According to many readers, not only is the pen mightier than the sword, but the electronic spreadsheet has more edges and power than either of them.
Dozens of you sent me versions of the “renegade spreadsheet” story in response to my April 29th column on the mainframe mentality. The renegade spreadsheet is an unaudited spreadsheet created by a careless end-user that leads to disaster because (a) a customer saw it and took its business elsewhere; (b) the president made a critical decision based on it and ruined the company; or (c) the information in the spreadsheet was uploaded back into the enterprise database, corrupting the data in a way that forever changed the course of history.
While I’m sure renegade spreadsheets (and other end-user-generated disasters) have considerably more substance than urban legends of huge crocodiles in the New York sewers, I’m confident we can come up with better solutions than the preventive steps many IS directors seem to be leaning toward these days.
Here’s the core issue: most of us understand how the notion of management has transformed when it comes to manager/employee relationships: making decisions and directing processes has given way to leading by example, setting goals, coaching on how to be more effective, and attending to team dynamics.
IS manages our organizations’ technology. We need to make the same conceptual shift from control to empowerment here. In a previous column I pointed out the difference between preventing failure and encouraging success. Apply the same philosophy to managing the technology you provide to your end-users.
Here’s a starting point for what we might call an “End-User Computing Manifesto”:
- Where IS has established a standard, end-users must adhere to that standard. If you’ve settled on OS/2, for example, nobody has the right to be a prima donna and insist on Windows/95 instead, any more than they can insist on using a different voice mail system from the rest of the company.
- Where IS has established no standard, end-users have the right to purchase and install whatever software they choose to help them be more effective. IS promises no support for this software, but may choose to help out as time and staff are available. IS will never say, “We don’t provide this kind of tool and we won’t let you buy it either.”
- In case of disaster, IS will restore any system to a standard default configuration
- End-users will never be given administrative access to any shared resource.
- IS will never prevent end-users from developing their own applications.
- Responsibility for the accuracy and integrity of applications developed (or purchased) without the involvement of IS is the responsibility of the department manager.
- IS will provide training for department managers on how to manage small-scale application development and maintenance.
- Either IS or internal audit (or both) will provide consulting and review services for end-user-developed applications as requested.
- End-users may never, ever, assign themselves an IP address, as this may kill the whole network. IS, in turn, will manage networks so end-users never experience the temptation, either by using DHCP (or something similar) or by using a self-administering protocol like Novell’s IPX.
- End-users may only upload information into production databases through audited validation programs provided for that purpose.
- IS will provide convenient facilities for remote network access. End-users may never, under any circumstances, install and use a remote-access software package on their desktop system, as this will provide an unsecured, easily hacked entry point to the network.
In my experience, policies like these, clearly communicated and consistently enforced, protect corporate resources without stifling end-user creativity. If any of you have additions to this list, send them in and I’ll include them (or at least the ones I like!) in a future column.