by Josh Bernoff and Ted Schadler, Forrester

Keeping HEROs safe

Dec 01, 2010
Data and Information Security

It's critical to empower employees. But here are four situations where you probably still have to say "no". Excerpt from Empowered: Unleash Your Employees, Energize Your Customers, Transform Your Business

It’s time to face the risks that lurk in the HERO-powered business.

Because employees, armed with the technologies of the groundswell, are not just powerful, they’re dangerous. Like all powerful tools, these technologies carry risks.

What could go wrong?

For one thing, as Domino’s Pizza found out in April of 2009, employees can upload videos to YouTube. In this case, it was two pizza makers stuffing cheese up their noses and performing other unspeakable acts on food that appeared destined for delivery to customers. No matter that the perpetrators eventually denied ever delivering unsanitary food, Domino’s still suffered brand damage.

Your employees don’t do that? What about the Sprint employee who posted details about the Palm Pre phone on a blog, violating a nondisclosure agreement?

And it’s not just malicious employees. At Cisco, an employee posted a job opening, inadvertently revealing a change in strategic direction. At Microsoft, a product manager announced he was changing jobs, revealing the unannounced news that a product was being discontinued. And we haven’t even gotten to security breaches. An employee at a global bank just told us that, unable to remember the passwords to the twelve corporate systems he used, he wrote them all down on a piece of paper taped to his laptop.

Employees are a danger to themselves and their companies because they use whatever technology they can get their hands on. This technology has potential risks. So how can you lock down technology to keep them from doing any of these things?

You can’t.

There was a time years ago when IT security meant locking down your network and corporate databases, putting everything behind the drawbridge and moat that protect the corporate castle, and giving only authorized people the password. Secrets were safe. Well, mostly safe.

But now the communication tools are wherever your employees are. Responding to customers at the speed of the groundswell, HEROes in your company use email, instant messages, blogs, blog comments, Facebook, LinkedIn, Twitter, YouTube, Flickr, Skype, WebEx, Google Docs, YouSendIt, and hundreds of other sites and tools, more every day. They work not just on corporate PCs, but on their own computers, iPhones, BlackBerry phones, and tablet PCs. As we saw in chapter 7, over 40 percent of information workers are provisioning their own technology. How are you supposed to lock all this down? One IT security professional described his job to us as “a world gone mad.”

You can’t protect things any more by locking down the network and password-protecting the databases. While IT was busy securing the network perimeter to keep secrets inside and intruders outside, the perimeter moved. It moved to wherever an employee is trying to work. It’s as if you had built a giant fortress to protect your village from marauders only to wake up one morning and find that the villagers had moved all their houses into the fields beyond the safety of the fortress. They won’t come back in where it’s safe. It doesn’t suit their needs. It makes getting things done too slow and it prevents them from working in the ways they need. They like it out in the fields.

Malcolm Harkins has a great way to describe this. As Intel’s chief information security officer, he’s responsible for keeping the company’s secrets and people safe. At his first security team meeting in 2005, his team was complaining that the security perimeter had vanished. Securing the corporate network was no longer enough to protect the company.

But Malcolm saw it differently. He saw that the perimeter hadn’t vanished, “it had moved and we just missed it.”

You can’t lock all this stuff down. The more you try, the more you slow down and trip up the HEROes. You need a new IT security strategy. And just like your customer strategy, you’re going to have to depend on the one thing you have going for you—the intelligence of your workforce. Or as Malcolm Harkins says, “Make people the new perimeter.”

When To Say No To A HERO

We’re not naive. There are still times when you and your IT security team and legal staff must say no to an employee HERO, when her actions are just too dangerous to continue. But the goal should always be to analyze the real risks so that eventually you can say yes.

For example, the rules around customer communications in the U.S. financial industry now require firms to archive and retain sales employees’ tweets and Facebook updates. So, until IT can find and implement a solution that intercepts and archives those messages, banks are right to ban sales and service people from using these channels to communicate with customers.

Here are four situations where you should probably just say no:

When your regulator has created new laws that you can’t yet comply with. This applies to many banking, brokerage, and insurance applications, as well as applications in some life sciences companies. It doesn’t mean shutting down internal deployments of social technology or cloud computing, but it does make external applications more complex.

When your customer contracts prevent you from sharing anything about the contract. This applies to external communications for the defense industry. Building a secure collaboration platform for you and your customer to use is okay, and may even be required. Internal social applications are fine. But employees must be highly aware of laws banning the export of intellectual property and sharing customer secrets.

When your legal team has issued an opinion that prevents it. This often happens when the legal team hasn’t yet figured out the legal risks. For example, are video conferences “electronic communications” like emails that have to be archived? Or are they “voice communications” like phone calls that don’t? The U.S. law hasn’t decided, but you must. Your legal team is responsible for keeping the company—and you—out of court. Listen to them, but also make them part of your policy team.

When your HERO could be compromising customer or employee data. Privacy laws in the United States and especially in Europe and some Asian countries make it clear when any information about an employee or consumer must be protected. Here, you can get to yes, but it’s even more important to set up and train people on the principles.

Reprinted by permission of Harvard Business Review Press. Excerpted from Empowered: Unleash Your Employees, Energize Your Customers, and Transform Your Business by Josh Bernoff and Ted Schadler. Copyright 2010 Forrester Research, Inc.