Wednesday, July 29, 2009
Loosening Security Controls to Boost Innovation
Douglas Merrill, Google's former CIO, on how to make peace between workers and IT departments.
By Erica Naone
At many businesses today, there's a fight between workers and their information
technology (IT) departments. Employees want to use instant-messaging programs
to communicate or export documents to Google Docs, while company security
officers get heartburn at the idea of so much company data being scattered
around.
At the keynote address this morning at the Black Hat computer-security
conference in Las Vegas, Douglas Merrill, who recently left EMI Music's digital
group and was formerly chief information officer and vice president of
engineering at Google, said that companies should reconsider this adversarial
relationship.
According to Merrill, studies show that employees can increase company
returns when they have the freedom to innovate by trying new software and new
workflows. However, those returns disappear when employees are made to feel
that their activities are illicit.
As an example of how companies can give workers freedom without compromising
security, Merrill described his experience at Google. "Google's
engineering culture was all about working the way you want to work," he
said. Employees could use any operating system and work from any convenient
location--the office, home, a coffee shop, or wherever. As a result, it was
impractical to rely on traditional security solutions, such as installing
antivirus software on each device employees used.
Instead, Merrill said, Google addressed security by building up its
infrastructure. For example, the company put antivirus protection on its mail
server, which is the main source of viruses that infect the network. The company
also watched its network traffic patterns for any unusual spikes.
Merrill said that companies need to find new ways to accommodate employees
while also securing their systems. Trying to change behavior, like asking
employees to stop using instant messaging, only stands to stifle innovation.
Comments
Those of us who've been doing this a while--and been paying attention--already know how to handle the fight between workers and the IT departments.
It goes by a couple of different names, but it primarily involves all three sides--the workers, the IT staff, and management--learning to focus on the needs of the business and not on the technology.
Most companies are not tech companies, and even most older technology companies are not filled primarily with "techies".
But the internet is full of people who work to get around "unreasonable" restrictions, and then provide those workarounds to people who may be restricted for good reason.
The internet is also full of people who will use those workarounds to get access they shouldn't.
Front line workers are often the most knowledgeable about their work, and their input should ALWAYS be sought out for process improvements, but these same workers often only see their part of the process, or the parts of the process that are "next" to them. Management needs to have visibility across the work-flow and needs to work to make sure that employees "get" why sometimes things work the way they do.
The IT Department needs to understand at a fundamental level that the network, the servers and the rest of the IT infrastructure exist to serve the business case. Management needs to understand that both the "geeks" in the IT department and the workers are humans and will provide better service to the company if reasonable accommodations are made (e.g. allowing properly proxied and monitored instant messaging can enhance productivity by keeping people from wandering outside to use their cellphone for 20 minutes every other hour) and "the workers" need to understand that they are hired and paid to do a job, to accomplish tasks and do stuff (well, management and IT need to learn this too).
Ultimately management needs to foster an environment where all three classes work together.
Regards,
Petro.
:wq
petro
08/06/2009
Posts:1
Since you can have private and public projects with or without moderation on togethearth.com, it can be totally invisible or a good way to advertise your research goals and find new experts.
j2l
08/07/2009
Posts:1