IT’s security blanket hampers response to digital disruption
Remember fear and trembling in the face of open source software (OSS)? Circa, say, 2006 — as the OSS vendor space was exploding and early adopters were revealing measurable benefits and impacts — the prevailing attitude among enterprise IT departments was still . . . resistance.
A familiar flock of anxieties about OSS solutions were redeployed with slight variation in order to justify fearing to tread where only a fool, evidently, had rushed in.
- The companies and communities are too new.
- They don’t have real enterprise experience or commitment.
- Who’s responsible if something goes wrong?
All of these rolled up into the ultimate IT trump card: It’s not secure enough for us. It’s hard to take the other side in that internal argument, since, regardless of the validity of your technical proofs, the perception is you’re arguing for insecurity.
Fast forward a few years, and two remarkable things have occurred.
Pack up all my cares and woes . . .
First, the flock of objections has migrated . . . to the cloud. As I noted in the course of this SearchCM podcast, virtually the identical set of anxieties and perceived dangers formerly attached to OSS is now expressed about cloud computing services. With one exception. Whereas OSS companies were said to be run by hippies (Nordic hippies!) in ponytails and t-shirts, cloud companies are infamously run by kids. (Insert your favorite average-age-of-Box-employees joke here.)
Box’s announcement this week of security, user management, and business intelligence upgrades is, in the first instance, about impressive new technical and user experience features. But, like Huddle’s January press release about further wins in the hyper-timid government sector, and Dropbox’s recent play for enterprise credentials with admin upgrades, the announcement is also part of the dance that is forced upon vendors and other proponents of innovative technologies and services by the Linus Van Pelts on the buy side.
Cloud vendors have to constantly talk about improved security because it’s the only way they can keep the door cracked open at enterprises that are eager to reject them. Product teams and marketing at these vendors should work in parallel (if they aren’t already) to ensure a steady flow of security “improvements” and “enterprise-ready features.” Even if it were possible, solving the problem definitively all at once would be a mistake, since it would ignore IT’s need for a slow talking cure.
No one here can love or understand me
Oh what hard luck stories they all hand me . . .
Meanwhile, the second remarkable thing that has happened is that . . . many organizations still resist open source. As Alex Williams reported on TechCrunch, “open source fear mongering is still a reality.” Some of the lingering resistance is due to genuine confusion about the impact of even newer innovations such as RESTful APIs. (A similar confusion around virtualization is afflicting cloud computing discussions.) Some of it is due to vendor maneuvering, as companies threatened by open source dispute the benefits. (See Williams’ account of a discussion with TIBCO CEO Vivek Ranadive.)
But mostly it’s due to good old fashioned resistance to change. As the lead architect at the UK’s Home Office has noted, the top 10 reasons why the UK government IT is afraid of open source include “lethargy and ‘died in the wool’ attitudes,” “red tape,” and “cultural issues as a whole.” In other words, even after (most of) the fear is alleviated, organizations find it difficult to make the transition. (For more on resistance and helping others overcome it, see my colleague Kyle Dover’s latest post.)
What does it all mean? First, make no mistake: CIOs and IT teams have the highest possible responsibility to look after the security and sustainability of the IT systems. What often passes as “fear about security-fitness” can encompasses multiple specific and highly critical concerns about data encryption, fragmentation, user authorization, backups, wipes from retired servers, reporting, and much else — as well as “non-technical” questions about regulatory compliance with data storage requirements.
But even in this rich sense, security concerns shouldn’t be treated simply as a roadblock. CIOs are not building inspectors, who investigate and then put up a sign saying “Not fit for habitation.” CIOs and IT teams are engineers, and they ought to be allowed (and encouraged) to find clever and elegant solutions to the perceived problems. The security trump card should be played only when no such solution is available at an acceptable cost/benefits ratio.
Second, and more importantly: It could be argued that I’ve only exposed a familiar pattern. Early adopter organizations adopt early, because, for various reasons, they are willing to take the risk. Mainstream organizations don’t, because they (wisely) await assured conditions (security and otherwise), proven benefits, and established best practices.
All true . . . except that the world has fundamentally changed in the last six years. (Hint: Six years ago there were no touch screen smart phones, no tablets, effectively no mobile web, and Facebook was virtually unknown.)
According to the established saying, “Culture eats strategy for breakfast.” The problem, however, is that the ever-accelerating pace of change leaves less and less time for a wait-and-see attitude. In the era of digital disruption, you have only two choices — be a (self) disruptor or suffer disruption — and self-disruption has to move (at least) as fast as the disruptive technologies and innovations themselves. Those who hesitate due to a “conservative corporate culture” will find that the strategies they resist will eat their culture for lunch.