No one gets fired for banning IM

At a recent IT Roadmap show — a travelling road show that brings Network World columnists “to life” — I met two security professionals who lamented their company’s security policy choices. I know that discussing the policy at a show won’t change it, but it’s therapeutic to commiserate about poor security policy decisions. Of course, I only have part of the picture, so it’s unfair to judge those policy choices. I go for therapeutic and interesting over fair in this particular instance.

The company in question (nameless, of course) has chosen to ban all forms of instant messaging. This is a pet peeve of mine because our research shows that IM has a compelling ROI, both in hard dollars in areas such as sales, and even more so in soft productivity dollars. I am a firm believer in security that enables business risk where the risk brings a compelling ROI or competitive differentiation. After all, if we’re not willing to accept some risk we should probably disconnect from the Internet and shut down the business. This argument is over IM, but it is exactly the same argument that I had 15 years ago over “connecting to this Internet thing” at financial services firms. I’m guessing that in the earlier part of the previous century there was a security professional arguing against the use of this “telephone” device that was in fashion among the younger generation.

But regardless of the relative merits or risk of using IM in a business setting, this same company has every user run Windows as an administrator in order to support some legacy application. Not only is it a supremely bad idea to run Windows as an administrator, it also makes it almost impossible not to ban IM as a follow-up decision. If you set your policy to trust the user as admin, you can’t trust them to run any code… This truly boggles the mind and is a classic example of missing the risky forest while obsessing about risky trees.

It reminds me of a documentary video from the 1970s showing anti-nuclear protesters outside a nuclear power plant. They’re all chanting “Nuclear Power Kills!” Every second chant, most of the protesters stop to take a deep drag from their cigarettes. Thirty-five years later, would anyone want to bet as to how many of those protesters died from nuclear power vs. smoking? Perhaps when modeling risk in society we have to consider smoking as more dangerous than nuclear power (and therefore consider sugar as more dangerous than terrorism because of the diabetes epidemic).

In a business you must make risk decisions with a comprehensive and self-consistent model. You can’t optimize risk locally — because of the “weakest link” characteristic of security. Which is exactly why I rant about security policies like this. They represent the “no one got fired for banning IM” brand of weak reasoning that allows some security people to drop the consequences of risk-avoidance on business productivity and competitiveness, while making the “safe” choice.
