I had planned this week to get back to my suggestions regarding the make-up of your internal Web2.0 group, but a few colleagues brought something to my attention that I thought might be more timely. Most of the articles I have been following over the last few months have been on the potential value and the practice of using Web2.0 as a business tool. Most of these articles vaguely reference the "security concerns" brought about by Web2.0 technologies, but they fail to provide guidance or cite any specific dangers. So, the vague threat of potential malware embedded in Web2.0 apps doesn't hold much water with me. Everything we do in IT has this potential. That's exactly why you have an Information Security program. However, this week I read an article from Sarah Perez, Your Web 2.0 App is a Security Threat, that subtly raises the other IT fear regarding Web 2.0 technologies - namely that misuse of Web2.0 technologies can endanger the confidentiality of your corporate data and information as well as pose a threat to legal compliance. The article itself is a broad review of a new product called ACE, which is designed to make it easier for IT to shut down rogue Web2.0 applications. The point Sarah raises regarding the potential dangers of rogue web apps is dead-on in its concern. Under-the-radar apps can pose a serious threat to your infrastructure and they must be monitored and controlled.
However, although I appreciate the value of a tool like ACE, I think it is futile to consider such a tool to be the solution as to how we as IT managers can "control" Web2.0. Due to its very nature, you cannot shut down Web2.0. Trying to isolate and filter "Web 2.0 technologies" is like trying to nail Jello to a tree. Sure, you'll be able to pinpoint whatever the hot technologies of today are, but tomorrow three more will spring up to replace them. As Chesterfield County CIO Barry Condrey pointed out in his feedback to the article, you will be forever chasing your tail in a futile "whack-a-mole" syndrome. You will be much more successful in your security efforts if you engage your user population in a give-and-take dialog to help you find a middle ground that everyone can live with, and then implement the technologies that support the mutually agreeable approach.
NOTE TO THE READER: Feel free to skip the next paragraph of introspective and perhaps self-indulgent "How I Got Here" detail. Although germane, it isn't required in order to get to the point of this post.
It wasn't until I got to the executive level of technology management that I truly began to appreciate the necessity, value and process of maintaining balanced technology service delivery. Most of us who are focused in one area of technology service get very, very good at it. You thrive on technical challenges and you typically work in a world of black and white answers. When I was in that stage of my career, I frequently had run-ins with customers who liked to toss their "flies" into my technology miracle cure-all ointment, or at least that's how I saw it. Although I was (almost) always patient and I tried to remain customer-service oriented with them, I was frequently vexed. I felt that they were just being difficult (and wrong) because they didn't have enough to do or because they were just uninformed. So I got frustrated with them because I couldn't focus on the "right" solution immediately, and they got frustrated with me because I was trying to categorize or jump to conclusions about their needs. (As an aside, here's a big "I'm Sorry" shout-out to all of you former customer co-workers who might come across this in your net travels.) Over time and with experience, and moving up through the ranks, my technology and business knowledge became much wider and shallower. Multi-discipline multi-tasking and business management skills became the order of the day. It became much easier for me to truly appreciate and honestly value the business users' needs. No longer was I focused on the technical solution...now it was more about focusing on just the solution. (Is that a collective "duh" I hear from those of you who have been at the exec level for a long time?)
For those of us who are in the IT field, we must be constantly vigilant lest we fall into the rut of getting wrapped up in the technology for the sake of technology. Advocating, marketing and even proselytizing for technology as an enabler should be a big part of our job focus. But don't let the tail wag the dog. We need to be one of those funky chameleons with one eye towards our users (business needs) and one eye towards our infrastructure (technology capability and requirements). I often think of my role as that of a sales engineer - I need to know my tech stuff, I need to know what my customers need and I need to know how to put those things together.
As I have said in previous posts, Web2.0 at its core is not about technology. Technology is merely the method used to redefine the way an organization communicates and collaborates with its customers. Likewise, technologies such as ACE are also enablers in terms of focusing that Web2.0 adoption into secure and reliable channels. But they are not the sole savior, nor should they be. The answer is to rely first on well-crafted policy that balances the need for security of information and systems with the business needs of your users. I spoke to Sarah offline, and although we may take different paths to get there, we share the goal of having an organization that runs technology in a safe and controlled manner to the benefit of all internal and external customers. Here in Roanoke County, we use a product similar to ACE to filter web applications because I don't want any covert apps popping up in the departments either, whether they are business legit or not. But before we install a technology solution, we need to get a strong, flexible and reasonable policy and practice in place to govern the use of Web2.0 in the enterprise. This policy cannot be solely a product of the IT department. We've got to have the conversation with all the stakeholders at the table in order for something of this magnitude to be effective. Everyone involved needs to approach the issue with an open mind and stay focused on the ultimate goal of improving the organization. IT folks must be willing to refrain from assumptions and be flexible on some of the traditionally locked-down areas and practices. Business users must be willing to adhere to the tenets of the policy and abide by the security and technology that must remain intact in order to preserve the security of an organization's resources.
Once you have the global policy in place and the details have been communicated to the organization, then you can fire up an application like ACE, provided it can be modified and customized to meet the current and evolving needs of your organization. By then, everyone should be on board with the technologies adopted and not finding ways around the policy. Violators should be disciplined accordingly because of the potential danger to technology resource integrity and the privacy and security of your corporate information. I'd also recommend periodic reviews of the policy to ensure that it remains in line with the changing needs of the organization and the new Web2.0 technologies that spring up on a regular basis. This follow-up will provide business users with a conduit to raise issues regarding the policy and security technologies and it will hopefully curtail attempts at circumventing policy direction.
Don't get me wrong - I know this is not going to be a simple process. You may experience wailing and a great gnashing of teeth, but the end result will pay off in dividends for all involved. As a former boss told me early on in our working together - "the best solution is not often the easiest".
Virtually Yours,
Greever