1. Share the Sandbox
The IT department used to control all technology. And among corporate IT staff, many still feel that users aren't responsible enough to handle technology on their own. If you doubt this, search Slashdot.org for the term "luser".
That's one reason why corporate IT is often quick to dismiss technology projects initiated by users. But technology encompasses too many categories for the modern IT department to keep up. CIOs have to start thinking differently about what they really need to be responsible for and which responsibilities they can share with users. The way to start is by identifying what is critical to protect the enterprise. One emerging strategy is to secure the network and not worry about client devices — until they connect with the network.
David Steinour, CIO of Furman University, had to learn how to secure a network while at the same time maintaining zero control over what it is used for. Once, several years ago, Steinour worked at a different school, where he limited access to peer-to-peer file-sharing networks. He thought he had good reasons: He was receiving complaints about copyright infringement from the music industry, and the traffic was eating up almost all his bandwidth. After limiting access, the university president — received complaints from parents and students. The complaints finally stopped when Steinour explained his rationale, but the experience taught him that he could not control everything users put on their computers or limit what they download. The faculty, for instance, had legitimate reasons for using file sharing.
Nevertheless, Steinour stakes his job on protecting the network. Before anyone at Furman can connect to the enterprise network, her computer has to undergo a scan and have its virus definitions updated. The first time a user connects, this takes about a half hour. The process is invisible thereafter. "There is no possible way we can police everything that goes on," says Steinour. "So I protect the institution, not the individual."
The same network-centric approach can work in a corporate environment. "I am a data socialist," says Young, exhibiting this new virtue. "I don't own the data. My customers own the data." Young has realized that he can't control everything that the businesses on the Ute reservation want to do with IT any better than he can predict them. For instance, the equity traders who work for the tribe's investment fund have to do all kinds of research; it would handicap them if Young blocked certain Internet sites or refused to let them use certain research tools. "I am open to having other forms of tech in our mix without being a snob about it," he says. "We have guys downloading data from FTP sites.
"I am more wide open today than I have ever been," he adds, but "it's not like I opened up port 80 and said have fun."
In fact, Young has compensated for loosening the control on what end users do by tightening his control on the part of IT that no one else can touch without his permission: the corporate network. "I know everything that is happening on my network at all times," he says matter-of-factly. He uses a variety of applications, including content filtering software and intrusion detection and monitoring tools, to gain real-time insight into everything that is happening. If he finds something on the network that shouldn't be there, he acts. It's a way of ensuring security without inhibiting users. And in those rare instances where Young does have to restrict an activity, it is as part of a compromise. For example, he doesn't allow people to send encrypted JPEG and GIF files because virus prevention software can't detect viruses embedded in them. But anyone who wants to send an image can send it unencrypted, or send a link to the Web site where the image resides.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.