
What Employees Want vs. What IT Wants - The Venn Diagram that Doesn't Overlap

In 1880, John Venn, a logician and mathematician born in Hull, England, developed what is now known as the Venn diagram. His goal was to visually represent mathematical propositions using inclusive or exclusive circles. But of course, this eventually extended to represent any type of relationship, not just mathematical elements.

On August 4th 2014, for example, Google celebrated Venn’s 180th birthday with an animated Google Doodle. Users choose two circles and the doodle gives them an object that overlaps between the two circles; choose “mammals” and “has wings”, and you get a bat.

If we applied this to the cloud, would a proposition incorporating “what employees want” and “what IT wants” produce an actual output, or is it the Venn diagram that doesn’t overlap? (Bonus points for all the math nerds out there who deduce that if no intersection happens, it’s actually an Euler diagram.)

Cloud Venn Diagram

Striking A Balance

A large part of what employees want is the ability to do their jobs more efficiently. They want to be able to collaborate internally and externally, and share content. They want to use the devices they need to get their jobs done, and they want to work from Starbucks, from their kid’s soccer field practice and in a hotel room.

The cloud helps them achieve that. A business unit can sign up for a SaaS application and onboard employees immediately. Users don’t have to wait for the application to be deployed, nor worry about setup or maintenance. The SaaS application inherently enables collaboration and anywhere, any-device access.

IT, on the other hand, is responsible and accountable for the availability and security of the business, and the easiest way to do that is to limit the avenues of risk. But sometimes this backfires. Locking down corporate mobile devices encourages employees to use their own mobile devices in search of productivity. Forcing users to access cloud services through a VPN defeats the agility of these services by making them slow, and thus also encourages circumvention.

One thing is for sure: turning off the cloud is not an option. IT is a cost center; it cannot impact the productivity of any profit center. So, how do we get these two vastly different propositions to intersect, such that both IT and employees get what they want?

Is There A Solution?

First, IT needs to get out of the “jail warden” mentality and shift to a “crossing guard” mentality. Security, mobility and collaboration are not mutually exclusive. Instead of just being the department of “no”, IT must work with employees, in particular those within business units, to understand the reasoning behind why they are doing what they are doing.

For example, if users are now sending corporate data to their personal Dropbox or SugarSync accounts, then IT can sanction the use of Box to enable a common, corporate-approved content management system for collaboration. The transition will not occur overnight, but if the new, sanctioned application addresses employees’ needs, migration will eventually occur.

Sure, there will be laggards. But, going back to our “crossing guard” analogy, a crossing guard’s job is to ensure people know where the crosswalk is and to keep them safe when they use it to cross the street. However, a crossing guard must accept the fact that people will jaywalk, and that it’s not their job to stop them, but rather to encourage them to cross safely at the crosswalk.

Converging What Employees and IT Want

Beyond changing the IT mindset, IT should also:

Deploy identity and access management (IAM) solutions – These IAM services enable employees to access sanctioned cloud applications using their corporate credentials. They solve two of the biggest problems in cloud adoption: the plethora of user credentials, and the de-provisioning of access for terminated employees.

Categorize data in the cloud – Not all information is equal. It is important to categorize data in the cloud to know who the information can be shared with. The key is not to create so many categories that the scheme becomes overwhelming and impractical. One of the simplest ways, of course, is to ask whether the data can be defined as “toxic” (data that could be damaging to you if it leaves your control) or not. Intellectual property, personal healthcare information (PHI), personal credit card information and personally identifiable information (PII) all fall in this bucket.

In some cases, encryption may be required for the privacy of certain data; many service providers already offer end-to-end encryption. But understand that while encryption provides privacy of the data from the cloud providers, it is not a security solution.

Transform the IT skill set – As more and more businesses adopt SaaS applications, IT can now transform into an information economy. Instead of handling the day-to-day operations of deploying and managing applications, IT can oversee and ensure the viability of the cloud providers’ operations. To augment the cloud provider’s security, there is also a new category of products Gartner calls “Cloud Access Security Brokers” that focus on extending IT’s purview to enterprise data in the cloud. Cloud Access Security Brokers give you granular visibility and control over enterprise data in cloud applications from within the cloud rather than outside of it. IT should investigate whether a Cloud Access Security Broker is right for the organization instead of just relying on the security offered by the cloud provider.

In summary, cloud adoption should be a collaborative rather than prescriptive process between employees and IT. Ultimately, with the right mindset and strategy, what employees want and what IT wants can become a proper union in a Venn diagram.

Danelle is CMO at Blue Hexagon. She has more than 15 years of experience bringing new technologies to market. Prior to Blue Hexagon, Danelle was VP Marketing at SafeBreach where she built the marketing team and defined the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of an IP Communications Book and holds 2 U.S. Patents. You can follow her at @DanelleAu.