CIOs Need To Learn To Enable, Not Lock Down, Technology
from the just-different dept
Information Week is running an article about the difficulty some CIOs are having with the fact that just about everyone is at least somewhat tech savvy these days — often just enough to be dangerous. Combine that with the rise of online software in the “Enterprise 2.0” realm and the ability for technology to bubble up rather than come from the top down, and CIOs are finding that their job is changing in ways that they didn’t fully expect. Some certainly don’t see it as a problem, just a different kind of challenge, but it definitely seems like the very role of the CIO needs to change in some significant ways. Rather than managing all of the technology infrastructure of a company, they’re going to have to figure out a way to focus more on enabling other parts of the organization to use technology effectively and efficiently. Obviously, letting individuals or even individual groups in the company set their own tech policy can lead to some problems, but it also opens up the ability for more creativity and new types of communication and apps to bubble up in a more useful manner. This reminds me of a post by Chris Anderson over a year ago. When he was asked to speak to a group of CIOs, he was amazed at how scared they appeared to be by modern technology, rather than energized. There was fear, he noted, that the position of the CIO could soon be extinct. If they’re not willing to recognize how the world is changing, then perhaps that’s appropriate, but there’s no reason why a modern CIO can’t focus on the enabling side, rather than the “lock everything down” view of the world.
Filed Under: bottom up, cios, enterprise 2.0, technology, top down
Comments on “CIOs Need To Learn To Enable, Not Lock Down, Technology”
But on the Tech worker side, it is a major loss of time and productivity when one of those “knows just enough to be dangerous” or even worse, someone who thinks they know enough, messes something up. And I don’t mean they brick their machine, what about when you give users install priveleges and someone gets infected with something because they just click every link they see without thinking?
It sucks to have everything locked down when you know what you are doing, but many people don’t do a good job of keeping secure and the loss of productivity and time on the part of the IT staff (and the whole business if you have to bring the system down) is not worth making it so that random users can feel empowered by the ability to control their own PCs.
Efficient technology use is good, but letting the average user decide how best to do it does not seem like a good option, since they may have some knowledge but people like CIO’s and IT staffers are much more likely to have a good grasp on finding and training users on new technology.
Jimmy... Couldn't agree more
When I first started as a PC tech a loooong time ago, I thought it was almost Communist-like to have the computers on lockdown like my superiors did. However, a years worth of experience changed my view. I’m glad there are no admin rights for users. I’m thrilled that they can’t install software themselves. I’m ecstatic that we use web filtering software and they get blocked from bad-ware sites. I had users who can brick a computer without admin rights! Just imagine what they could do WITH admin rights.
keep it on lockdown!
True enough, fellas, but there needs to be some sort of balance between keeping the network safe from careless or inexperienced users and giving the rest of them a measure of trust; patronising users and treating them like ignorant children is a sure-fire way to foster resentment, and enabling users to do simple stuff for themselves like installing Service Packs saves the Tech Support team a lot of unnecessary legwork.
Re: Servicepacks and the like.
“True enough, fellas, but there needs to be some sort of balance between keeping the network safe from careless or inexperienced users and giving the rest of them a measure of trust”
Like: Installing their own screensavers?
No. An easy in for things like malware, offensive material, and noisemakers.
Like: Installing their own productivity apps?
No. It’s never tested in conjunction with business-critical apps, until they are installed. When it screws with those apps, WHO gets to fix things? WHO gets to listen to the ANGER when those apps are uninstalled in order to get things working again?
Like: Installing service packs.
No. Service packs ALSO must be tested before installation; they can and DO sometimes break business-critical apps.
“…Patronising users and treating them like ignorant children is a sure-fire way to foster resentment, and enabling users to do simple stuff for themselves like installing Service Packs saves the Tech Support team a lot of unnecessary legwork.”
No. Installation of SPs can almost always be scripted to happen automatically, AFTER proper testing has been done.
IT doesn’t like denying people, but THIS IS NOT A GAME. We have to support EVERYONE, and look out for the company as a whole. Users may think “what harm can it do” – without testing to say it’s OK, NOBODY KNOWS! Users may resent being denied, but they don’t know the cost to the company of not having restrictive policies in place. And they (in my 28 years of experience) almost never care, either. It’s all “me, me, me”, and if you say no, they think you are just being capricious. Users almost universally believe that support is easy, that it’s just pressing a few buttons, and that since it’s easy and takes no time, IT is just “mean” or “lazy” or “IT just sucks”. That’s why we hear the universal “Don’t worry, we’ll support it ourselves” line. In EVERY shop I’ve been in, EVERY time, when that kind of ‘deal’ has been accepted, IT ends up supporting the app. Usually in a month or two.
Now, after justifying the cost and testing the implementation, and making sure that authentication, administration and security work with existing systems – heck yeah – users need apps, and companies must remain flexible or go under. But unmanaged desktops and installations in a shop with more than 20 people? That’s a recipe for disaster.
Remember that it’s not just about YOU. It’s about everyone.
Re: Re: Servicepacks and the like.
Well Said….
Makes as much sense as...
.. a company’s finance department giving all employees a credit card with no limit so that employees would be enabled to work “effectively and efficiently.” In addition it, “…also opens up the ability for more creativity and new types of communication and apps to bubble up in a more useful manner.”
When I proposed this to our CFO, I was amazed at how scared he appeared to be by modern financial tools, rather than energized. There was fear, he noted, that the position of the CFO could soon be extinct. Especially if he gave the keys of the asylum to the inmates.
Good point
I’ve been an IT admin (in the bad old days) and a software developer with a bit of admin (recently). Sadly it seems that many these days think:
Complete Lockdown = Standard Systems = Easy Admin = Low Costs (for the IT department)
That is a limited viewpoint but while large corps judge IT departments on smooth, low cost running rather than taking into account the often high costs to the departments being managed (inflexibility, slow response to changes needed such as new software, frustration that increases staff turnover, inability to evaluate new components and applications, etc — real business costs that can lose orders and kill profits).
I don’t favour fully open systems for all users but make sure they have generous rights fully protected by firewalls, AV, anti-spyware, anti-spam, traceability etc rather than privileges they will never need.
Work WITH users: be aware of their real needs even if such interaction is alien to many IT admins and costs more. Accept the small risk associated with new OS’s, frameworks, applications and do staged rollouts in manageable chunks – the business may well suffer in ways you can’t imagine if you choose to wait 2 years to “formally approve” .NET 3.5 before allowing it (as many do)!
FWIW, my (huge multinational) company shows such flexibility and each year shows higher profits and still stays safe – can’t others?
Eactly
“There was fear, he noted, that the position of the CIO could soon be extinct.”
That is the main point. Control is more of a kingdom protection than security.
@ Jake
We run a “Minimum Rights” scheme where I work. I do not believe that my users need anymore rights on the network than they need to do their job efficiently. That is why they are here, to do their job, not mine. My job is to do the updates, secure the computers from viruses and malware, and to fix different issues. If people have time to do my job then they do not have enough to do. Most breaches come from careless and ignorant workers who do not know that by “clicking here to win” they have now opened our network to a virus or bot attack. In regards to service packs and updates. We only install updates after we test them with the current software that we have.
opinions are like....
well, you know the end of that expression. IT has a very IT-centric point of view on this. The reason is that they are both a: Lazy and b: don’t know how to have some limited rights but enough for people to make their own PC work the way they needed. Of course what do you expect, the current IT market is mostly based off the fact that windows is a vulnerability headache but keeps people busy. DBA’s are not a rare breed for things on the other side of the situation either. Taking the situation on a case by case scenario to see which people are technically competent or not would in the long run pay off far more than restricting everyone borderline, since you could run some form of test on them to verify their competency. Aka run them through a malware site and see if they can figure it out, find out what they know, etc. Saves a million times more effort.
Think of the scene in 5th element about breaking something creates new jobs…CIO’s are only there to make the CEO feel cozy.
Re: opinions are like....
It people are lazy? Do you get a call at 2:00 am and have to drag yourself into work because a spreadsheet didn’t balance correctly? Because I sure as heck get that call if the network goes down and overnight processing grinds to a halt.
Enabling not always possible
True as it may be that CIOs need to learn to enable technology, the government has to move first. There are may regulations that basically prevent CIOs from doing exactly that.
Half the time we want to deploy something useful and cool, we run in to exactly that issue.
Tough to find the middle ground
I have been on the IT side and now I’m on the tech side of my job. I feel extremely limited by our corporate lock-down structure. I also know that when IT people view users as “Lusers” there is friction. Only a small percentage of people, very small percentage, in fact, would mindlessly click links and get into trouble.
For me, the bottom line is this — people will live up to, or even DOWN to, your expectations.
Somewhere there has to be a point where IT gets to do their job effectively and efficiently and myself as a user is not shackled by not having the most effective tools.
I’m not sure what EH talks about when s/he says “government has to move first”. Government itself has this very same problem internally like any other company.
I believe that the key is in establishing a corporate culture of mutual respect where the value of IT is recognized and appreciated, and IT stops viewing its clients as a bunch of click-happy Neanderthals.
There is a way to solve this, we just need to move away from the anecdotal water cooler talk and get down to business and work on a solution.
Re: Tough to find the middle ground
Craig, your statement shows that you have obviously never worked in I.T.. OR if you do you have never donw anything technical or had to respond to a server outage or breach of security caused by one of the many click happy users in the network.
EVERYONE wants thier job to be easier of course and I.T. folks are no different but you have to realize something… if you allow everyone local admin rights, when one of your users decides that they just have to see that jpeg of a nude Jennifer Anniston that someone they have never heard of sends them the email… they un-intentionally launch the next day zero attack/exploit into the network. Guess what? All your local admins now have been exposed to the worm that is now rapidly makings its way through your network PC to PC, server to server and is either A. Trashing your files… all of them, or worse… B. Sitting stealthed so you dont even know it is there, gleaning all of your information and sending it out covertly to the hacker that wrote the script for him to sell to whomever will buy it. Customer databases, financial information, personal employee information…
People that say users in an enterprise environment should not be locked down have obviously been graced by not having an event on thier network so they just really do not understand why having users as admins is a HORRIBLE idea…
The art of I.T. Security is finding that break even point, or balance, where security meets work functionality requirements. There are ways to let users run software that is poorly written and require a user to have elevated rights to run that do NOT involve giving them local admin rights as well by the way.
And yes, I AM biased as I am an information security officeer for a government entity but have also worked in the private sector for many years (15 to be exact) as a network admin and architect, so I do know a tiny bit about what I am talking about.
Point Being....
The point i was making is that people are not mad because we are locking down their computers and they are not able to do their work… They are upset because we lock down the things that have nothgin to do with work. I.E. games, personal internet usage, personal email, playing internet games and Fantasy (enter name of sport here). BTW this is one of the most popular ways for your computer to get inffected and compromised.
I get paid to do IT work. That is what i do 98% of the time I am at work. Why is it wrong for us to expect others to do the same.
Do what you get paid to do. I make sure that all of my users are able to do their job. Tell me what is wrong with that!
RE: Government moving first
> I’m not sure what EH talks about when s/he says “government has to move first”. Government itself has this very same problem internally like any other company.
What I’m talking about are the host of arcane regulations that make it difficult, if not impossible, to certify that applications meet the various requirement of the hosts of governmental departments.
Locked Down for Multiple Reasons
I’ve worked in IT since before Windows 3.0, in large and small shops. In a small shop it can make sense to let the users have full rights to their system. In a large organization however it simply doesn’t make sense and for a number of reasons.
One example, in California we have SB 1386 which requires a company to notify an individual if any of their personal information has been put at risk of disclosure. Disclosures of this nature not only impact the people whos personal information may have been put at risk, but also damages the reputation and business of the company. It is in the best interest of the company as well as the customers to do what is necessary to prevent these incidents. Typically these breeches occur because a laptop or desktop computer is stolen which has unencrypted personal data on clients. There are two ways to protect the organization from this: (1) enforcing full disk encryption which cannot be turned off by the user (they do not have admin rights) or (2) preventing the storage of data on the local machine by not giving users rights to store data on the local drive (and flushing caches, temp areas etc.)
Another example: at one organization all of the users were on Windows 98. I personally spent 20% of my time tracking down and cleaning systems which had been infected because users downloaded a program which included either spyware or adware. To make it worse, once one machine was infected it tended to spread the infection to others, so that other users who were being “good netizens” were still punished by the acts of the users who were not “good netizens.” Once we had funds to upgrade to Windows XP, we rolled out desktops and laptops with group policy restrictions preventing this. In the four years following that change, not one single machine was infected by spyware or adware. The systems were more stable and the users were able to get more work done. At first there was some resistance but the users came to see that it really was not keeping them from doing their jobs and it significantly reduced the amount of time they lost by IT having to repeatedly work on their system to undo whatever mistake they had made.
Another reason: licensing and liability. When users have the ability to bring in software from home or that they got from a friend or share copies of Office etc. your organization can easily find itself on the wrong end of a software licensing audit by Micro$oft, the BSA, etc. All it takes is one disgruntled ex-employee to make a phone call and in come the federal marshalls with the BSA folks to perform an audit of all of your systems. The only way you can protect yourself from this liability is to control who can install software and ensure that there is an employee responsible for tracking all licensing of software, where it is installed etc.
Another way to look at it: do you give root to every user on a Unix/Linux machine, or just to those individuals paid to administer them? My bet is the latter. And you probably use sudo as well. And you do not install software that is not needed.
Simply put, the greatest majority of non-IT employees do not require administrative rights to their computers in order to do the job they are paid to do.
The business has a right and an obligation to protect itself from these risks, even if it means that Joe Blow can’t download that “cool screensaver” or “cool game” that is infected with spyware/adware or is a pirated copy. Installing that kind of thing is *not* required by your job, does *not* make you work more efficiently and is *not* in the best interests of the company.
Get over it, get to work, do your job, earn your paycheck, and play with that software at home on your own system on your own time and let the rest of us do our jobs without having to fix your messes.
Compliance Compliance Compliance Compliance
Compliance Compliance Compliance Compliance…
Nice of you to expect the IT folks and senior management to put their jobs, careers, and lives in jeopardy (as well as that of the company) so you can be empowered to use the latest bling.
In 20 years of IT (many at CIO level) I have seen dozens of situations where a well meaning user (aren’t they all?) evades IT policies and controls to “help” the company and end up creating a big pile a %$#% that IT has to clean up.
> I can’t figure out that big old SAP system, I just keep my orders in Excel.
> I’ll just help IT out by installing this little wireless access point over here.
> I never liked that report, so I’ll just download the data and create my own. Other people like it too, (dumb ol IT!) so I’ll just send my report to them to.
> That stupid system won’t let me ship the product if I enter the REAL data, so I’ll just enter what the system wants and it will move on.
> I wrote this really cool application in FoxPro that we use to value all our inventory.
> Well I could have gone though that complex system required by the FAA, but I’m sure my fix to that engine was correct. IT is sooooo bureaucratic!!! All those signatures and stuff!!!
> Billy is leaving the company and he wanted to keep in touch, so I emailed him the HR database.
> Johnny hates our corporate email system, so he just conducts business from his gmail account but then he got fired. Now he is sending email to customers saying their orders are delayed? How could IT have allowed this to happen???
Perspective
It’s interesting to note that the IT guys seem to be missing the issue whilst being dead right. PCs got into companies because they got round the problems of green screens. Computing/IT/Technology was meant to be an enabler – the more you tie it down the less flexible it becomes.
This isn’t the first time this has been an issue – it’s at least the third wave that I have seen (started in 1974 so I do have a slight time advantage)and I write this as an Architect who has managed development divisions and infrastructure consultancies
@ Brent et al
I hate to say it, guys, but there’s a much simpler solution to that kind of issue than complicated filtering systems and privilege restrictions; namely firing everyone who can’t be trusted with an unfiltered Internet connection and replacing them with people who can.
In response to Imric’s comment, I wasn’t actually meaning to imply that users should necessarily install Service Packs etc on their own initiative, merely that they have the ability to run Windows Update themselves rather than wait for the IT Department to send someone round to each individual machine to log in and click a few icons once the all-clear is given; if a majority of a company’s office staff can’t be bothered to listen when sent a memo saying not to run the automatic update program until the IT department has made sure that it won’t knock over a proprietary app, malware on the desktops is probably the least of the company’s problems.
...
Well if i could just get my manager to fire everyone that cant be trustworthy you are right that would make things easier. But i work in state goverment and it takes about 6-8 months and a lot ov evidence to fire someone because of civil service protection. But that still is not the point.
If someone has more rights than they need on a computer then you have just opened it up to attacks. Lets face it, people are careless. They use the same passwords for all aspects of their digital worlds. If i can figure out what a persons password is to say their yahoo email then it is a good possibilty that is what they are using at work also. I want my users to be able to do their job. I make it so that they can. No one has any business installing programs on the work computer. That is not what they are there for.
I have gone into offices and uninstalled games that people have brought and installed. that is not their job. It is also a Copyright violation. I had to uninstall Office 2003 because one of our users did not like WordPerfect. Well neither do i but i had to use it like the rest because we did not have office licenseing.
People get paid to do a job. they need to do it while they are there. As to the updates… we have a WSUS server that installs all of the updates that we authorize, all the users have to do is restart their computers. They have no business trying to do the updates by goin to the windows update site.
How about eating your own dog food
I am an IT Director and have been in the business for a long time. As I have taken on a less technical role over the years, I am beginning to identify with the users who complain constantly about their locked down PCs. I think all the IT folks should try living without administrative rights (without cheating) for six months and then tell us how this practice solves business problems. Also, hire yourself an outside provider to come to your home to perform all updates on your PC instead of doing it yourselves. Once you’ve eaten your own dog food maybe then you’ll be able to focus on modern creative solutions for enabling users instead of just locking them down.
A professor of mine who was a security expert taught me that there is a lot of unnecessary FUD created in the minds of computing users. I wholeheartedly agree with him and the practice of risk management to balance security with accessibility and performance using business drivers as the justification for the application of security measures in an organization.