Most IT professionals understand the need to work late from time to time. Suggest it’s a normal part of the profession, though, and you’ll get an earful. If I were a cynical sort, I’d think many IT professionals just aren’t happy without something to complain about.

Several weeks ago, I listed IT being a ghost town at 5pm as one of seven warning signs of a complacent IT organization. Not, I hasten to add, a certain diagnostic — just a warning sign. Into the fray steps Steve Delahunty:

“I had a … boss who complained that people were complacent … The problem was that when he left he didn’t peek into every cubicle and office. The lack of people around the halls in his view meant there was nobody there late. But also, we now can all work as easily at home as from the office. Meaning that I would often get online at night and see so many of my staff on their instant messenger clients it was like we were almost fully staffed online at 9pm with many folks working on work projects.”

Which brings up two points. The first is to be careful how you interpret what you see … and don’t see. Just as a doctor, facing a patient with a high fever, has a lot more work to do before reaching a diagnosis, a manager facing empty cubicles needs to dig in a bit before reaching a diagnosis of complacency.

The second is the subject of this week’s missive (credit where it’s due: it’s a recommendation by my partner, Steve Nazian): If you haven’t developed an instant messaging strategy for your company — one that facilitates its use while building in secure design, not one that locks it down — you’re creating, not preventing, a security hole.

We have more than two decades of experience managing and mismanaging personal technologies. Personal computers, electronic mail, remote system access, contact management software, personal digital assistants, Blackberries … it’s always depressingly the same:

1. IT forbids their use.

2. They leak in through the windows and side doors anyway.

3. A few employees are disciplined for violating company policy.

4. A rational executive somewhere in the business raises a huge stink about IT preventing employees from doing their work.

5. The CIO, recognizing the political liability of trying to keep the tide from coming in any longer, develops a strategy for managing the new technology instead of banning it.

This time it’s instant messaging. If you try to prevent it, employees will figure out a way to use it anyway. And once again, because their use is illicit, the workarounds will almost certainly create security holes. It’s akin to the well-known consequence of requiring strong passwords and forcing frequent changes: Post-It notes containing the hard-to-remember passwords stuck to computer monitors throughout the company.

There are still, in this industry, those who think the goal of security is to create an environment in which intrusions are impossible. If you’re one of these people, I can help. It’s actually quite easy. You can achieve it with three simple steps:

First, disconnect your internal network from the Internet. Second, disconnect all personal computers from the internal network, remove all disk drives and USB ports, and make printers illegal. And third, ban laptop computers from the enterprise altogether.

Of course, you’ll prevent employees from performing any useful work, but that’s just the unfortunate and unavoidable side effect of making the enterprise secure. It’s the nature of the beast. Security creates friction in business processes. The more secure you are, the higher the cost and slower the pace of doing business.

The best IT professionals put into practice what IT executives advise the rest of the company: They use information technology to maximize their own effectiveness. The best employees elsewhere in the company do likewise. Isn’t that the whole point of information technology — to help individual employees, workgroups, departments, divisions, and the enterprise as a whole work more effectively?

Instant messaging is simply the latest of the many tools available for enhancing personal effectiveness. In dealing with it, you have two choices.

You can either embrace it, and in doing so promote the very healthy attitude it represents. Or you can try to prevent it. Which is to say: You can either encourage a good attitude and improved security, or a bad attitude coupled with security holes.

Sad to say, far too many IT executives, faced with these alternatives, will instinctively choose the latter.

Everyone knows most Americans have five pounds of undigested beef in their intestines. They know it because a character in Beverly Hills Cop said so. From there it became accepted truth, just because everyone knows it.

Just because everyone knows something doesn’t make it right.

Let’s start 2005 the right way … by ridiculing other people, ideas, and events, and in particular, what everyone knows.

For example, last year most Americans were thrilled when Burt Rutan’s privately funded SpaceShipOne reached outer space. Me too.

Everyone knows the flight demonstrated the power of private enterprise. It’s the BIG/GAS (Business Is Great/Government and Academics are Stupid) theory in full flower: The flight just barely exceeded what the government-funded X-15 achieved in the 1960s. Somehow, achieving parity four decades later doesn’t strike me as a demonstration of the free market’s superiority, no matter how exciting the accomplishment.

My apologies for the tedious nitpicking.

Everyone also knows that:

  • The U.S. economy is roaring back. The state of the economy has a lot to do with what you as an IT leader will have to contend with this year, so a prediction at the year’s start doesn’t seem inappropriate.

    Despite what everyone knows, the economy is dreadfully fragile. I’ll spare you the detailed economic analysis and jump to the clincher: Every administration in history, Democratic as well as Republican, has done everything possible to inflate the economy prior to a presidential election. If what we saw in the fourth quarter of 2004 was the best the incumbent could manage, imagine how bad it’s going to be now that the election is over. Plan accordingly. At worst you’ll be pleasantly surprised.
  • You should move to a Service-Oriented Architecture (SOA). And I agree, SOAs are a superior way to organize, build, and integrate applications, although the methodologies for deciding how to decompose your business into services are less mature than those used to design object hierarchies.

    What everyone doesn’t know is how to move to an SOA when you have only limited influence over the architecture of vendor-supplied applications. Agreeing that SOAs are the future is easier than figuring out how to make them the present.
  • Storage management is a big honking expense for IT. Except that storage now costs, in round numbers, nothing. It’s less than a dollar per gigabyte on a PC. You can add a terabyte or so of network attached storage (NAS) for chump change. But lots of smart people say, over and over again, that storage management is eating CIOs alive.

    If storage costs next to nothing, and storage management is such a huge expense, spend your money on storage, not on storage management. Yes, I know it can’t be that simple. I just don’t know what I’m missing. Help me out.
  • Spyware is the next big security threat. Everyone knows this. And this time, everyone is right. Spyware is a mess. It’s far worse than spam because legitimate businesses use it every day, assuming, of course, that you consider Doubleclick’s clients legitimate businesses.

    This is a repetitively self-inflicted wound, too. For decades, American business has mounted a huge BIG/GAS lobby to de-legitimize any and all governmental regulation. For years, American businesses have craved as much information about their customers’ habits as they can get. And for years, American software companies have lobbied and litigated to make sure their software licenses give buyers as few of the traditional rights of ownership as possible.

    We’ve reached the point where a PC’s putative owner has little more right to control its use and contents than the providers of the software that runs on it and the owners of the websites it visits.

    So when Doubleclick pioneered the technique of surreptitiously installing code on PCs to track users’ browsing habits, who would complain? Too many corporate victims are also perpetrators, using Doubleclick or similar services for marketing purposes. As for consumers, who, other than Ralph Nader, cares about them?

    In the up-is-down world of computer software, the pattern has been set, and it doesn’t support the right of the PC owner or user. The result: American businesses are simultaneously on the receiving end of a world of customer information and of IT aggravation.

    If you haven’t already, have your security team select a high-quality, enterprise-class spyware detection system in 2005. Purveyors of spyware might have a legal right to install it, but you have an equally legal right to uninstall it. Let’s hope it stays that way.

* * *

I suppose I should end on an optimistic note. This is, after all, the start of a new year, and the notions of clean starts and limitless possibilities are traditional.

As they should be. 2005 will bring its share of challenges. So has every other year. That’s the problem with not living in utopia. But that’s okay.

Utopia would, after all, be an incredibly boring place to live.