This story from law.com came across my desk a few days ago: The law firm Elliott Greenleaf & Siedzikowski is suing a former partner and his new firm for stealing data and diverting work. According to the complaint the former partner and two junior attorneys abruptly resigned from the law firm, but before they left, they locked their offices leaving their computers connected to the firm and the firm's Dropbox account.
It gets complicated. The staff couldn't break into the locked offices because the building is owned by the defendant and leases it to his former firm. Elliott Greenleaf & Siedzikowski also claims that 5% of the firm's backup tapes where deleted by the defendant and data continues to be stolen through a combination of Dropbox, remote access, and network access. (Something about the story, as told, doesn't make sense: Even if the PC was in a locked office, surely they had some way to disconnect it from the network, unless they also had no access to the network wiring. But that's not the main point here.)
Think about explaining that scenario to human resources staff who might never have heard of Dropbox, peer to peer, or the cloud, let alone understand the benefits and risks they pose to the enterprise. Explaining IT to HR is like explaining IT to your mom. And in many cases HR's computer policy was written before social, portables, and CoIT (consumerization of IT). It runs mostly along the lines of no pornography, do not violate any laws, keep information confidential, and do not use the network for your profit. It rings of 2006.
Without an updated policy, IT is left to create it ad hoc. The problem with that is IT on its own has no teeth. Though it would like to think otherwise, IT is just another service provider, like document services, or marketing. One of the byproducts of consumerization is that it has removed much of the mystique behind information technology. Users are increasingly solving their own technical problems, and they might challenge the tech that is telling them no.
Policy must come from human resources. It and IT needs to craft a realistic contemporary policy whose scope spans the employment arc of the user, recruiting and hiring, day to day, and the exit.
Graduates entering the workforce today have less regard for security, less respect for the IT department, consider the Internet as important as air, water, food and shelter, and would be willing to take less pay so they could use their own devices. They have a definite set of expectations from the company they're applying to. That's the CoIT tsunami. Now if HR has its hand in writing the policy, it could attract a better caliber of recruit because it would be speaking their language. And the new recruit will become a happy user because IT's deliverables will more closely align with HR's promises.
Remember, CoIT is a good thing. It allows employees to use the tools they want, which makes them more productive. The point is not to craft a bulletproof text to lock them down, but to define the limitations--whatever they are--and the consequences of violating them. HR's role is to communicate unambiguously what is permitted and what is not, because IT can enforce just about any policy. With application-level firewalls such as those from Palo Alto Networks, network admins can tweak access in whole new ways. For example, users would be able to visit Facebook, but not post to it. Or to post, but not to play games. IT can afford granular control especially in a law firm the size of Elliot Greenleaf. Products such as iPrism can block peer-to-peer connections with a click. But if an employee demands SugarSync because a client is using it, IT cannot revise the policy without input from HR and possibly other groups.
Could a strong policy have prevented the data loss that Elliot Greenleaf claims? That's a bit tricky in law firms. Partners own the joint and when they don't want to abide by the policy, they simply don't.
The initiative of the two departments hammering out a policy won't come from HR. It's up to IT to reach out to HR because I would bet your HR department is oblivious to the challenges. It's dealing with a paradigm shift of its own, which some have coined the consumerization of HR. Though not the same, there are some parallels with CoIT. For one, users are answering their HR questions remotely without ever calling HR. The similarities could be an entry point for IT to start the conversation.