On July 30, The Wall Street Journal published an article entitled "Ten Things Your IT Department Won't Tell You." The article discussed ways users could circumvent IT security and other restrictions, in the interest of getting their work done. Reaction came swiftly, in particular from TechRepublic editor Jason Hiner, in a "Sanity Check" blog. Jason pointed out that following the advice might apparently make the jobs of users easier, but also would expose the company to computer security threats and to potential legal action.
I agree with Jason that users who follow these tips could cause problems. At the same time, I want to approach this issue from a different angle, and suggest that it illustrates how good customer service, in addition to making a working relationship more pleasant, actually enhances IT security.
She's been cheated one too many times
She's never fooled around
He's still lyin', she's still cryin',
She's not foolin' now.
This refrain, from the Brooks & Dunn song "She's Not the Cheatin' Kind," echoes the common country music theme of infidelity.
Now I'm no marriage counselor, I'm not endorsing infidelity and I'm not questioning or attacking the morals of users who circumvent IT policies. I will suggest, however, that such users do what they do because they believe, rightly or wrongly, that the IT department is unable or unwilling to help them achieve their objectives. In this way, they're like the spouse who seeks attention elsewhere. In both cases, the circumvention of policies is merely symptomatic, and may signal deeper issues.
I ran into a similar situation two years ago, at a law firm in Washington, D.C. There, the manager of the help desk told me that although the telephones in the firm had caller ID capability, this capability was lacking in the phones of the help desk. When I asked why, she said that some help desk analysts were deliberately avoiding the calls of "challenging" callers. By suppressing caller ID, she reasoned, this problem would go away. I responded by suggesting a better approach, namely to help the staff deal with these challenging callers, and to speak with those callers and their supervisors. In addition, I pointed out the possible unintended consequences of this policy: that the help desk analysts might become more reluctant to answer ANY calls at all.
So it is with the users who circumvent IT. It's wrong, of course. However, remember that there's a possible business reason for why they're doing it. Consider talking with them to find out their needs. In particular, be creative and try to come up with alternative solutions that allow them the information they need, but which still leave your security infrastructure protected.
In other words, be careful about just issuing an edict about what they can and can't do, and the sites they can and can't visit. Doing so may simply induce them to try to defeat your policies, even if they previously weren't really interested in doing so. On the other hand, showing customers that you're willing to partner with them (and not be just a pain in the neck) will increase the chances that they'll respect your restrictions. In other words, providing good customer service can help enhance IT security.
Calvin Sun is an attorney who writes about technology and legal issues for TechRepublic.