A month back I wrote about the dilemma of properly filling out the “Race” field of various forms, now that the concept of race has been scientifically laid to rest. Readers of this column suggested two useful alternatives: “Human” and “440 meter relay.”

As you might imagine, a column on race in IT provoked more commentary than just that. So:

  • No, I didn’t say hair, eye and skin color aren’t heritable. I said they don’t follow one another around in the population. Race is only meaningful if different heritable traits are linked.
  • Why did I except affirmative action from my overall position that race is irrelevant? That race is a demonstrably useless concept bears on how you hire and promote employees. Affirmative action — an attempt to provide remediation for institutionalized disadvantages, not to confer arbitrary, unfair advantage, by the way — is a matter of public policy. That puts it beyond the scope of this column. To clarify: In my role as InfoWorld columnist I’m neither endorsing nor rejecting affirmative action.
  • A few readers raised a fascinating point: While they work hard to avoid racial and ethnic bigotry, they feel quite comfortable with cultural bias. Me too. Some cultures I can’t coexist with at all. And even among the wide variety of cultures most of us find completely benign, different ones promote wildly different values. Ethnicities whose cultures extol academic achievement, hard work, and creative problem solving, for example, will almost always end up with more collective sustainable wealth than others that don’t, even in the complete absence of bigotry, making the public policy issues enormously complicated. The impact on how you hire and promote is, however, minimal: Except as adjusted by your employer’s affirmative action policy, base both decisions purely on merit.
  • At the staff level, IT is pretty diverse. IT management is less heterogeneous. Racism at work? Several readers of varying ethnicities suggested a more subtle mechanism. Executives and managers frequently have proteges — individuals they consider especially promising, and whose career paths they metaphorically pave.

    Being more comfortable with someone in my-group than someone in not-my-group isn’t racism. It’s human nature, and my-group isn’t something most people define consciously. So here’s my challenge: First, figure out if you have a protege — you might without even realizing it. If you do, ask yourself this perhaps uncomfortable question: Is he or she the most promising individual in your team, or merely the one you’re most comfortable with?

How much freedom are you willing to trade for security?

Carlton Vogt has been exploring this subject in his thought-provoking “Ethics Matters” columns, available on Infoworld.com. It’s a complex, difficult public policy issue, which means it’s better suited to happy hour than business hours.

During the work day, your worry is how much flexibility you’re willing to trade for IT security. The issues are similar. Unlike national security, though, IT security is a day-to-day worry for any CTO or CIO who deserves to hold onto a job.

Chad Dickerson appears to like the idea of outsourcing IT security. I sympathize, too: IT security is a difficult, highly technical, rapidly changing, irritating, expensive, and, worst of all, non-value-adding function. Most CTOs hate dealing with it almost as much as they hate the result of not dealing with it. And for smaller companies that lack enough mass to fund a full-time IT security position, outsourcing might be the only realistic option available.

Outsourcing IT security worries me, though. No, not because you can’t trust any outsiders with the keys to your kingdom: “Who watches the watchers” is just as big a problem with employees as with outsiders.

Here’s my concern: IT’s job is to make employees and business functions more effective. That means delivering as much functionality as possible. In terms of technology this means access to information and transactions from wherever employees happen to be working.

From a security perspective, the richer the functionality and the more broadly you make it accessible, the more security holes you open up. “Flexibility my eye,” I’d say if I were contractually accountable for your security. “I’m going to lock down everything that isn’t absolutely necessary to have open. Prove you need it or you can’t have it: That’s my motto!”

By staffing the security function internally you have at least a fighting chance of achieving a balance.

But IT security is still a difficult, highly technical, and rapidly changing field. It’s hard for an internal security staff to stay current, it’s easy to become spread too thin, and establishing necessary boundaries can be awkward when you’re a staff member.

So after you staff the function internally, make sure you schedule regular IT security audits with an outside specialist.

Flexibility is important, sure, but you still need someone to watch the watcher.