Software

Did The Wall Street Journal sabotage businesses by publishing tips on how to circumvent IT?

TechRepublic's Jason Hiner characterizes the The Wall Street Journal's tips for circumventing IT as dangerous and irresponsible and says that many of them could have very negative consequences for businesses, IT departments, and users.

In the Monday, July 30, edition of The Wall Street Journal, there was a special section on technology that led with the article "Ten Things Your IT Department Won't Tell You" by Vauhini Vara. If you haven't read the article, you should take a look because some of your users may have have already seen it, and as a result they may be engaging in activities that put themselves and your IT department at risk.

The Journal Report front page for Monday, July 30, 2007

Here is the list of the 10 items in Vara's article:

  1. How to send giant files
  2. How to use software that your company won't let you download
  3. How to visit the Web sites your company blocks
  4. How to clear your tracks on your work laptop
  5. How to search for your work documents from home
  6. How to store work files online
  7. How to keep your privacy when using Web email
  8. How to access your work email remotely when your company won't spring for a BlackBerry
  9. How to access your personal email on your BlackBerry
  10. How to look like you're working

Vara breaks down each item into four sections -- The Problem, The Trick, The Risk, and How to Stay Safe.

Make no mistake, this article was extremely popular. The Wall Street Journal publishes its list of the Most Viewed and Most Emailed articles on WSJ.com for each day, and for July 30, "Ten Things Your IT Department Won't Tell You" was one of only two articles that made the top five on both lists. It was No. 1 on both. Sanity check The problem is that the information in this article is unequivocally damaging for businesses and their IT departments, as well as for the users that The Wall Street Journal is supposedly trying to serve. While I am generally a fan of The Wall Street Journal -- and its tech coverage is typically rock solid -- I was very disappointed by this piece. Although it did not reveal any information that couldn't be found elsewhere, I don't like the fact that the Journal spoon-fed a bunch of dangerous tips to users and all but encouraged a quiet revolt against the IT department.

A few of Vara's tips are fairly innocuous, such as "How to send giant files" and "How to clear your tracks on your work laptop." In fact, many IT pros could pass those items to users along with some tips of when and how to use them. The large file issue can ease the burden on e-mail attachments and storage and the "clear your tracks" tip can be turned into a good privacy and security practice.

However, several of the other tips are dangerous to the point of idiocy, especially "How to use software that your company blocks," "How to visit Web sites your company blocks," "How to search your work documents from home," and "How to access your work email remotely when your company won't spring for a BlackBerry."

The issue of showing users how to access software and sites that the company has filtered is a recipe for disaster. Often the stuff that is banned is banned because it can introduce spyware and malware to the system or it can bog down the computer and/or the network. When users find ways around that, they introduce significant security and privacy risks to the company, and they can potentially decrease their own productivity by clogging up their machines with spyware and adware.

In terms of "How to search your work documents from home," Vara recommends using Google Desktop to sync documents between a work PC and a home PC. That might be okay for a few consultants and small businesses, but it's a terrifically bad idea for anyone in the corporate world (The Wall Street Journal's core audience). The implications for privacy, confidentiality, and compliance are severe and serious, especially if any of the files involved contain customer or financial data. Plus, there are easier ways to handle the issue that preserve security, such as a VPN connection and Remote Desktop from a home PC to a work PC. And then there's the issue of "How to access your work email remotely when your company won't spring for a BlackBerry." Forwarding work e-mails to personal e-mail accounts and devices -- as the Journal article advises -- is another potential disaster waiting to happen. It raises the same issues of confidentiality and compliance because when you forward all mail, it is very likely that you'll end up sending customer data and corporate financial information to your personal accounts. While the Journal article ostensibly shows some responsibility and restraint by including sections on "The Risks" and "How to Stay Safe" for each of the 10 items, the author either does not fully understand all of the security and compliance risks involved or simply chose to make light of many of them. Either scenario is a strong indictment against the article. The compliance issues, while mentioned in the article, are much more serious than Vara seems to realize because they can expose a company to major financial risk (in the form of fines, lawsuits, and legal fees). Likewise, the security issues are much more serious than the Journal article presents them. Hackers have gone professional (and in some cases joined forces with organized crime) and are out there looking for employees and companies to steal data from and use for blackmail or money laundering. The TJX security scandal could serve as a sober warning to that effect, once all of the details come to light.

While users often get frustrated with the IT department and the restrictions that it puts in place, the answer is not to train people how to make an end run around IT. In many companies, there's already too much of a disconnect between IT and the rest of the organization because of the fact that IT often plays the role of a police officer -- to serve and to protect.

The root problem that The Wall Street Journal was trying to address is that many users want and need to do some personal computing on their work machines and/or access work apps and data from their home machines or devices. That's a reality that businesses and IT must face, and they must come up with some workable solutions.

Since many of today's users access their e-mail and work during "off hours," it's certainly reasonable that they should also be able to do a little bit of personal computing during company time. There simply needs to be a safe and relatively easy way for them to do it. Some companies have solved this with separate virtual machines, using VMware or Virtual PC or a Web-based solution like G.ho.st. Other solutions need to be explored, and big players such as Apple and Microsoft, as well as small vendors with creative solutions, need to all be involved. This will be an important part of the next generation of operating systems, devices, and a borderless information security strategy.

For The Wall Street Journal, which depicted itself as a "public trust" during its recent acquisition tug-o-war with News Corp, fueling a turf war between IT and its users is not the kind of journalism that meets the high mandate it has set for itself.

For IT departments, the genie is out of the bottle on many of these tips and tricks that allow users to circumvent IT procedures. As a result, IT departments need to aggressively partner with employees, educate them on the severity of security and compliance risks, and find ways to meet the needs of users whose computing experience now overlaps between work and home.

What do you think about The Wall Street Journal's list? How do you think IT can help users bridge work computing and home computing while still maintaining data security? Join the discussion.

About

Jason Hiner is the Global Editor in Chief of TechRepublic and Global Long Form Editor of ZDNet. He is an award-winning journalist who writes about the people, products, and ideas that are revolutionizing the ways we live and work in the 21st century.

171 comments
info
info

It seems I.T. "procedures" are more and more the cart that drives the horse of business. My husband is a data analyst on the business side in the insurance field. Due to "procedures", his IT department would not allow him access to certain job-relevant data for well over a year. What was the point of that? All it did was drive him nuts.

anniemae46
anniemae46

As an IT person and a long-time reader of the WSJ, I too was a bit startled at the author???s recommendations???especially points 2., 5. and 6. I am not so much worried about potential power feuds between IT and users, but more about serious security breaches and their consequences for people in IT as well as in Management.

roberto.cuti
roberto.cuti

Very usefull list. Probabily several IT managers are now checking if one or more of the ten issues could also happens on their IT platforms.

harold
harold

Just like most jouralism these days. Good press but not well thought out. Most of what they recommend is at least troublesome and some is downright illegal and could result in termination for the employee foolish enough to try it and a fine or lawsuit for the company. IT depts do have a PR problem and are often poor at communicating why things are the way they are. Most times these rules are there because the ramifications of those services overwhealm the system which was not designed for them and has the out come of making business needed services unavalible. IT Departments are msotly just doing what mgt tells them to do based on what the Business needs.

bdmeyer44
bdmeyer44

Very irresponsible. Anything for a buck. They have prostituted their credibility to make a sale. I wonder how much it will hurt them in lost subscriptions in the future. I know they won't get mine.

Chaz Chance#
Chaz Chance#

Interesting how many of the products/services mentioned in the WSJ article also advertise on TechRepublic...

chaz15
chaz15

IT departments do sometimes NEED to put in place restrictions that their company's EMPLOYERS put on use of company computers, as opposed to PERSONAL use of WORK computers (which is always against IT policies). These are in compliance with COMPANY policies that the EMPLOYEES agree to via their contract of EMPLOYMENT. These restrictions are NOT subversive, quite the contrary, they protect the COMPANY from breach of confidence, disclosure (accidental or otherwise) of private and personal COMPANY HELD information, and of the COMPANY not being held for breaches of common law or company law by EMPLOYEES. They are also to protect the company from leaked company information. These are VERY important points. While obviously users can search for ways around IT policies, to do so is INVARIABLY in breach of contracts of employment and any such breaches can result in disciplinary action or quite likely and fairly in dismissal. Users can always negotiate on points of interpretation or implementation of policy, such as ability to access a particular website. IT departments HAVE to err on the side of caution where there is a risk of Trojans or serious computer viruses. Perhaps IT departments should be more vigorous in letting employees know when the user has (intentionally or unintentionally) breached IT policy and this has been monitored by the IT staff. Finally for all the people out there calling IT staff or their company policy killjoys, please remember WHO YOU WORK FOR. It is down to the COMPANY to decide COMPANY POLICY. If they have delegated any of this policy making to the IT CEO, so be it !!!!!!!!

Trib
Trib

Now those of us who hit a brick wall when we mention security have fully documented ammo to push past objections. Use this to your advantage if you can.

georgeou
georgeou

The WSJ article is just a symptom of a much deeper problem between IT and the Business. Until we deal with the root of the issue, it will never be resolved. A. IT serves the business and it should NEVER forget that. IT needs to figure out how to address every one of the user's needs or come up with a reasonable alternative if they can't have it exactly the way they want it. Too many IT departments have just gotten use to saying NO without considering the impact to the user and the business. Sensible remote access solutions that are locked down for security need to be worked out. When I was in IT, we actually taught the help desk on how to configure home routers so that we can help users secure their home network. Giving the users a laptop with convenient Outlook rich client over HTTPS access will go a long way to make user's lives easy. B. Once IT has done everything in its power to give the users what they need within reason, everything else needs to be blocked severely with technological and policy restrictions and Sr. Management up to the CEO needs to sign off on it. Sr. Management is ultimately responsible for the company's security and they need to decide (with the help of IT to explain the technical part) what they want to allow and what they don't want to allow.

m.d.hiers
m.d.hiers

Well I read the Wall Street Journal and the author forgot 1 important risk. If your tring to bypass corprate policies you could LOSE YOUR JOB. Those policies are there for a reason. It is not your computer or data it belongs to the company.

jacksonzimmerman
jacksonzimmerman

Corporations have IT departments because the average age group of corp. management grew up without computers. When the teenager of today is tommorrows management - the concept of having an IT dept to "run computers" for them will be as ridiculuous as hiring an "expert" to dial your phone for you. Until that day, IT will ALWAYS be an OBSTACLE to effeciency.

delebute
delebute

Seeing this type of information in WSJ, just shows that many of the behaviors that we in IT tell Management or our clients about their respective networks and user policies only gets cemented by this article. we have had at two dozen of our clients contact us and say "can they really do these things?" and we acknowledge them, we are now getting their attention about security, montiroing etc. It has actually helped our business. THANKS WSJ!!!

ognicco
ognicco

I saw nothing new in that article. And I'm not in the rocket science end of the IT game. Maybe you should take a hint from my Commanche ancestors who said," Don't sweat small shit!"

jossyy578
jossyy578

I cant believe this, seems to be that the person that wrote the article is a 60 yo as&^le.

mrinternet
mrinternet

Oh my God...this has been going on since the out-of-work big eight accounting firms for Enron and Worldcom came up with the overnight sensation - overseas OUTSOURCING ! Watch any TV lately other than late night infomercials to see how some AD agencies characterize the IT Dept. - lame... geeky, stupid. I wonder how that happened? Yep - I agree that acting like anyone is now able to diagnose like an expert a "Computer" after reading the Wall Street Journal article is as wacko as the Mormon Mitt Romney proclaiming it is American to own a gun and be your own law enforcement agency after his 15 minute NRA hunting adventure made him a expert marksman the world over!

gphoto45
gphoto45

Fired two people already. The tricks to "look like you are working" didn't work. Two more are on probation, putting secure compny files online, to access them later. The P2P program that that ariticle helped them to install, cost more money than the writer makes a year, to repair the infection, and compromised security. WSJ should have a letter on thier desk from our attorney. Sound familar, WSJ? Wonder how many nuclear power plant schematics are getting stored on the net, lately? Who is your biggest stockholder, WSJ, Bin Laden? What a total lack of responsibility and sensibility!

devin.rambo
devin.rambo

"The Problem: Anyone without a BlackBerry knows the feeling: There's a lull in the conversation when you're out to dinner or an after-work beer, and everyone reaches for their pocket to grab their BlackBerry, leaving you alone to stir your drink." So "the problem" here is not one of technology, but one of being in an awkward social situation. Boo effing hoo. That's not a reason to circumvent the security procedures your company has implemented for a reason. And if you hang out with people whose only response to a "lull in the conversation" is to pull out their Blackberry, maybe you need some new friends anyway. I expected journalistic standards to slip at the Journal after the Murdoch acquisition; I didn't expect it to happen quite so soon. Will the Journal be publishing articles on how to firebomb abortion clinics next?

jhoffman
jhoffman

So, until the Wall Street Journal published the list this information was unavailable in the wild?

markc
markc

The WSJ fails to grasp the reason many of these restrictions are in place in the first place -- irresponsible employees who don't, or won't try, to understand the reason for the restrictions. One year we blocked untrusted ActiveX and Java applications at the perimeter. Even though we demonstrated how an untrusted Java app could wreak havoc on a user's machine we still had people saying that stopping "untrusted" Java was a bad idea because the chances of "something bad" happening was slim. We have even had people try to disable their antivirus software because something they were trying to install would not install (something about a virus.....) IT must protect user's against themselves in order to provide a respectable uptime for the corporate network. But, IT must also help users get their work done, and to that end we offer a service to our users by installing antivirus and antispyware on our users home computers. The WSJ should be ashamed for violating IT's trust.

larrywl
larrywl

Didn't they just get picked up by the outfit that runs the eminently authoritative NY Post and National Enquirer? Get used to it. I'm looking forward to future WSJ articles like "Elvis found working on IT help desk" and "An Apple Ipod can replace your desktop"

Chug
Chug

Absolutely irresponsible of The Wall Street Journal. Every one of those items would flat out get somebody fired at my company if they are found out. Storing company files on, or passing through, a 3rd party system is absolutely out of the question. Putting software like AOL's IM on your work computer at work can have serious impacts on the network, especially for remote offices with limited bandwidth connections. A company does need to be responsive to their users' needs though. My company provides VPN for accessing work files from home, and our own web access for getting to work e-mail if you don't have a Blackberry. Lots of web sites are blocked, but we do have a system for getting sites unblocked if the user can demonstrate a valid business reason.

David.Williams
David.Williams

Maybe managers should think twice before telling subordinates to "do what it takes" to get the job done! Maybe some people are interpreting "do what it takes" as circumventing security!

rajeev_nice
rajeev_nice

just another sensational article to gain some publicity and hence sell other work of fiction... In our company, we promote tele-working and facilitate a secure channel for accessing non-critical information remotely. At the same time, the IT security and policies cannot be compromised for the sake of some. Moreover, there is always a cost-benefit trade-off for all such procedures and policies.. So.. I dont give it a damn as we know my job and we take it seriously.

rickeyln
rickeyln

Yes, Maybe people can find this stuff with a quick Google/Amazon/whatever search -but why help them out by giving it to them?

ipeters61
ipeters61

I don't trust them anymore. I'm going back to Hartford Courant Editorials.

a.southern
a.southern

The last tip, by the way, is SOOOOOO lame. Everyone knows you have your work window active, and then devote the bottom 15% of your screen to the leisurely surfing/unofficial activity. That way, you're not emblasened with "GOOGLE" or "FORWARD"/"BACK" arrows at the top when your boss walks past. Still use the {Alt}{Tab} combo though, just to lose the evidence. -AS

sean.ennor
sean.ennor

It seems to me that criticising someone [like WSJ] for exposing vulnerabilities is counter productive. If the article had been entitled; Top 10 risks CSOs should plug. The IT community would have applauded it. If we are naive enough to believe these risk areas are not exploited until a big journal writes about them, then we are kidding no one but ourselves.

JosB
JosB

"In many companies, there???s already too much of a disconnect between IT and the rest of the organization because of the fact that IT often plays the role of a policeman ??? to serve and to protect." I think this is a large part of the problem. IT just can't make clear that what they do is to make business operate. When I was in a pure technical IT function, I noticed a lot of work was done to keep IT operate and managed easy. However, this seemed to be the goal of IT, and not supporting the business in getting company goals. It's one of the reasons I switched to the business side of IT. I still see a lot of things happen in our (technical) IT department that have nothing to do with business problems and all with not being able to manage current business 'demand'. I see things like "we don't support that because it's policy", where the real reason is that they just don't know how to keep things in control. If that is the case, say so. We had a struggle about opening port 22 (outbound) on our firewall for legitimate business purposes because IT could not figure out how to restrict access to one specific site. I do see that business demand is also not always clear, but that's why IT and business should talk to each other more often. Business should be able to tell why they need certain things and IT should be able to tell why they don't allow certain things, without pointing to 'policy'. I'd love to hear "We don't allow remote storage of those files, because that could cause a confidentiallity breach, which would lead to compliance issues on our SoX statement. What are your specific needs that make you ask for remote storage?". This would mean 2 things: - IT shows some understanding of the business environment - IT is willing to help find a solution I think those two are the main failures in many IT departments.

chepenguin
chepenguin

SO funny to read all these IT techs getting their knickers in a twist over this. The WSJ is not irresponsible - YOU are if these tricks are possible on your systems and shouldn't be! Personally, I would much rather go for allowing users to do everything (yes everything) they want, yet provide them with the best (silent, invisible, background) protection possible – (that is to say primarily anti-virus and back-ups.). I have never understood limited email – just monitor and educate those who have 5000 message in the inbox etc. A PC is a tool, same as a pencil. You wouldn’t hand out blunt pencils ‘just in case someone stabbed themselves’ would you? No. Get a life IT guys, get over yourselves, you are part of the future, stop living in the past.

dawgit
dawgit

"Yellow Jouralism" Nothing new, and certainly not "News". -d

doc-cafein
doc-cafein

After reading such an improductive paper, my sole hope is to see several companies being badly hurt and damaged by employees using such poor tricks, then suing the WSJ for huge losses in their business. I used to consider the WSJ as a professional news paper. I'll treat them now like business terrorists.

Wayne M.
Wayne M.

Inline management is the appropriate vehicle for monitoring an employee's separation of personal and work activities. Most comapnies have long since given up trying to track employees personal telephone use from their work related use. No one really tracks whether photocopies are made for work related use or personal use. Treat professional workers as professionals and remember the professionals work for the company not the IT department.

Tig2
Tig2

We must always remember that we are business "facilitators", not business blockers. We need to play a visible role in communicating corporate strategy in terms of where the "no" is and why. Example- "I need to acesess www.sharemyfiles.com to facilitate my work". "Perhaps this is a better way". Or even "No, we can't allow that, but we can allow this" is better communication. And absolutely true- the corporate policy must not only be communicated, but maintained at the senior level. Without that, we are helpless. George, great input! Edited for trusting that spellchecker thingie.

dawgit
dawgit

Too many in the IT field have started to think they are the business. Most businesses are not, however in the 'IT' business. They do though 'use' IT to do their business. IT is a tool and 'we' are the tool masters. We should remember that when the 'tool' becomes a 'toll', we are out. -d

RFink
RFink

That's true, but it is a good reason? I've been on both sides of the fence and my attitude has always been, "If management approves a software package then it approves ALL of its features as well." I will have more respect for management when it lets technical people make the technical decisions, in the mean time let the users play. In my experience whenever there's a clash between the users and management I tend to favor the users because management comes up with some of the most idiotic deadlines and requirements but won't provide the users with the tools.

Chaz Chance#
Chaz Chance#

A long time ago (1980's) I used to teach word-processing to typists who wanted to remain employable with the introduction of computers. Now the typing pool has gone, and we all type our own letters on the computer. As the computer merges with telephone technology, will we see the desktop computer disappear? What will be the point of an IT department then?

Wayne M.
Wayne M.

I suspect IT departments will disappear. I suspect that computer hardware and software will cease to be a company provided asset and employees will be expected to provide their own (much like a good car mechanic provides his own tools). This has already come to pass somewhat for cell phones and PDAs and often times laptops for consultants. It already is often the case for teleworkers as well. As responsibility scales back to backoffice servers and physical cabling, IT will see its role and influence diminish.

Double DeBo
Double DeBo

When I first started with this company IT Policies were an unknown. I have since written policies for IT that are enforced. The two most important lists are Approved Applications List (AAL) and Forbidden Websites List (FWL). Network Audit scans are done randomly but at a minimum monthly. We use a 3 phase approach to violations of the two above lists, 1. Verbal and Written Warning, 2. Written Warning and two day suspension without pay, and 3. Termination of employment. Since writing the AAL and FWL there have been two #1's and at least 10 #2/3's. People just love to push their luck for some reason.

JoeBeckner
JoeBeckner

I guess this is the kind of sensationalist journalism we will see out of the Wall Street Journal as a result of the Rupert Murdoch takeover. You are right, it didn't take long for the WSJ to start to slip in its journalistic standards.

wdewey@cityofsalem.net
wdewey@cityofsalem.net

Do you publish a story about how to build a bomb just because it is available in the wild? Bill

craftamics
craftamics

In Windows XP, + locks the workstation with a login screen and the desktop wallpaper the only things showing. Then your visitor has no idea what was on the screen moments ago. I never know when I will be asked to accompany someone to a meeting or a discussion in the hallway or someone else's office, so I am in the habit of doing the + as soon as someone shows up at my cube. Keeps my workstation safe from "walk-by" hackers. It also prevents misunderstandings about what is on my screen since I never know what Google will list in search results. Some very legitimate business searches have had some strange results show up in the list.

blarman
blarman

Having worked in IT for over ten years, and most of that for a Fortune 50 tech company, my experience is that disconnects are frequently present due to management problems. A disconnect is a communications problem, and managers are responsible for facilitating and enabling effective communications. Whether that is between business units and IT or customers or whoever, it is a valuable skill that few people have and use effectively. Add to this the fact that rarely are IT programs given the information they need to assist the business in developing with the future in mind. Without collaboration between business and IT in forward-looking planning efforts, how are things supposed to mesh? I would be careful not to put all the blame on the IT department.

shelleykm
shelleykm

I've been in IT for almost 15 years now. While I agree communication between IT and (insert department here) is one of the biggest hurdles to getting business done, let us not forget the ineptitude of IT management in general. I've worked in large and small businesses that have had one thing in common: they didn't understand the role of IT in their business. Was it to support the CEO? The engineers? The sales staff? Not only did they not understand the role of IT, they were unwilling to draw lines in the ever-shifting sand. They were indifferent about training/educating the users about IT in general (what we do, why we do it, the effects on our business, etc). Of course, you can't educate until you know what you're doing. I'm not a mechanic, but I know when my car runs out of gas, I fill it; I know to check my tires for air pressure; I know to get my oil changed every 3000 miles or when the "change oil" idiot light comes on in the car. I know how my car sounds when it runs; I know to look under my car every now and then to make sure nothing is leaking (which would be a BAD sign). IT isn't asking the end user to be an IT pro, but we usually ask for basic awareness ... which apparently is beyond the scope of most. We all have our horror stories, and I'm sure we'd all like to disclose them ... except for contracts/agreements we may have signed. I can only hope those good IT pros in those nightmarish environments can find a way out before they get burned out. I did...

crevans17
crevans17

Treat the professionals as professionals. Most employees do nothing more than check personal email here and other harmless things of that nature. A computer usage policy and audit when wrong doing is discovered should be enough. No need to get wild and lock everyone down, but definitely have some sort of limitations in place. They are at work not in jail! Block myspace if you have to and if a user is smart enough to use a proxy: 1. good for them, or 2. block their access to using a proxy. Simple enough.

georgeou
georgeou

The users own the data and the security, IT are the Shepherd of data and security. IT is there to help meet the security guidelines decided upon by Sr. Management.

Tell It Like I See It
Tell It Like I See It

While the role that IT plays will definitely change, I don't see it "disappearing". It may become somewhat dispersed into other departments. Still, I think that some vestiges of it will remain for a long time to come. You have servers that need updated and maintained (and secured). This will likely remain true for quite a while, even if SaaS picks up. Not all servers can truly be removed from the backoffice. The Help Desk function probably won't disappear for a long time to come (unfortunately). It seems people feel it is more efficient to have "troubleshooting" people available with one number, even if the job of the Help Desk of the future is simply to know who you should call in any given situation. Securing the company's network will still be a function of someone for a long time to come. This would include giving people rights for their cell phones to access company data (even if it is on a SaaS system). For security reasons, this may be centralized as well. The communications links will still have to be managed, including the telecom link to your smartphone. It could also include wireless connections for laptops. Speaking of laptops, I think some kind of computer with permanent storage and local processing capacity will remain for a long time. Your laptop will work nicely on a flight; your smartphone won't. And heaven forbid that your critical presentation be someplace where you get no signal! Companies will likely want the purchase centralized so they can take advantage of discounts. Now for those who say that the workers of the future will provide their own computers, well, they'll probably also demand more money as well (in order to compensate themselves for their own computer). In that case, the company may find it cheaper to use a volume discount and supply the computer for the user in order to get a lowered salary. Outsourcing is proof of how companies love lower salaries. Software updates, anti-virus updates, etc. all have to be managed. Part of the reason for centralizing these is to ensure that the company is protected; you can't disperse management of things like these without sacrificing the very security it is supposed to give you. Oh, yeah, as for typists -- many CxO types have secretaries who perform multiple functions for them, including typing of letters and memos and even e-mails. So it seems to me that they still exist, but their job has morphed dramatically.

Neon Samurai
Neon Samurai

I don't think the workstation will go away though it will evolve into a smaller and more secure box on your desk. Even if it does get replaced by a smartphone with some sort of larger display, there's far too much tech running before the desktop connection that will need to be supported.

craftamics
craftamics

Software as a Service capability is growing and companies to supply and support it are building. In ten years or so, I expect whatever enterprise application you need to use will be accessed in a secure and encrypted manner via a web browser interface and the actual files/applications will be running in an outsourced data center somewhere else. The hardware for a major company's application servers would be mirrored in geographically separated data centers with automated fault failover. Then, only the service companys will have heavyweight IT talent. Non-IT companies would then have a few experienced and knowledgeable IT types to help choose a good service supplier and manage the contracts.

JosB
JosB

You are assuming that the 'car' and 'driver' are problems, where I think the 'road' is the real problem. We can educate people how to use their car and how to drive. They might not always do that well, but when you call a workshop that your car does not steer, they can help you. When you call the same workshop that you can't get from A to B, they will ask if you can drive and steer. If so, they can't help you anymore, since technical everything is alright. You need to call someone who can give directions. Now the real problem is, who is in charge of the road? Is it IT, who put roadblocks wherever they want (from user perspective) to keep things simple for them or is it business, who want clean highways from A to B, unless there are good reasons to restrict traffic. Furtermore, should IT determine A and B, or is that business? I think it's safe to state that business should be in control of the route and destination and that IT can help building the road and providing means of transport. It could be cars, trains or airplanes, as long as they can support maintaining them. What I see a lot of times is that IT is controling both the road and means of transport and have huge influence on the route. IT should shift that responsibility to business. Losing control may feel bad, but IT's role is support and not control!

shardeth-15902278
shardeth-15902278

So how much computer knowledge is equivalent to your level of car knowledge? where is the defining line between checking the fuel gauge and replacing the timing belt? Particulary considering the degree of change that occurs in IT?

jr_hearty
jr_hearty

I can't elaborate in this forum, but I understand the environment you describe very well.

Marty the Borg
Marty the Borg

I agree that users should know at least the basics, and I'm wondering where the best place to acquire them is. In your automobile analogy, where did you learn those basics? Was it the auto dealer? Your mechanic? The parts store?

Wayne M.
Wayne M.

Although I understand the business model being espoused, I don't feel the current technology used for web-based applications is satisfactory for business use. The connectionless HTTP model simply does not provide the reliability nor responsiveness of client server or telnet systems of 20-30 years ago running over much lower bandwidth connections. HTTP systems are plagued by data drops and data duplication issues. Furthermore, there is no graceful degradation when the system is oversubscribed; web systems have a definite L-curve collapse. Page based data validation is not terribly user friendly and the alternatives are either pushing more code back to the client or introducing a character mode to allow validation at the server. I agree that it does not make sense for most companies to have a dedicated department to develop software or to manage licenses and updates to software. I just do not believe that the current web framework is up to the task to delivering business class software to users.

Wayne M.
Wayne M.

Part of the problem is that as computer systems have become decentralized, IT departments have remained centralized. This has lead to serious issues of control and responsibility between distributed business managers and centralized IT decision making. The way forward is for IT to push a lot of control issues back to the business management and serve as a facilitator between business elements. Purchasing budget and decision making for desktop hardware and software needs to be pushed back to line management. IT does not need to be in the loop in deciding who gets a laptop, extra memory, or extra hard disk space. Business departments should be responsible for purchasing their own server space. IT does not need to enforce disk usage rules. A manager can choose to either restrict use or pay for extra space. IT should focus on protecting departments from each other rather the protecting the entire network from users. Use routers and firewalls to isolate a work group that becomes infected rather than playing nursemaid trying to prevent potential problems. Business managers should be given the responsibility to create accounts and grant access privileges. They are the ones assigning work, they should be the ones to grant access to the data and systems to do the work. By pushing the control issues back to business, IT can now focus on providing enabling technologies to business instead. These control issues are the underlying issue driving the IT vs. the rest of the world debate.

JosB
JosB

craftamics wrote: "IT has to work with management to find solutions that empower the users without weakening the system's security." Security is a business problem and not an IT problem (or at least should be). Security is about protecting assest, things that enable a company/department to achieve company mission and goals. That includes more than just systems, however, many companies rely heavy on IT infrastructure to achieve their goals. It is the role of the IT department to keep telling general management: "Hey, this is not 'OUR' system, it is 'YOUR' business". This is what I meant with "IT's role is support and not control". IT should give and push control of IT to the business. Business should take ownership. When the job of someone in IT department is at stake because business has not done their job, something is very wrong. However, this still seems common practice. Let me give you some insight on my professional background, it might shed some light on this. I work at an investment department ( + $50bln assets under management) of an organisation and have a role that can be compared with the security officer. It's my responsibility to make sure IT knows about business security requirements and implements them whenever possible. And to make sure IT does not restrict too much, so business is hurt. It's also my responsibility to help business gain insight in their information related risks (which is broader then only IT) and help them migrate those. Financial risks are covered by an other department, however, I do have knowledge about the financial risks and the area where information risks can lead to financial risks. Migrating IT responsibility and security to business has taken several years, so I know it's not an easy task. However, the current situation makes responsibilities clear, when there are problems, business is in the lead and IT helps them out. Even in a pure IT-related event (massive network problems early this year, causing a day downtime), it is business that sets priorities for the IT department and make sure they are enabled to fix things. Except some CMT communication issues, things went smooth considering the impact of the event.

craftamics
craftamics

JosB's last paragraph says "IT's role is support and not control". If they are going to get fired for a security breach or a system meltdown from malware and management is not supportive of user computer security education and enforcing policy with consequences, then lock-down and control is the only way to keep the system, and their job, safe. Managment has to have the fortitude to formulate workable, secure policies and enforce them. IT has to work with management to find solutions that empower the users without weakening the system's security.

jmarkovic32
jmarkovic32

I know jack squat about cars other than how to drive one, gas it up, and what the stuff on the dash means. Anyone who owns a car knows the basics. Not everyone who operates a computer knows the basics. Believe me, I work in a healthcare environment where the ladies at the front desk were working in that environment long before computers were mainstream in the office. What they know about the computer is limited to a specific program and muscle memory (I've seen users not be able to tell me their passwords unless they typed it into notepad). So we actually have computer illiterate folks using computers. I guess it's up to management to REQUIRE a user to have basic computer skills covered in any 101 level college computer class. With the younger employees, you know the folks with MySpace pages and smartphones, you really don't get bugged that much by them, but the downside is that they're the most likely to cause a security incident. It's also necessary to educate and train users on policies and procedures related to the system. Once you do that, you can enforce the policy and make them accountable for their actions. All of this can be done during orientation. When a new employee comes in, they give me 15 minutes to give them a crash course, sign some AUPs and get their password information.