There are 2 sides to adopting mobility. First is desire for innovation, the opportunity to drive better business with new technologies and thus increase revenue. Second is the fear of changes, the threat of holes in new processes which could result in enormous losses. Today I’d like to talk about the balance between these two sides, the balance between usability and security.
(thoughts of a typical employee)
My day-to-day job requires lots of documents’ processing and working with my company’s internal tools. It also requires leaving to other offices, thus spending about 20% of my work time out of the office. I often save copies of documents on my laptop and mobile devices to be able to work with them on the move. It helps me doing my job faster. But recently all our department had to enroll for a program which forbids any storage of work documents. From now on I take pictures of most relevant documents. I realize that it’s a security threat, but I’d better get my job done than conform to overrated security policies.
(thoughts of security officer)
My company operates extremely sensitive data. Its exposure may result in my company’s bankruptcy. I control its storage by locating data centers in my own premises. I control its flaw by using secure mailing services from providers I can trust. Recently I got acknowledged that this data is under a great threat, because employees use tools to keep it on their mobile device. Fortunately I’ve overcome this challenge by introducing MDM solution into everyone’s device. I’ve protected the data from any other usages by strict policies, which all of the employees are obliged to follow.
We see a typical clash of interests. An employee just looks for the easiest way to get his job done. Security officer wants to make sure its done in a safe way. Both are right. So where is the solution?
Which one should change the attitude? A user, who has signed security policy and will respond for violating it, or security officer, who’s responsible for any data leakage?
I believe from this point I’m switching from objective to subjective thinking.
I’ll rephrase the last question. If data gets leaked, who will suffer more? The employee, who gets fired, pays fine and potentially goes to jail, or the Company, which will go through numerous courts and potentially cease to exist? Or put it other way – who’s more aware of this risk? Whose interest it is to protect the data? Who should adapt to the situation? You see where I’m driving at.
The irony is that regardless of how much we try, we can’t force to drop their habits, change their own ways of doing things and impose our rules. The best we can do, is encourage them to switch to a new way, which would conform them even better. And here’s why
The Good, The Bad and The Lazy
Back in 2007, Apple did a wonderful thing. They made it so simple to use a mobile phone, and so functional in a meantime! This have set a very high standards of expectations from users. As things got simpler got lazier. And now an app can’t be considered competitive unless UX is intuitive. If people need to make more than trivial efforts to get what they want from app they simply quit and use another one. That’s where we’ve brought ourselves, that’s what consumerization of IT is.
And now this big wave of consumerization is getting into the enterprise. The world where large systems with dozens of buttons on one screen and frankly complex UX has been a standard for years, gets hit by these small screens and highly trivial use cases. The employee and simplicity of his actions start to be the priority. Ignoring this priority means that employee will be much less productive, or worse – he’ll find another way to complete his action, bypassing all our validation and security rules
But using fancy apps is not the same as using enterprise software. Work is not always fun and simple. And that’s the part where users have to realize their responsibility as an employee. This is the difference between enterprise and consumer apps. Employees still have to use the app, even if they don’t like it.
Their productivity is another question though.
It’s not about who’s responsible for failure, it’s about avoiding it. It’s just that in this case, limitations are less effective than flexibility. It’s possible to achieve same security goals without losing much productivity.
I’d like to conclude with a real life example of what happens when employees are forced to the job they don’t want to. I witnessed it 2 weeks ago, after I started writing this article. It was the middle of Ukrainian revolution 2013, November 11th, Kiev. People were protesting for 3rd week, and one night government gave order to stop the protest by “cleaning” the protesters by force. But most of the policeman didn’t feel like fighting their co-citizens, who didn’t do nothing wrong. They still couldn’t refuse following their orders, otherwise they’d be arrested themselves. So what it ended up with was a very weak attack from police, with policeman uncertainly pushing the people. This resulted in strong victory by the protesters, who stood their ground and defended themselves, thus total failure of government’s plans