Stu Laura, our intrepid CIO, takes on a failed and flawed model: providing Least Access to data.
Remember our friend Stu Laura, the CIO who daily fights the internal battles on Mahogany Row? Let’s check in to see what's aggravating him this week.
Laura: I'm going to change my first name to Zoloft or Prozac or something. These ongoing wars inside our shop between those who want access to internal data and those who want to restrict access and lower risk are killing me! They want it both ways and they can’t have it both ways.
Anderson: Stu, you've never suffered fools gladly. You work for a data-rich company. You exist by having your financial samurai continually come up with such arcane products that no one understands them--and then selling them to clueless customers, right?
Laura: You bet. Sometimes, however, the innovations have nothing to do with the customer and have everything to do with internal systems. But the real line in the sand is deciding who can get what access to which data. Our model was a failed and flawed one--Least Access--which meant that we give only minimal levels of access to people so that they can carry out their jobs. It's the equivalent of “name, rank, serial number,” but that gets right in the way of the sort of creativity and initiative that we need to build arcane but profitable products! Creativity happens on the edge. Least Access just doesn’t work. It never has worked and it never will. We found that at least half of our staff was over-entitled, and maybe that figure is close to 90%!
Anderson: So the problem is that the more you follow the rules, the more you restrict access, the lower your risk. But at the same time, you don’t get the “bonus” of coming up with creative solutions that cross boundaries?
Laura: Katherine Hepburn once said: "If you obey all the rules, you miss all the fun," and I didn’t even know she knew IT. But it's true. We have tried and tried to find a balance between the two--and we can’t.
Anderson: Surely there's some data that shouldn’t be shared.
Laura: Of course. Our most sensitive data we will never allow to escalate. But there's an enormous amount of data that is “gray”--not really strategic but which has some value. It's this second category where the battle lines are forming.
Anderson: What's the root problem?
Laura: Asked like the consulting puke you used to be! The problem is that some idiot thinks that this is a computer science problem when it's not. It's just one more dead flounder that they've dropped in my lap.
Anderson: OK, if it's not a computer science problem, what kind of problem is it?
Laura: It’s a business management problem! We can implement a strategy, but that's it. Management’s goal should be not to limit access to data, but to figure out a way to facilitate access. They haven’t and they won’t. They want to brag about the benefits when the company comes up with something great, something really innovative, but they want deep cover to protect their rears when and if we have given the wrong level of access to the wrong people.
Anderson: Now who’s mouthing platitudes?
Laura: The real key around here is timeliness. By the time someone who needs data gets the approvals of the Nazi gatekeepers around here, we have lost the ability to move quickly. We use approval cycles as a way to quickly squash great ideas. We kill with kindness and best intentions.
Laura: The only thing that might work--and I emphasize might--is if we allow people to escalate and then come down very hard after the fact on those who abuse the privilege.
Anderson: Will that plan work?
Laura: I don’t see why not. In fact, I'm waiting for approval of it now.
Howard Anderson, founder of Yankee Group and co-founder of Battery Ventures, is currently the William Porter Professor of Entrepreneurship at MIT. He can be reached at email@example.com.
For more Global CIO perspectives, check out Global CIO.
At the 2011 InformationWeek 500 Conference, C-level executives from leading global companies will gather to discuss how their organizations are turbo-charging business execution and growth--how their accelerated enterprises manage cash more effectively, invest more wisely, delight customers more consistently, manage risk more profitably. The conference will feature a range of keynote, panel, and workshop sessions. St. Regis Monarch Beach, Calif., Sept. 11-13. Find out more and register.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.