I’m calling bulls**t on IT security

For years people worried about technology taking over our lives. What they should have worried about was Information Technology (IT) departments. It’s time for someone to step up and call bulls**t, so I guess I’m volunteering.

“The only thing we have to fear is fear itself,” the famous line spoken by President Franklin Roosevelt, still resonates to this day. The meaning, however, has taken on a whole new scope for me and others frustrated by IT security experts who feed on fear and wield their tremendous power to eliminate productivity.

David Pogue from the New York Times recently wrote a great column about this subject. Pogue wrote:

I understand the IT person’s position: “I was hired to protect the network. If I fail, I lose my job. Convenience and productivity are really secondary.” Maybe companies need to hire a PT person as well (Productivity Technology), somebody who’s a counterweight to the IT person. Somebody whose job it is to argue: “Oh, come on. Is this really necessary?”

Finally – a voice of reason that is large enough and loud enough that someone might pay attention. You hear the stories every day of companies blocking access to social media and various websites because of “viruses, malware and hackers, oh my!” You hear about IT departments putting draconian measures into place simply to log on to a laptop computer  (or even a smartphone) because there’s the chance someone might steal it. If you’re involved in anything near the healthcare field, you get to deal with HIPAA — the federal government’s off-base and overzealous attempt to beat providers and insurance companies to a pulp if someone’s private health information is inadvertently released.

I’m not naive and I realize there are people in the world intent on wreaking havoc with computer viruses and who would like to access networked data for ill-gotten gain. But I have a colleague who has to change her computer password at work every 60 days and the new code cannot have any resemblance to the past 24 she used. Another colleague has to enter a password every time he wants to use his company-supplied smartphone. He must change the password every 60 days. If he types the code incorrectly five times, the phone self-destructs, immediately wiping out all content in its main memory and the installed memory card. And there are several people I know who cannot use the USB ports on their computers at work because they’ve been locked down.

It seems to me that the ones most successful at ill-gotten gains these days are the software companies peddling fear and their IT henchmen. Companies that produce and market blocking programs or security suites stand to gain millions of dollars if they can convince people the Internet is a dark and evil place from which companies need protection.

The Internet can be a scary place, but what’s scarier is how many businesses have given in to fear and are sacrificing employee productivity, convenience and morale by trying to stay safe from what is, for many, merely a perceived threat.

Photo courtesy of t3mujin’s Flickr photostream.)

12 comments on “I’m calling bulls**t on IT security

  1. Pingback: Tweets that mention I’m calling bulls**t on IT security « Here Comes Later -- Topsy.com

  2. This is one of the most important reasons it’s vital to get C-suite buy-in for social media initiatives. While IT staff certainly wield considerable power, that power is typically granted to them by the executives.

    At my last job, we had IT staff who blocked just about everything you can imagine. Our marketing, communications and PR departments came together and created valid arguments not just for allowing us to use social media for “official” company business, but also for allowing more liberal use of social media and the web for all employees. We presented our proposal to the CEO and he agreed.

    We then met with IT staff to discuss the shift, getting their buy-in. It really turned out to be a win-win.


    • I agree with you for the most part Ryan. The trouble is, the larger the organization, the less contact people who truly understand the power of social media have with the C-Suite, and yet IT seems to have a direct line upstairs. That makes it especially difficult to get your message delivered and get buy-in from executives before the IT henchmen have poisoned their minds.


  3. Spot on, Ari. In fact, availability is one of the long-forgotten legs of the security triad. If people can’t use the systems they need, what’s the point of security?

    The other thing that’s ridiculous about locking down the USB ports and blocking Gmail and so forth is that the systems are never the weak point in a security system. The users are! The users who will happily give away their 17-character password with capital letters, numbers, special characters, and secret codes that can only be entered by Croatian savants to anyone who calls and says they’re from the helpdesk.

    So, get a decent AV program and firewall system. That’ll protect you from the script kiddies and trojans. If you have a legitimate concern about corporate espionage, institute security awareness training for users, the principle of least access, and active monitoring of data activity. But don’t filter access to Google Documents. That’s just ridiculous.


    • Well said Will. One of the arguments I’ve made about HIPAA and other such “threats” is that you have to train the employees in a way that they will understand what they are doing and the consequences of it. There’s a story going around about a vice president at a hospital who refused to shut down the facility’s Facebook page after nurses violated someone’s privacy. He argued that you could violate HIPAA in an elevator and it wasn’t Facebook’s fault. Instead, he pushed for better employee training. Imagine how great it would be to work for an insightful boss like that!


  4. As of this morning, Ari, I would have agreed with you 100 percent, but then the calls and emails started coming: http://www.justnews.com/news/23667025/detail.html

    A hacker has the potential to cause significant public relations problems and have a much greater impact on productivity for a business than anyone realizes. Maybe the answer is a better working relations with our IT departments to find a better balance.


    • Colleen, this is unfortunate, but it shouldn’t change your willingness to agree with me! 🙂

      Seriously, this is an attempt by some lowlife hacker to draw attention to their work, and the media is only too happy to oblige. If the media wouldn’t hype these stories, it would have been nothing more than a sign seen by motorists who happen to drive past it while it was hacked. They would, I hope, realize it was a prank and not believe it was the transportation department’s actual message. This sign and this hacker — who should be severely and publicly punished if found — didn’t cause a drop in productivity today. What did was the hype that the media used to sell news stories.

      The worst part is, some blocking-software company is going to use even more hype around this incident as a way to scare additional executives into wasting millions of dollars on new and exciting ways to screw with their employees instead of investing in making their products better or their customer service departments more capable. Imagine how much R & D or customer service could be beefed up at companies if the IT Department wasn’t sucking the budget dry trying to prevent perceived security threats!


      • Ari,
        your frustation is not uncommon. However misguided. Do you think that TJMAXX would love an opportunity to go back in time and protect itself? Maybe the death penalty for the hackers would be a better deterrent? Can you explain how Facebook and other social media
        can increase productivity for the average office person? you sound a lot like the guy in Office Space (the movie). 15 minutes of work in an eight hour day. entitlement should be your mantra. good luck!!
        Ill go back to my computer in my basement with four hundred firewall rules and bad guy prevention. I sure dont want to let the hackers
        steal my identitity. I ager you will some day be recanting your bashing of IT and security.


        • JimBoB,

          Thanks for your comment, and if you’re in support of severe penalties for hackers, then we at least have one thing we can agree upon. It’s become too common for hackers to simply be shrugged off as a fact of life instead of as serious criminals that need to be dealt with appropriately.

          There are numerous ways for companies to improve their success because employees are given access to social media sites. Certainly there are cases where such access wouldn’t be appropriate, but blanket blocking is a mistake. As Shel Holtz, founder of StopBlocking.org, is fond of saying, I’m not an employee rights advocate, I’m an advocate for organizations to succeed. Shel has a good blog post that references this issue.

          If you think people who support open access to the Internet are really just trying to get out of working, you need to spend some time with us as we are taking care of business in the early morning hours and often late into the night when things need to get done and can get done because of things like social networking and cloud computing.

          And, for the record, I’m not bashing the people who work in IT — without them, many of the great features of technology we all use at work and home wouldn’t be possible. But I do believe there is an inordinate amount of power bestowed upon some IT departments and they have been granted that power because they are unnecessarily scaring management into believing they need it. Of course, having a nanny federal government, a sensationalistic news industry and software companies intent on making money don’t help, either.


  5. Great article highlighting the need for a balance between security and efficiency. If everyone had a much higher computer/data security awareness, perhaps the security pros could relax a bit. Check a (free) blog, “The Business-Technology Weave” (can Google to it) – it reflects what this article is saying. In other words, there are smart ways of doing and solving things (that is, while retaining ease-of-use systems, etc.) and there are dumb ways (such as crippling security measures and hoops). The blog is hosted at IT Knowledge Exchange – that site gets over a million hits a month for good reason – it has great Q&A forums for everything technical and otherwise – ALL FREE. The blog author also has a book we use at work, “I.T. WARS” (you can Google that too). It has a great Security chapter, and others that treat security. Highly recommended. Great stuff.


  6. While this article does manage to occupy space on your blog, this article appears to be suffering from an innate similarity to the brown stuff that is regularly deposited on local farmers fields when cows are present.

    You need to think of security as a form of insurance to protect your hard earned physical and intellectual property. Although we all feel that our house will never burn down and our car will not be stolen or be involved in an accident, we all invest in the best insurance we feel we can afford.

    Being in the communications field I would have though you would have been more aware that propagating an erroneous message is vastly more detrimental than having no message at all.

    Obviously you have not yet taken the time to read any security related research on the effects of security breaches and the monetary and legal consequences of failure to implement due diligence effectively.

    Please take time in the future to include enough backspaces in your articles as to delete them entirely before publishing so as to free up some valuable internet space for articles from someone who has a clue.



    • Thanks for the comment, although since you posted it anonymously without bothering to claim your thoughts, to the point of creating a temporary e-mail address to avoid any sort of responsibility for your thoughts, everything you have written here isn’t worth the electricity used to post it.

      I welcome comments of all sorts and people who are willing to have a discussion are always welcome to start one here. However, intelligent, vibrant and useful discussions always begin with telling people your name.

      Feel free to come back and share your insights and your opinion. Both are welcome here — but additional comments made with anonymity are not. Please see my comment policy; this is covered in the first bullet point.


What do you think? Please let everyone know!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s