As software proliferated, it grew to accommodate not only specialized function but classes of function. For example, some software was designed to military specifications, and had its own set of requirements. Other software needed to be used exclusively in a business-corporate environment. That type of software, called “corporate” for lack of a better term, is designed around the concerns of groups of people working together. It attempts to verify who is doing any action, keeps logs and accounting, and blocks any actions that could circumvent the corporate objectives.
In contrast to corporate software, consumer software is designed to be easier to use, and to make common tasks into functions, so that Mom and Dad can perform a combination picture edit, upload to web site and send IMs to friends notifying them of the new images. It might be tempting to write it off as junk software except that so many of our innovations come from the consumer world, because people using software for play and not work (hint, humanity) find the more interesting applications which are not directly related to task control.
In The 8 Most Dangerous Computer Technologies, corporate IT is shown its future: consumer ware leads the pack as far as new features, and corporates will have to adapt to keep up. In the article, the writer(s) detail several of the new challenges, including the potential security horror of USB drives, the ubiquity of web mail, cell phones, chat and voice over IP. The solution they edge toward is one corporate America might not like at first.
Instead of banning the consumer software, they began an assimilation program. It was okay to bring in a USB drive, long the bane and fear of administrators, if you used their encryption software on it so that if you lost it, you wouldn’t also give data to the world at large. I think this is a step in the right direction, and I’d take it even further, taking advantage of something I’ve learned from Google. If you offer people free breakfast, free dinner, and a chance to socialize, they’ll hang out around the office. I think Google will find that this is effective only for the first three years of an employee’s time at the company, but it’s equally relevant to an inverse scenario.
That inverse is what most of us face, which is being in an office when we need to be out doing the things we need to do to keep our households in order. I’ll bet most of you have ducked out at lunch to pay a bill, researched a purchase online, or called to make a doctor’s appointment from work. Unlike Google, where they want to keep people at work longer, we are at work longer and want to be doing what we need to do after work but don’t have time. For these two problems, a variation on the same solution exists.
Instead of viewing employees as having a value by the hour, I think businesses should view them as community members with a yearly cost that should balance their direct contribution to business income. For some employees, like receptionists, this is difficult to measure directly but it’s evident that it exists, since a business without a receptionist would have no clients. In those cases, you should measure the amount of their job they do correctly and assign it an arbitrary percentage of the income production. This tells you what the employee returns to the community that is the business.
If you view your employees as community members, it is no longer important to you to see them working every hour of the day. You hire them to get a job done, and you don’t care how long it takes, unless it’s obvious that more people are needed. You might even tolerate people going home early. One thing that you will tolerate in this new view is their use of business resources for personal use. They are members of your community, and in a community, everyone’s Job One is survival, but they recognize that without the community that’s not possible, so it’s a very close second.
With the business as community outlook, it becomes obvious what to do with consumer software. Embrace it. You can relax and stop ranting about people using Gmail, a giant security hole, or USB drives, or AIM. Plan these into your IT strategy because you are no longer responsible for dividing business needs from employee needs. You’re a community and the business-critical tasks you do are what determine your survival. Even indirect aid to those is important, so keeping employees happily having normal lives is important, which means allowing AIM and MSN on your network is important.
From this mindset, we can see a need for a new strategy and technologies in IT security. Instead of banning products, look at traffic. Who’s sending large files out, and can we determine they’re not MP3s? Is someone’s machine connecting to a lot of other machines briefly and then moving on? Traffic analysis, deep packet sniffing, and behavior profiling are the tools of this new environment. It is one based on community, so it accepts that a wider range of tools will be used, and then tries to limit their use to non-destructive means.
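As an added example (not from the article or any product it mentions), the two traffic questions above can be written as checks over per-connection flow records. The record layout, the internal address range and every threshold are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the internal address space
UPLOAD_LIMIT = 500 * 1024 * 1024      # assumption: bytes sent off-network per host per window
FANOUT_LIMIT = 20                     # assumption: distinct peers reached by brief flows
BRIEF_SECONDS = 2.0                   # assumption: what counts as a "brief" connection

def sample_flows():
    """Constructed records: (src, dst, dst_port, bytes_out, duration_s)."""
    flows = [
        ("10.0.0.5", "203.0.113.10", 443, 40_000, 12.0),              # ordinary browsing
        ("10.0.0.7", "198.51.100.20", 443, 700 * 1024 * 1024, 900.0),  # one large upload
    ]
    # One host touching 30 peers for a fraction of a second each.
    flows += [("10.0.0.9", f"10.0.1.{i}", 445, 200, 0.3) for i in range(1, 31)]
    return flows

def profile(flows):
    """Return sorted (host, reason, value) alerts for one observation window."""
    bytes_external = defaultdict(int)   # host -> bytes sent to non-internal peers
    brief_peers = defaultdict(set)      # host -> peers reached by brief flows
    for src, dst, _port, nbytes, duration in flows:
        if ip_address(src) not in INTERNAL:
            continue                    # only profile our own machines
        if ip_address(dst) not in INTERNAL:
            bytes_external[src] += nbytes
        if duration <= BRIEF_SECONDS:
            brief_peers[src].add(dst)
    alerts = []
    for host, total in bytes_external.items():
        if total > UPLOAD_LIMIT:        # "who's sending large files out"
            alerts.append((host, "large-outbound", total))
    for host, peers in brief_peers.items():
        if len(peers) > FANOUT_LIMIT:   # "connecting to a lot of machines briefly"
            alerts.append((host, "fan-out", len(peers)))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in profile(sample_flows()):
        print(alert)
```

Neither check inspects content, so telling a large MP3 transfer from a document dump still needs the deeper inspection the paragraph mentions.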
Over the past months, I have seen too many people worry themselves gray about hours accounting and IT security when their real problems are elsewhere. I can’t make people stop screwing off on the internet, and I definitely am not going to be able to intercept thumb drives and AIM. I can do something ultra-draconian like shutting down USB ports and heavily filtering traffic, but that will damage as many legitimate uses as illegitimate ones. Instead a change in strategy is called for.