It doesn’t hurt so much anymore.
A couple of weeks ago I was forced to acknowledge that long before the idea was mentioned here in KJR, Gartner published a prediction that increasingly, end-users would own their own PCs.
Daniel Fleagle was kind enough to point me to an article by John Dvorak advocating knowledge-worker ownership of PCs that pre-dated the Gartner reference by more than three years (“Know-Nothing Knowledge Workers Must Go!” PC Magazine, 2/1/2002). It’s well worth the time you’ll need to read it (ManagementSpeak for “It agrees with all of my personal biases”).
More on the subject of PC policy — on whether and how far to open up employee PCs:
A cautionary tale: Last week I helped my father install some software. It might have been on the installation disk. It might have been lurking somewhere until the installation process opened a door for it. Whatever it was, his system became infested with the SmitFraud virus.
McAfee didn’t detect it, even with a full system scan. Neither did Spyware Doctor. A bit of research found a cure, and all is well but only because I happened to be visiting and recognized that the screen message “informing” us that the system was infected with Spyware — Click Here to solve the problem — was a Trojan horse, not a legitimate warning.
Does this negate everything I’ve been saying the last several weeks?
No. Dad and I have both used PCs since 1980. This is the first infection either of us have seen that wasn’t detected and prevented by standard anti-malware measures. Do the math — that’s one difficult-to-handle infection per 16,000 days of personal computing, more or less.
The nature of security: Here’s a reminder: The point of a company’s security policy is to establish the company’s desired balance between managing risk and doing business.
It isn’t to eliminate all risk. If it were, it’s easily achieved: Eliminate all technology more advanced than a 10-key calculator and a typewriter from all desktops, and go back to 3270 terminals for any computer use that absolutely can’t be avoided.
The nature of risk: IT security spends its time thinking about three risks — data loss, damage to systems, and fraud. These risks certainly matter.
They aren’t, however, the only risks companies have to deal with, or even the most important. Think about these much more serious risks to the enterprise: Employees who are complacent, or, worse, apathetic; employees who see no purpose in showing initiative; employees who feel distrusted by their managers and act accordingly; a general lack of innovative spirit; and the absence of a “culture of discipline” (to use Jim Collins’ term).
Data loss, damaged systems and fraud can lead to financial penalties. The other risks can turn a company from a vital force to a lifeless, staggering zombie.
Evidence it can work: Among the Comments posted in response to my Advice Line blog entry, “Getting to 21st century IT – User-owned PCs?” (3/4/2008) was one pointing out that open PCs are just a day in the life of university IT. Academics and students both install whatever they please, and central IT is expected to keep everything running.
More evidence it can work: Here’s a comment posted in response to another Advice Line entry, “More on whether or not to open up PCs,” (3/8/2008):
“My desktop team of 4 field technicians (they do double duty answering the helpdesk phones) support 900 users and 1300 devices at our headquarters building. We have no AD (still NT4!) and therefore no desktop lockdown policies. Everyone is a local admin on their own equipment. And you know what? We do just fine!”
The nature of employees: A lot of my correspondence on this subject has centered on what employees are like. Many of the correspondents who hate the idea of opening up PCs describe their fellow employees in terms otherwise reserved for pre-adolescent children — naive, foolish, ignorant, reckless and self-indulgent.
Those who advocate openness universally describe their co-workers as responsible adults focused on getting their work done.
One comment to those in the pre-adolescent camp: The same policies and procedures that led your employer to hire these untrustworthy souls were the ones that led to your own employment.
Benjamin Franklin advised that, “Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.”
In business terms, I’d translate that to, “Those who would give up employees who take responsibility and initiative in an attempt to achieve perfect safety deserve neither responsible employees nor safety.”