The Ottawa Citizen reported on May 11 (http://ottawacitizen.com/news/politics/political-staffers-compromising-security-in-ministerial-regional-offices-document) that staff in Federal regional minister’s offices were inappropriately installing wifi devices. This is presented as an “employees behaving badly” story. Their behaviour “nullifies the security measures in place” according to the Department of Public Works. If security is compromised, or there is a leak, it is Public Works who will take the blame, says security officer Daniel Desmarais.
Shadow IT (unauthorized self-help solutions) flourishes in environments where IT and IT security fail to enable the organizational need for timely access to information. The use of unauthorized removable storage, jail broken mobile devices, and a black market in local administrator passwords for desktops and laptops are all too often a symptom of staff looking for ways to do their jobs with inadequate tools. Victims of the clash between the increasing demands of the digital information tsunami and old school lock-down security, staff look for work-arounds in order to survive.
To be clear, one should not condone behaviour that compromises security. But by focusing on the symptoms, it is easy to overlook the cause. IT and IT Security, as part of an enterprise information governance plan, need to become the enablers, and work to ensure that the reasonable information needs of staff can be met. Otherwise this game of blame the victim will never end.