As employees increasingly turn to outside-the-firewall mobile devices and free or low-cost Internet services like Dropbox, the risk of inadvertent data leaks skyrockets.
The appropriate response is not to lock down devices or users. Instead, you have to turn IT into an entrepreneurial group that understands what users need, and creates internal alternatives.
It all starts with classifying data, says Brandon Porco, chief technologist for defense contractor Northrop Grumman.
"We have policies. And as with any company, policies are only as good as you can enforce," says Porco, who is speaking at the CITE Conference next week. "We struggle with people using Dropbox -- you're not supposed to. People use Gmail. We have tools that monitor, especially for email, so we know if someone's doing something silly."
He continues, "But it has to be more than monitoring and policing. It has to be ingrained in the data itself. First you have to tag things. I can tag a document now, and there's DRM software for anything that leaves the corporate firewall. It forces the user to say, this is a 'not-for-public file,' so if they put in Dropbox that's fine, no one else can ever look at it."
Porco suggests that if employees are using an unapproved external tool, perhaps that's an indication that IT isn't doing its job well enough, and needs to come up with a usable but safe internal option.
"This is not 1970 or 1980 where you call IT, you should be able to go to an app store and get what you need. You have to pay for it. If it's of value to you, you have to pay for it, if not, you won't. IT is forced to compete in those areas like a commercial entity, and provide things that the customer wants to use -- if the customer wants to use Dropbox, stand up a Dropbox-like tool."
So how does an IT department keep abreast of ever-changing user needs? By thinking and acting more like a fast-moving startup.
"You need a framework you can follow. Google has it very well-patterned: Launch and iterate. I believe that we as IT are going to have to try some things rapidly," he says. "We're thinking about launching internal startups. OK, we're going to do a Northrop-Grumman Dropbox, and they're going to compete with our storage guys and act like their own company, like a startup. They'll be able to source, they'll have to maintain security. We'll lay out ground rules. But if we're forced to treat these things as products in a startup, it will create more affinity with business partners."
Porco stops short of suggesting that the IT department should be decentralized entirely, as CITE speaker Kevin Jones suggested may be appropriate in some cases. But he certainly agrees that some tech functions can be pushed out to business units.
"In a big company, you need a central function. Your ERPs are off the table. But how you get data in and out of it shouldn't be off the table."
He points to mobile app development as a good example. "There are a whole suite of tools that allow you to create mobile apps in minutes.... So everybody now can use a timesheet app on their iPhones. It goes hand in hand with mobilization. On the other side, central core apps, databases, those types of things, we'll not let you choose those. But how you get your reporting, access -- I think that's fair game."
Be sure to catch Porco at the CITE Conference in San Francisco on June 2 through 4. He'll talk about the impact of consumerization on corporate IT and will make four predictions that will have IT staffers talking all year long!