Something’s Gotta Give, And It’s You

By David Payne, VP Systems Engineering, Code42

IT has lost the ability to unilaterally command which software employees access and what devices they carry. Anybody with a credit card can get the tools he or she needs to work fast and unencumbered. This freedom has significant impact on data security. But there’s no going back to a time when employees acquiesce just because IT says no.

The adversarial relationship that has festered between IT and “end users” prevents learning and increases vulnerability.

For example: Is it the user’s fault when a window pops up on his screen suggesting he update his Flash player and the false link unleashes a virus into the network?

Or what about this one: Despite the policy (written for the company road warriors) about always using the VPN and never storing sensitive data on laptops, who’s to blame when the device is breached, with hundreds of customer documents and details, during a week-long international sales trip?

In a lot of scenarios, the right technology and small shifts in behavior can change (and mend) the relationship between employees and IT and InfoSec—and in so doing improve data security.

German philosopher, critic and poet Friedrich Nietzsche summarized the way people live and think in the phrase, “He who has a why to live for, can bear almost any how.” I use this aphorism to describe the new relationship IT must forge with workers. Instead of policing end users and erecting barriers to protect them from themselves, IT needs to innovate around the people it supports. That means seeing them as people striving to meet their business goals, not end users who must be admonished for their own good.

Does that mean IT has lost the war? Not at all. When IT supports the work of employees—without sacrificing data security and integrity—they must deeply understand the way and the why employees do what they do. The question becomes not, “Why don’t employees save files on the file server like I told them to?” but, “What technology will make file backup automatic and inconspicuous so employees don’t have to worry about it?”

In reverse, this shift will help employees better understand the “why” of IT and InfoSec and encourage employees to examine how their behavior affects the security posture of the organization.

“I understand some of these restrictions are here to protect all of us, not to prevent me from getting my work done.”

When IT sees people (rather than end users) trying to get important jobs done with the least resistance, and employees see IT and InfoSec as protecting the business, data security feels and looks more like a team sport than a boxing match.