Time for IT departments to refocus security policy

What is IT’s proper role for security in your organization? After standards, security is the next most cited reason why IT can’t do something a business user requests. Are that many business requests so dangerous that they can’t be implemented? Or has IT lost sight of what IT security is?

IT has several clear responsibilities relating to security and risk management. The first of these is complying with the law: having the controls in place to satisfy privacy legislation, financial controls and accountability rules (SOX, banking and health-care regulation, etc.), and industry regulations. Not doing so may carry strong penalties for the company and its C-level officers, including the CIO.

The second responsibility is confidentiality of corporate data. Leaked company data, whether financial records, business processes, customer lists, or product plans, can create embarrassment and raise questions of competence. Depending on the nature of data, a leak could seriously impact a company’s ability to compete effectively.

The third category is IT infrastructure integrity. Company operations depend on the availability of a secure and reliable IT infrastructure, whether for internal e-mail and document access, or public facing Web presence and telephony.

Of the three, securing the IT infrastructure is the most challenging because it has no hard boundaries; the rules change every day. Your IT group spends a lot of time and effort balancing staff ease of access to the infrastructure for their day-to-day work against making it as difficult as possible for the “bad guys” to get in and steal or corrupt data. That balance isn’t easy, and one size doesn’t fit all. Your credit or debit card, now improved with a chip, is easy to use. A simple four-digit PIN plus the physical card at a terminal on the retailer’s counter gets the job done millions of times each day. That works because the PIN is only one factor: an attacker also needs the card itself, and the issuer locks the card after a few wrong guesses. Yet that same four-digit PIN wouldn’t pass muster as a login password on your network, where it can be attacked without the card and guessed at machine speed. On its own, it’s too weak.

Most IT shops’ security policies don’t stop with compliance to laws and regulations, confidentiality, and infrastructure integrity. And this is where your business users get frustrated with IT “security” policies. Policies that make it more difficult to do their jobs the way they want to do them, create frustration, conflict and distrust.

What IT decides
Ban access to porn and gambling sites – sounds appropriate, as the company doesn’t want its resources used for things that could be illegal or damage its reputation. Of course, add in all of the other sites that are “iffy” according to your personal tastes. Next, block access to YouTube and Facebook because employees should be working, but label it a network bandwidth concern – after all, business traffic comes first. Then everybody gets a standard desktop image that won’t let a user add her own software to help her do her job better.

These are not about IT security or infrastructure integrity. IT has willingly taken on or has been cast into the role of corporate nanny, making arbitrary decisions about how the company staff will work in the name of “security.” No wonder users try every trick in the book (actually every trick they can find via Google) to circumvent your controls.

None of these inappropriate uses of the IT infrastructure is IT’s to manage or control. Yes, they may cause IT some problems and will probably be discovered through routine monitoring of your network. But employee behaviour is a management responsibility. Appropriate use of corporate resources is defined in HR policies, and the company’s management structure is there to provide the necessary supervision of employees. Unless the problem employee is your direct report, the responsibility lies elsewhere.

Old timers may remember when switchboard extensions were being replaced by direct-dial phones. Employees could now make calls without intervention by the switchboard operator; the fear was that they’d spend all day chatting on personal business. And when PCs started to show up on every desk, did IT delete the games directory because otherwise everybody would play Solitaire all day instead of doing their work? The reality was that, with a few exceptions that managers dealt with, those abuses didn’t happen and the company benefitted from staff having better technology to get their work done. How is the Internet so different that you are letting managers delegate to you and your staff their responsibility for supervising how their employees use the company IT infrastructure?

Saying no is easy

If an employee is misusing company resources, whether it’s surfing shopping sites, hours of daydreaming or taking office supplies home, that employee needs to be dealt with by her manager according to the existing policies. If there’s nothing wrong with staff making a short personal call, then what are a few minutes on Facebook?

As IT people, we try to be helpful in all things technical, and not be negative. Saying no is so easy when it can be blamed on something else – standards, security, policy – rather than placing the accountability where it belongs. Why would IT’s role in enabling the organization through technology include policing staff behaviour and productivity any more than IT would have a say in assigning workspace locations or parking spaces?

Managing IT effectively to support and enable your company’s business is a big enough job without taking on managing other managers’ employees. Time to re-focus.
