CIOs Uncensored: The Wall Street Journal's Irresponsible And Dangerous Attack On Corporate IT
An article that instructs people on how to get around corporate IT policies sends many wrong messages.
Do you feel your cybersecurity policies are a joke?
Do you take customer and employee privacy seriously?
Do you treat confidential and highly sensitive information with the seriousness and security it deserves and that the law demands?
Do you think your IT department exists to drive business value, or to cause employees headaches?
Do you look fondly on employees who flout and defy high-level corporate policies?
I ask these questions -- silly though they may be -- because a newspaper I've long respected has recently published a breathtakingly misguided article that sharply contradicts what I thought were the obvious answers to those questions. Here are a few quick excerpts from The Wall Street Journal article, headlined (misleadingly) "Ten Things Your IT Department Won't Tell You":
"Specifically, we asked [hackers] to find the top 10 secrets our IT departments don't want us to know. How to surf to blocked sites without leaving any traces, for instance, or carry on instant-message chats without having to download software."
From the section on "How To Send Giant Files": "The Risk: Because these services send your files over the Web, they're outside of your company's control. That makes it easier for a wily hacker to intercept files during their travels."
From the section "How To Search For Your Work Documents From Home": "Getting hold of your company's internal documents could give others insight into your plans, and losing certain information could have legal repercussions. In particular, myriad state laws regulate how a company has to react when it loses private information about customers or employees; most require notifying those people about the breach in writing. Sending these notifications can be costly for your company -- not to mention damaging to its reputation."
Now, call me uptight, but reporter Vauhini Vara's description of the repercussions of a privacy breach sounds a touch naive, wouldn't you say? I mean, couldn't she have stretched a bit and ventured into the wild unknown of, well, what is right and wrong? I wish I could tell you but I can't, because the reporter didn't respond to my e-mail inquiry. But here's the letter I wrote to her:
hi vauhini----thanks for the interesting article. full disclosure: i have multiple dogs in this fight as i'm editorial director for a group of websites, conferences, and magazines that cover business technology and its application in the corporate world. our brands include InformationWeek, Interop, TechWeb, Web 2.0 Summit, and many others.
i tip my hat to you for coming up with and executing on a provocative and compelling idea. but there was something about it that was more than a little discomforting, and perhaps the best way for me to express that unease is by turning to your own words: "To find out whether it's possible to get around the IT departments, we asked Web experts for some advice. Specifically, we asked them to find the top 10 secrets our IT departments don't want us to know. How to surf to blocked sites without leaving any traces, for instance, or carry on instant-message chats without having to download software."
now, without question, there are many IT departments with backward policies, small-minded rules and regulations, and petty practices---those deserve to be mocked publicly and need to be changed internally, or else those companies will rapidly become irrelevant because their priorities are way out of joint with 21st-century global business.
but your piece went well beyond that---you solicited input on how employees can cheat their employers without being caught, and to do so in areas of enormous sensitivity to employees, their employers, and even customers and suppliers as well.
and so i wondered if you would, as a followup, perhaps share with your readers "Ten Secrets Your CFO and Finance Department Don't Want You To Know." perhaps you could enlighten folks on how to view financial documents and results they are not authorized to see; perhaps you could inform them on how to disseminate inside information without getting caught; and perhaps you could share secrets on how employees can give confidential company information to stock analysts without anyone ever finding out.
or maybe not----perhaps you feel such articles would be inadvisable or maybe even inappropriate. in that context, is your tutorial on how to scam corporate IT policies so much different?
as i've said, many IT professionals have failed to transform themselves into business technologists whose top priority is delivering business and customer value, and instead remain mired in a misguided role as high priests overseeing inscrutable machines detached from reality---the sooner companies weed out such deadwood, the better. but your article pushed far beyond that and delivered a clear message that all IT departments are a joke and, indeed, ought to be circumvented at every opportunity. i doubt very much that such a policy would go over well at The Wall Street Journal (imho, the greatest media property in the world) or at Dow Jones, so i have to wonder why in the world you and your editors felt it would be appropriate to foist such potentially dangerous ideas about IT on the business world at large?
thanks for your time, and all the best.
I really don't think this whole discussion -- the Journal's article and my reactions to it -- is about IT. I think it's about right and wrong, responsibility vs. irresponsibility, and knowing the difference between what we can do versus what we should do. Should we all be able to laugh at ourselves and to chuckle at the reputation our profession has been given (or has earned)? Absolutely. Is it OK for the Journal to publish such a piece, particularly when it's framed in the way of schoolkids passing notes in class describing the wacky things they'll do on the playground? It sure is -- that's not my gripe.
Rather, my gripe is that the WSJ article sends many wrong messages: That corporate IT is a joke. That corporate policies are silly constructs that inhibit employees from doing what they want. That the employee/employer relationship is a sham. That trust is a fairy tale. That personal responsibility is a myth. And that it's OK to break every rule you can as long as you know the risks and don't get caught.
And that's all just wrong. And no matter how advanced our technology gets -- or how "sophisticated" our outlooks get -- it always will be.
To find out more about Bob Evans, please visit his page.