Any organizational change management expert will tell you how tough it is to get employees to adopt new ways of doing things. So, managing change from an organizational standpoint, whether it's the pain of new enterprise resource planning software or new security policies on the network, is typically one of a mature IT organization's toughest thing to do. (Immature IT doesn't even try, and stands there bewildered when initiatives fail, but that's a topic for another day.)
When is it hardest to change an organization? When budgets are flush. When people feel comfortable. When there doesn't seem to be an impending threat to the organization. Think of it as your corporate picnic. The sun is shining, and all is well. Yelling at people that they need to move to a shelter will get you looked at strangely. It won't work.
It's easiest to change an organization when things are already difficult. When it's raining, or even if you have a credible weather forecast, it's pretty easy to get folks to move to the shelter. So, savvy IT managers look at budget crises as an opportunity to change practices for the better. There's really no better time.
Security vs. Flexibility
There's usually something of a conflict between IT and the most innovative users in an organization, not because IT is stupid and belligerent, but because there is an inherent tension between flexibility and security. It's similar to the tension between stability and innovation. Witness, for example, the Fedora project vs Red Hat Enterprise Linux. Fedora will give you all of the whistles and bells, but it's not exactly what you want to be using as your 24x7 rock-steady data center server.
New technologies that are out of IT's direct span of control also give seasoned IT engineers the willies, be it software as a service, infrastructure as a service, or even desktop as a service.
At the same time, the resources that most IT organizations have fewer resources to handle basic, everyday needs. If your organization has lost headcount, you know what I mean. But even if your organization has "just" lost temp funding or has canceled service contracts because of a budget squeeze, you still know what I mean. More stuff to do, fewer resources to do it with. Therefore, IT battens down the hatches, and "frequent flier" or high maintenance users or departments have to take a back seat.
As IT gets squeezed, you can bet that these users will be tempted to take matters into their own hands. I recently wrote that technology consumer cockiness is at an all time high. So, just as IT is least prepared to deal with it, users may be inviting security and reliability issues by going rogue and bypassing network security.
Now add this to disconcerting analysis from the folks at SecureWorks, who found that there is a thriving marketplace for "pay per install" malware, where criminals will pay about $140 to install "crypted" (hidden from virus protection through dynamic encryption techniques) malware per 1000 computers with IP addresses in the United States. So, these "clever" users who bypass your security and standardization methodologies are putting themselves and your organization at significant risk.
Change We Need
Budget cuts have put organizations into a heightened state of alert. It's raining at the picnic. So it's actually the perfect time to start clamping down on some legitimately risky and expensive activities, while loosening up on others (in a supervised way, of course). Here's one possible battle plan for 2010.
Have a Management Discussion. Now is the time to talk to management about how much "unlimited" IT support costs. Explain that total PC freedom equals unlimited IT support. Get a sense for the degree of liberation versus control that the CEO will support. Go in with a plan about what you think you can support versus what you don't think is wise to support. Be prepared to discuss resource level, and be open to some degree of outsourcing if what the CEO wants is different than what you can deliver. Remember: this conversation is about a mutual interest: getting the enterprise what it needs from its technology investment.
Liberate the Service Desk. Most folks agree that some level of control is needed to keep support costs down. Gartner states that a well-managed desktop PC can be 42% less expensive to keep than an unmanaged one. And a report from Faronics corporation earlier this year concluded that organizations could expect 40% fewer support tickets per desktop when using lockdown software. Expect that not all users will be able to be locked down, but similarly, expect that many users will be able to live with a reduced level of free-for-all. Achieving a balance is important. Look at your service desk tickets. How many hours are you spending unscrewing user PCs when they shoot themselves in the foot?
Engage Your Smart Users Your smart users will be able to bypass lockdown. In our recent "Radical Desktops" InformationWeek Analytics research survey of 376 business technology professionals, we found that about half of IT organizations doing user workstation lockdown said that they knew smart users were circumventing their controls. Tell them (better yet, show them) that it's raining out and they need to seek shelter!
Let Go, Just A Little. Do you really need to control everything about how your users use information technology? Let go a little bit. Who are you to tell your users which email system works better for their business needs? If Google's mail offering works better than Exchange for them, great. Help them test it out. They may come running back to you with their tails between their legs, grateful that you helped them test all of that icky enterprise app integration stuff before they went whole hog with their business unit. You'll build credibility with your most flexible users -- who can also be your most risky users. That credibility is important, because you want them to check with you before they go out and do something dopey.
You can't be everywhere, and you can't put a camera in all clever users' offices; your best defense in an era of rising threats and lowered budgets is partnership and an open mind. And who knows, through this partnership, you might actually figure out that new, less expensive ways serve the business just fine. That might mean that you can shrink your budget in some areas and re-invest in innovation in others.
Jonathan Feldman is is an IT executive and analyst working in North Carolina. He has 20 years of security and network infrastructure experience in government, military, healthcare, financial services, and law enforcement. Comment here, write to him at email@example.com, or on Twitter at @_jfeldman.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.