Security and customer service: Why they go hand in hand

On July 30, The Wall Street Journal published an article entitled “Ten Things Your IT Department Won’t Tell You.” The article discussed ways users could circumvent IT security and other restrictions, in the interest of getting their work done. Reaction came swiftly, in particular from TechRepublic editor Jason Hiner, in a "Sanity Check" blog. Jason pointed out that following the advice might apparently make the jobs of users easier, but also would expose the company to computer security threats and to potential legal action.

I agree with Jason that users who follow these tips could cause problems. At the same time, I want to approach this issue from a different angle, and suggest that it illustrates how good customer service, in addition to making a working relationship more pleasant, actually enhances IT security.

She’s not the cheatin’ kind

She’s been cheated one too many times

She’s never fooled around

He’s still lyin’, she’s still cryin’,

She’s not foolin’ now.

This refrain, from the Brooks & Dunn song She’s Not the Cheatin’ Kind, echoes the common country music theme of infidelity. Now I’m no marriage counselor, I’m not endorsing infidelity and I’m not questioning or attacking the morals of users who circumvent IT policies. I will suggest, however, that such users do what they do because they believe, rightly or wrongly, that the IT department is unable or unwilling to help them achieve their objectives. In this way, they're like the spouse who seeks attention elsewhere. In both cases, the circumvention of policies is merely symptomatic, and may signal deeper issues.

I ran into a similar situation two years ago, at a law firm in Washington, D.C. There, the manager of the help desk told me that although the telephones in the firm had caller ID capability, this capability was lacking in the phones of the help desk. When I asked why, she said that some help desk analysts were deliberately avoiding the calls of “challenging” callers. By suppressing caller ID, she reasoned, this problem would go away. I responded by suggesting a better approach, namely to help the staff deal with these challenging callers, and to speak with those callers and their supervisors. In addition, I pointed out the possible unintended consequences of this policy: that the help desk analysts might become more reluctant to answer ANY calls at all.

So it is with the users who circumvent IT. It’s wrong, of course. However, remember that there’s a possible business reason for why they’re doing it. Consider talking with them to find out their needs. In particular, be creative and try to come up with alternative solutions that allow them the information they need, but which still leave your security infrastructure protected.

In other words, be careful about just issuing an edict about what they can and can’t do, and the sites they can and can’t visit. Doing so may simply induce them to try to defeat your policies, even if they previously weren’t really interested in doing so. On the other hand, showing customers that you’re willing to partner with them (and not be just a pain in the neck), will increase the chances that they’ll respect your restrictions. In other words, providing good customer service can help enhance IT security.



Calvin Sun is an attorney who writes about technology and legal issues for TechRepublic.


It's true that sometimes an end user circumventing security policies is just someone that feels the IT department is holding him/her back, and that there needs to be some kind of attempt to address the (perceived) needs of that end user. It's true that sometimes a policy of prohibiting certain behaviors is too broad and restrictive. On the other hand, there are times when such policies are exactly what they need to be, and an employee violating those policies can lead to tremendous problems and expenses for the company. Sometimes, when end users are prohibited from visiting a given website, it's because that website is loaded up with malware that can directly impact security. Sometimes, the end user needs to be restricted from certain behaviors, and that end user needs to stop trying to get around those restrictions. If an employee is doing something that exposes the company directly to such risks, and is doing so in a manner that is obviously in violation of security policy, that employee may need to be disciplined or even fired. It's harsh but true. On the other hand, if the end user manages to get around the technical restrictions that would keep that end user from circumventing policy, or if the end user has reason to think it's "not that bad" because there are other, similar policies prohibiting behavior that isn't detrimental to the company, the people in IT who institute such policies may also need to be reviewed. Violating security policy is bad, but diluting it with arbitrary and unnecessary restrictions is just as bad, in part because it can ultimately encourage people to violate security policy.


If IT is preventing the business from doing business, then they are shooting themselves in the foot. The business side of the company needs to make money, and IT should not get in the way of that. Your paycheck money doesn't get generated out of thin air! Check my blog for more on this topic:
