2005-02-01

Dear Bob ...

I just can't agree with the recent newsletter on Instant Messaging.

Yes, people will try to sneak in things that violate security policy.

They should be treated extremely harshly. Solitary confinement at Devil's Island would be a minimum. No exceptions. I would add, at a minimum, Abu Ghraib type "stress" positions to those who knew what they were doing and the risks they put *us* at and ignored the rules even with that knowledge.

Absolute security is not possible but acceptable security is not possible with laptops, blueberries, flashsticks, IM, etc. being used by anyone that thinks that they know better than the security department and are too important or can't be bothered to do what the people who are paying them have requested.

Do you think the CIA, NSA, NRO, DIA, NGA, et al. (but I omit DoS, Congress, the White House, and the NSC intentionally) could function to protect the USA by accommodating immature and selfish employees who put their convenience first? Why not just publish our secrets in the Times for Al Qaeda to read?

I was just the victim (along with 32.000 others) of a break-in that makes us all imminent ID theft victims. I have gotten a virus from this same org's web site in the past. [Fortunately the next NAV update caught it and fixed that problem.] These people actually have a fairly good security policy, knowledge, and tools in place.

The problem is that some people violate the policy. They just can't be inconvenienced by having to play by the rules that keep us all safe. Their immaturity and lack of social skills put us all at risk.

Their convenience is my externality. Who should pay the price?

Clearly those immature selfish types who think that IMming and using blueberries are more important than following the rules that keep us all safe should be the ones who suffer. But with your recommendations, the innocent will suffer and have to pay the price for these asocial people.

The real question is: is there a business need for blueberries and IM at all? If not, then they should be banned, and the punishment for using them brutal and swift. If there is a business case, then it should be *integrated* into the *system* and infrastructure that supports the enterprise, and only if it can be done in a secure manner that ensures that the risks do not undo the benefits.

Just letting these selfish idiots get away with breaking the rules and then trying to tack on some security to accommodate their actions is pure folly. Look at windoze and the approach they used. There was no security architected in. They keep adding patches that just open up more holes.

Why do you think the inmates should run the asylum? Letting people do whatever they want is bad business strategy and will lead to unintended yet anticipatable consequences.

- Jack the Whipper

Dear Jack ...

Well that's kind of harsh. I'm left wondering, with no little trepidation, what kind of punishment you'd like to see meted out for jaywalking. I'm guessing it's of the capital variety.

We're at cross purposes in this discussion. Should employees be encouraged to ignore security policy? Of course not. That isn't the question.

Which is to say, when IT restricts its vision to using draconian punishment to prevent the use of useful and innovative information technologies, it's being stupid. When it tells employees it knows better than they do what tools they need to do their work, it's being arrogant. And when, faced with new and interesting technologies, its total response is prevention, it's abrogating its responsibility for providing technology leadership to the enterprise.

And when IT is stupid, arrogant, and abrogates its responsibility, I have a hard time focusing too much of my attention on a need to increase punishment for employees who have decided to take matters into their own hands, finding better ways to do their work.

One other point, at the risk of getting self-righteous and all: Of all the cliches used in business, the one about letting the inmates run the asylum is very high up there on the offensiveness-o-meter. In an asylum, the inmates are, one hopes, insane or the asylum wouldn't be their place of residence. It's how the asylum chooses those in attendance.

A well-run business, in contrast, chooses its employees based on their ability to get the work done - on their skills, motivation and character. At the risk of pointing out the obvious, there are no parallels between the two situations.

Except that if you work in a company whose executives are fond of that phrase, you must be nuts for staying.

- Bob
