The relationship between the adoption of new technologies and productivity is not always clear. Add in the usual security requirements on top, and the balancing the three becomes a mysterious and dark art.
In the past, the relationship was much clearer. Bring in a machine that did the work of three men and the benefits could be easily calculated. If a group of Luddites targeted your productivity factory with the intent of trashing your machine, hire some large men, and your site was secure. Productivity remained the same, but profits dropped slightly because of the security cost.
Today, if we restrict the discussion to Information Technology, then we can remove quite a few of the HR issues and other imponderables from the equation. Internet Security and Online Security affect productivity but a wise and informed choice of new technologies can minimise the adverse effects.
The landscape of Internet Security and Online Security has changed greatly in the last few years. Publicly acknowledged IT security incidents have increased worries in executive management. At the same time they are reducing IT budgets, and asking Heads of IT to embrace the cloud and social media, in short to do much more with less.
This is a paradox. Employee productivity needs to increase, but malware attacks are moving from single threats, to multiple concurrent threats. It used to be viruses, now we have website hacking, DDoS, ransomware and data theft all happening at once. These threats need to be recognised, solutions identified, and incidents stopped when they occur.
To return to basics, what is the function of IT in relation to productivity? It is to provide the employee with the tools that enable them to carry out their job functions in as an effective, productive and efficient way as possible. Many IT specialists look upon IT as an end in itself, forgetting that to most employees, IT is just a tool to assist them to work better. Accountants don’t really care about the database the company accounting system uses, just that it will give them a trial balance when asked.
We provide mobile devices, laptops, smartphones and VoIP to allow them to work as flexibly as they wish, from wherever and whenever.
If it weren’t for the need for security, life would be much easier. The purpose of IT security, is again in basic terms, to protect company information. The protection covers accidental loss, malicious erasure, theft and sabotage, to name a few. This of necessity will conflict with the need to remove physical and logical barriers that prevent a mobile workforce being able to use data wherever and whenever.
Another fly in the ointment is compliance. In some environments, particularly financial services, there are legal obligations in terms of data security. Some jurisdictions have strict regulations about the handling of employee personal information.
We come back to the question of balance. What is the best compromise between enabling a truly mobile productive workforce, and ensuring the security of corporate data? Can new technology again help?
So how does the IT Head proceed with this high-wire balancing act?
One suggestion that is gaining some traction currently is to look at productivity and security in a holistic manner. The two need not always be in conflict. Rather than taking a case by case view of each, look at policies and procedures, measurement criteria, how productivity and security is measured and monitored and try to see where integrated solutions will provide improved productivity without compromising security.
Consider the CobIT model as a framework for the technology planning process. Critically review the current solutions in place. Quite often in a more mature business, they are a product of custom and habit, rather than an answer to current needs.
The business culture has an effect. If it is one of “Everything is allowed, except that which is explicitly prohibited”, perhaps it needs to change to “Everything is prohibited, except that which is explicitly allowed”. Or vice-versa. What is needed is a root-and-branch, back to the wood review of IT security in terms of what do you do, why do you do it and what you are not doing but should.
Bottom line, balancing productivity and security takes continual careful planning.
Three points to remember:
- Security is a process, not an event. As noted above, it needs continual review, reassessment and adjustment;
- Security is not a network add-on. It is an integral part of the landscape. It must be considered from the birth of a network, definition of the architecture, development of requirements and implementation.
- Security will cost money, both in capital outlay for equipment and software, and in recurrent costs for the staff to manage and maintain the security environment.
Balancing productivity and security can be done, but it needs continual focus. Get it right and all will be well. Get it wrong and you might never notice, but you will have trouble.