I speak with a lot of people who work in IT departments. Some of them even run the department. What I’ve noticed is that people involved in IT tend to fall into two distinct groups, which I label “Control Freaks” and “Freedom Fighters”. The two are easy to tell apart.
A typical conversation with a Control Freak will go something like this:
Me: Tell me, what are you hoping to get from this solution?
Client: We need to stop our users from doing this, we have to prevent them from accessing that data and stop them from sending it out. They shouldn’t get to this site and we don’t want them to be able to do this.
By contrast a conversation with a Freedom Fighter will sound more like the following.
Me: Tell me, what are you hoping to get from this solution?
Client: We need our users to be able to do what they have to do, we need to allow them to access data and let them send it out. They should be able to get to web sites when they need to and we want them to be able to do whatever it takes to succeed.
As you can see, the first example is the legacy view of IT: prevention and locking down of systems. The second has IT as an enabler to the business, allowing people to work whilst keeping the business secure. In truth, achieving the correct result is a fine balancing act between the two. If you lock down systems too much then users will either try to work around your security (not good) or the best of them will refuse to work under such restrictions and leave for somewhere that suits them better. Again, not good if the best of the talent leaves the business.
By contrast, if you ease up on security too much in the hope that users will be productive, then you face a greater risk of downtime and of becoming the target of malicious attacks. Those attacks will also bring systems down, may damage the brand, lead to lost sales and, at the extreme end and depending on the attack, could mean the failure of the organisation.
So, which is the right answer: Control Freak or Freedom Fighter? Perhaps the answer is a third type, the Business Enabler.
Me: Tell me, what are you hoping to get from this solution?
Client: We want to help our users do what they have to do. We need to allow them to transparently access the data they should have access to, and no more, and let them send it out in an appropriate manner to the correct recipients for the right uses. They should be able to get to the web sites they need, and we want them to be successful.
If you get the balance right then the organisation can work at speed, in a connected fashion, with appropriate security controls. Staff will be happy with their systems, and happiness leads to better motivation and greater success. It also leads to fewer support calls, an easier life for the helpdesk and more time for IT to improve the service, leading to even more improvements.
Redstone have a very good white paper, available for download, that gives a more in-depth explanation of this philosophy and of how the security decisions you take can make or break your organisation.