The days of “NO!” are long gone… or they should be!


mind.

I am involved in a lot of meetings with executives and other IT professionals and before any actual productivity occurs, I have to spend time convincing everyone that the sky isn’t falling in on our information and information systems.  After everyone is settled and the meeting begins, the mere mention of BYOD, the cloud, shadow IT, or wireless brings about a very strong response of “oh, no, those technologies are extremely dangerous, they should never be implemented in this environment.”  What?  I can understand, somewhat, how a non-IT-savvy executive might say this, but from IT professionals, that should never happen.  New technologies and innovations should not be shunned or kept out of organizations that would most likely profit (or at least increase their profit) by implementing them.  Where is this coming from?

Let’s clear some things up.  First, the IT industry has spent the better part of the last 20 years promoting cybersecurity through scare tactics.  Media outlets thirst for a breach, any loss or even potential loss of information, and they splash it in the headlines.  Reporters try to make a name for themselves by finding a story and over-sensationalizing it.  Even though the mainstream IT industry has only been around for the better part of 20 years, there are still naysayers that want to tell us how bad it is.  Now, after so many people have become the victims of data loss and identity theft, we have reached a point that most people have at least some idea or are somewhat concerned about the security of their information.  However, these scare tactics also worked on our IT security folks and they pounded down the security Kool-Aid.  It still surprises me how many IT professionals say “no” to new technologies without the slightest hesitation.  How did this happen?  Well, if you cry wolf long enough…

One problem is that we no longer look at the benefits of emerging technologies.  We immediately jump to “it’s so dangerous.”  Well, I’m here to say STOP IT!  Stop freaking out your IT security folks.  It is probably making you LESS secure.  Let me give you an example: I recently walked into an environment where pen-testing was a no-no.  I understand that pen-testing is not always the best solution for every environment; however, this was not one of those situations.  Even though it was something the organization could have benefited from, you could not mention it without the security folks or management turning 18 different shades of green.  The result of the effort: no pen-testing allowed and … continued vulnerabilities and risks to information and information systems.

What about the ol’ “that’s how we’ve always done it here?”  Um… then change.  Nuff said!  Just because it has not been done a particular way before does not justify sticking with an insecure process.  We get a lot of this from the “old schoolers.”  So my statement to you “old schoolers:” get with the program or get replaced.  Your VCR has been blinking 12:00 since you bought it, but the rest of us have been using video-on-demand for a while now.  If you want to stay relevant, embrace what is happening today.  It is usually more effective, more efficient, cheaper, and easier.  Stop being so darn stubborn, mom!  (But seriously, mom, replace the VCR.  I love you).  Someone has to lead the way.  IT professionals have to push these innovations to continue our progression forward with as much force as (if not more than) the “old schoolers” are pushing back.  Someone has to do it, and there are many examples in the IT industry of those that have pushed and pushed innovation until “society” changed; Bill Gates, Steve Jobs, and the rest of their contemporaries come to mind.

Look, every new technology has issues we need to deal with, and I am with the “old schoolers” in the fact that we cannot just implement new technology without facing those issues, especially regarding security.  So face them.  Security is one of the major issues today.  We cannot hide our collective heads in the sand and hope the technology goes away.  The fact is more security equals less productivity, and vice versa.  We need to find a balance.  Yes, I do believe we still need to say “no” sometimes, but only after a detailed analysis has been undertaken.  Let us actually look at the security risks, especially in the analysis phase of the system development lifecycle (that is the subject of another paper), find the best controls, and embrace what is going to eventually come anyway.  Educated IT professionals can either be the ones finding the solutions to the problems or we can continue to perpetuate the problem.  BTW, isn’t security all about a risk-based approach?  So ask yourself: Does this new technology make the mission more effective, more efficient, less expensive, and can we implement it in a way that will not compromise the confidentiality, integrity, or availability of our information or information systems?  If so, then maybe you should consider the option of first looking at how the new technology can be implemented in a secure fashion while still accomplishing the goal of improving efficiency and/or lowering costs.  Trust me, it will keep you and your organization relevant and reflect forward thinking.

Don’t know how to say “yes?”  Well, tap into the great minds of others.  Google uses a wireless network so maybe your organization should google Google.  Or find some of the Ron Ross types of the world who are innovative and forward thinking.  A perfect example would be NIST’s SP800-160 (still in draft) on creating new trustworthy and resilient systems.

Oh, and btw… those “dangerous hackers”, well they ARE using new technologies and they know you aren’t.

mind. and $p!k3
