InformationWeek

August 3, 1998

Secret CIO:
Mea Culpa! Mea Culpa!

We made complicated what could have been made simple. Security and convenience are not mutually exclusive.

By Herbert W. Lovelace

he problem with being overly smug is the uncomfortable feeling you get when you recognize you have become as bureaucratic as the people you disdain. This flaw in my little world hit home just after I had been dismissive of a telephone call from our VP of Human Resources, Stephanie Stone.

Stephanie isn't one of my favorite people; she combines all of the lovable traits of a supreme egotist with those of a compulsive complainer. So when she told me in no uncertain terms that our new network-access security procedures were unnecessarily complicated, I responded indifferently that I would investigate her complaints as soon as I had an opportunity--which in my mind would be sometime after the millennium.

It was no more than five minutes later that Karen Lovell, our VP of Planning and someone I respect, phoned and said I ought to look into the new security procedures. She said one of her people had just spent five days getting more and more frustrated with the simple task of getting a network identification code and password. I take Karen seriously, so I decided I'd better find out what was happening in my IT shop, since I'm supposed to be the boss.

To summarize a long and embarrassing story, I learned that recent exhortations to my staff to make sure that we don't have any security breaches on the network had been taken to heart, but not to head.

Here is the process we cleverly developed, and that I had just defended to Stephanie: First, we have a form, which has to be signed by two levels of managers, for people to obtain an E-mail address. Next is a separate document to get Internet authorization, and yet another one to be completed to gain mobile-computing access.

I assembled the appropriate IT managers. When I asked why we didn't have one form with the proper check-off blocks, I was informed that because each of these services has a different lead support person in our IT organization, it was easier for filing purposes and control--whatever that is--if we had different documents.

I closed my eyes, counted silently for a few seconds, and asked why we filed the forms--and why we couldn't just have the manager of the employee send one of us an E-mail authorizing use of the needed areas? There was quiet in the room and I saw these earnest souls wondering why the boss was being so troublesome.

Finally, Bruce Madison--who is head of our desktop support and has little to do with our security function but a lot to do with keeping users satisfied--piped up and said maybe he and his colleagues could come back to me in a few days with a simplified process. I said that would be a good idea. Having completed a difficult meeting, I decided not to delay the painful part any longer. I picked up the phone to call Karen and Stephanie.

As always, Karen was cordial. I explained to her that we would immediately grant access to her new employee--before the end of the day--and that, further, we were revamping the whole procedure.

I then swallowed hard and called Stephanie to apologize. I repeated essentially what I had told Karen and thanked her for her input. I'd like to say she was gracious, but she wasn't. After all, she is obnoxious when she is wrong, so you can imagine what she's like when she's right. What's worse, she had every right to be annoyed. We made complicated what could have been made simple. Security and convenience are not mutually exclusive.

At least I learned a few important lessons. First, even a pain in the butt can be right. Second, and more important, you need to keep in touch with your users--even the ones you don't like--to know what's really happening in your own organization.

Herbert W. Lovelace is the CIO at a multibillion-dollar international company. Herb practices his day job under an alias and has changed the names of colleagues to protect the guilty. You can send him E-mail at lovelace@home.com. He'll provide real answers--and whimsical comments--to your questions on InformationWeek Online at www.InformationWeek.com.