Regulation or Advocacy?

Ramon Padilla Jr. explains why IT organizations shouldn't think of regulation or advocacy but rather have a healthy balance of both.

In this world of worms, viruses, security vulnerabilities, hardware and software non-interoperability, and just plain old malfunction, it's a wonder sometimes that IT organizations can remember that they are service providers.

Instead, because of the constant bombardment of threats and malfunctions mentioned above, IT finds itself, almost by design, as IT regulators rather than enablers, finding ways to tell the end user NO rather than helping them find solutions to their business problems.

Stop and think about it. How many articles have you come across recently (particularly regarding security) in which the end user is described as a threat or a risk and measures need to be put into place to guard against them/protect them from themselves?

This is not to say that any of what I mentioned above is wrong, but there comes a point—when in the pursuit of a bullet-proof system/network—that a mentality of regulator takes over the IT organization, and it becomes more about what the user can't do rather than how we can help the user to do something.

This then begins to permeate the culture of the organization, and you end up with an oppressive IT organization that seems more like an overlord than an enabler. Then the IT organization wonders why they aren't being considered a strategic business partner! The fact of the matter is, no one is going to want to partner with you when they hate your guts.

On the flip side, we know that securing the computing environment and having well thought out policies and procedures is crucial to running an effective and efficient IT organization. Please note that I said "well thought out," and not knee-jerk or reactionary policies and procedures, which is often the case, particularly when an IT shop is struggling to do more with less and barely managing to keep the wheels on things. Then it is easier to make wide-ranging, blanket policies that shut down many things for the sake of security or operations.

The key word for this discussion is balance. By balance one means "to be in or come into equilibrium." In that sense, it isn't regulation or advocacy; it is the healthy balance of both.

So when setting a policy, a thoughtful process should take place as to what the impact of the policy will be in regards to processes and procedures and employees' work lives. I will give you an example: Many IT organizations these days have made the blanket policy to block an employee's access to personal e-mail via a Web browser. Therefore, access to Hotmail, Earthlink, or Yahoo accounts is made impossible. This is done for the sake of security.

Now I ask you, is this going too far for the sake of security? In my opinion, the answer is yes, and I will give you my reason why.

Most governmental organizations treat the use of Web browsing and e-mail like the telephone. Some personal use is permitted, but it is not to be abused. Government employees surf the Web during lunch and breaks and communicate personal business via e-mail on a fairly regular basis.

Now I personally, as a government CIO who knows that all communications are accessible via open record laws, would prefer my organization's employees to do their personal communications via their home ISP using Web mail. This keeps organizational mail strictly for business while giving the employee the legitimate ability to address personal issues via e-mail just as they do with the telephone. With this, you have a nice clean separation between work and personal e-mail and you can work to strictly enforce the no-personal-use of company e-mail.

The majority of the large ISPs already employ virus scanning within their Web mail interface and most IT organizations are employing anti-virus software at the desktop, so the actual risk is that there is a hole in which IT cannot control 100% of the content going into and out of the organizational network.

Is that worth taking away the ability to use personal Web mail and forcing personal traffic onto the corporate network? This is where balance comes into play. If my organization is the CIA, I might feel very justified in doing so. In fact, in their case, their corporate network and the outside world probably meet in a very, very restricted way.

However, most of us aren't working for the CIA and keeping state secrets from leaving the organization is not priority #1. For many of us, balance would mean allowing access for the reason explained above.

This is only one example of probably dozens of policy decisions that are made each year with a regulatory frame of mind, rather than one where the needs of the end user are thoroughly considered.

Again, I am not trying to paint IT as a bad guy, but more importantly, trying to point out that in our zeal to protect ourselves and our organizations, one can go too far in one direction and tip the scales so far that you create an environment that is difficult to work in. This is where IT governance committees can play a huge part in helping to review policy to insure that all aspects are considered before policies are put into place.

Lastly, remember that policies are not chiseled in stone. They need to be reviewed at least on a yearly basis to see if they are still relevant and if there have been any new developments technologically that—if put into place—can invalidate them.

Editor's Picks

Free Newsletters, In your Inbox