Anybody who thinks otherwise is only fooling themselves and will be rudely awakened when a security or other serious data breach occurs.
The best way to remedy this, as far as you can, is to create and reinforce an education programme that explains why you have to implement these policies, rather than just labouring the pitfalls of not adhering to them. As time-consuming and labour-intensive as it sounds, a period of open discussion and feedback sessions before you draw up your policies will alleviate some of the staff objections and generate an enormous amount of goodwill.
Everybody appreciates there needs to be some level of security, especially in heavily regulated or security-conscious industries such as financial services, but nobody appreciates dictatorship levels of oppression when they are not completely necessary. Simply saying it’s a disciplinary offence not to adhere to these policies, without first explaining them thoroughly or taking an objecting point of view on board, will alienate you from the very people you are trying to protect.
We’ve all been asked by staff across the organisation if they can use third-party file sharing services like Dropbox to share data, and had to refuse them on security grounds. We all know they use these services (and you probably do as well), and trying to implement an internal, secure enterprise version of a similar technology is very time-consuming to manage and expensive, not to mention extremely difficult to secure.
Smaller companies with less advanced infrastructure will often use third-party file sharing services as a low-cost and logical extension to their infrastructure. The security risk to their IPR is no less great than that faced by larger corporates, but they thrive on the nimbleness and agility that using these services gives their businesses. When new individuals join your organisation from these smaller and more agile businesses, through acquisition or organic growth, they will quickly challenge any seemingly draconian procedures you have in place. They will argue that these procedures stifle their agility and productivity, and with very valid reason: they are often brought in to disrupt your existing business, working in precisely the way they need to.
We need to take on board these new types of people and the roles they perform, adapting the necessary rules and procedures to allow them to go about their business rather than stifling them with regulation. This is challenging and a bit scary, but as long as your security is not diluted too far, adapting to incorporate these new roles and working practices will show your willingness to change and will not go unnoticed across the organisation.
In the new arena of change and disruption, those who adapt will thrive and those that don’t… well, you know how that story ends.
Christian McMahon is Managing Partner – Board & CIO Advisory at Jamaza bvba. Christian is a commercially astute senior IT Executive and digital leader, with 20+ years of influential leadership experience in building value and revenue generating multinational IT organisations. Christian is a recognised blogger and respected expert in the IT sector with significant reach and engagement across social channels. Christian writes regular thought leadership pieces for a number of major online properties and more information from Christian can be found at his blog.