Is your IT dept. a regulator or an advocate?

Do employees see IT as a resource that will help them meet business goals? Or people sitting around trying to stop real work from getting done - in the name of security?
Written by Ramon Padilla, Contributor

In this world of worms, viruses, security vulnerabilities, hardware and software non-interoperability, and just plain old malfunction, it's a wonder sometimes that IT organizations can remember that they are service providers.

Under this constant bombardment of threats and malfunctions, IT slips, almost by default, into the role of regulator rather than enabler, looking for ways to tell the end user "NO" rather than helping them find solutions to their business problems.

How many articles have you come across recently (particularly regarding security) in which the end user is described as a threat or a risk, and which recommend that measures be put into place to guard against them, or to protect them from themselves?

This is not to say that any of the above is wrong, but there comes a point - in the pursuit of a bullet-proof system or network - when a regulator's mentality takes over the IT organization, and the conversation becomes more about what the user can't do than about how we can help the user do something.

This then begins to permeate the culture of the organization, and you end up with an oppressive IT organization that seems more like an overlord than an enabler. Then the IT organization wonders why they aren't being considered a strategic business partner! The fact of the matter is, no one is going to want to partner with you when they hate your guts.

On the flip side, we know that securing the computing environment and having well thought-out policies and procedures is crucial to running an effective and efficient IT organization. Well thought-out, not knee-jerk or reactionary. Reactionary policies are often the case, particularly when an IT shop is struggling to do more with less and barely managing to keep the wheels on. In that situation it is easier to issue wide-ranging, blanket policies that shut down many things in the name of security or operations.

The key word for this discussion is balance. Balance means "to be in or come into equilibrium." In that sense, it isn't regulation or advocacy; it is the healthy balance of both.

So when setting a policy, a thoughtful process should take place to determine how the policy will impact processes and procedures and employees' work lives. For example, many IT organizations these days have a blanket policy to block employees' access to personal email via a Web browser. Therefore, access to Hotmail, Earthlink, or Yahoo accounts is made impossible. This is done for the sake of security.

Now I ask you, is this going too far for the sake of security? In my opinion, the answer is yes. Most governmental organizations treat the use of Web browsing and email like the telephone. Some personal use is permitted, but it is not to be abused. Government employees surf the Web during lunch and breaks and communicate personal business via email on a fairly regular basis.

Personally, as a government CIO who knows that all official communications are accessible under open records laws, I would prefer my organization's employees to conduct their personal communications via their home ISP using Web mail. This keeps organizational mail strictly for business while giving the employee a legitimate way to handle personal matters by email, just as they do by telephone. You get a clean separation between work and personal email, and you can strictly enforce a no-personal-use rule for company email.

The majority of the large ISPs already scan for viruses within their Web mail interface, and most IT organizations run anti-virus software at the desktop, so the residual risk is that Web mail is a channel whose content IT cannot inspect or control 100%, in either direction, going into or out of the organizational network.

Is that worth taking away the ability to use personal Web mail and forcing personal traffic onto the corporate network? This is where balance comes into play. If my organization is the CIA, I might feel very justified in doing so. In fact, in their case, their corporate network and the outside world probably meet in a very, very restricted way.

However, most of us aren't working for the CIA and keeping state secrets from leaving the organization is not priority #1. For many of us, balance would mean allowing access.

This is only one example of probably dozens of policy decisions that are made each year with a regulatory frame of mind, rather than one where the needs of the end user are thoroughly considered.

Again, I am not trying to paint IT as the bad guy. More importantly, I am trying to point out that in our zeal to protect ourselves and our organizations, we can go too far in one direction and tip the scales so far that we create an environment that is difficult to work in. This is where IT governance committees can play a huge part in reviewing policy to ensure that all aspects are considered before policies are put into place.

Lastly, remember that policies are not chiseled in stone. They need to be reviewed at least yearly to see whether they are still relevant, and whether any new technology, once put into place, would invalidate them.