This article was linked to by some of the usual EMC suspects; a fluff and puff piece about Private Cloud with the normal warnings about security in the Public Cloud. It is this section of the article which I find especially disturbing both in tone and message…
I’ll leave you with what has become my favorite story and it was told at CIO 100: Apparently, two engineers at a pharmaceutical company had to complete a critical project quickly and bid it out to IT. IT came back with a massive cost and a timeline in months. The engineers instead used their credit cards to use cloud services and completed the project in a few weeks and won an award for cost savings. The day after winning the award, both were terminated for violating the firm’s security policy as the project, which was ultra-secret, hadn’t been adequately secured.
I can almost imagine the gleeful smile of the teller of the tale, perhaps the CIO involved, as he recounted that story. Now, I think there should have been several different actions, none of which would have led to the dismissal of two obviously talented and thoughtful engineers.
1) The CIO should have been hauled up and made to explain why his team could not provide the services that the engineers needed in a cost-effective and timely manner. He put them in a position where, to do their job properly, they had to bend the rules. In fact, he should be the person losing his job: as a result of his inability to provide service, the company had to terminate two valuable employees.
2) The team which looks after security should have been asked to look at the project and what the engineers had done, make a proper security assessment, and work with them to ensure that such projects could be delivered in the Public Cloud in a secure manner. Proper procedures and guidelines should have been put in place to support innovation.
But instead, a vengeful IT department decided that the best thing to do was to shut down anyone innovating in their space.
And if anyone thinks that the large pharmaceuticals are not using public cloud, you should probably think again. They are, regularly, and I suspect securely; or perhaps it is not 100% secure, but the opportunity for quicker delivery is worth the risk.
Security is an issue, but don’t let vendors and IT departments use it to block innovation and keep their castle intact. Security needs to move on from ‘No!’ to ‘How can we help you achieve your goals?’; a bit like IT departments in general.
I agree with most of your thoughts — the key point in my mind is that one can certainly innovate without being irresponsible. As employees of the company, they were entrusted in certain regards, and — if one is to take the story at face value — that trust was broken.
Yes, the CIO should have been able to provide the requested services, using either internal or external sources. And, yes, the security team should have given things a look-see.
But neither are an excuse for the outcome, are they?
— Chuck
“Apparently, two engineers at a pharmaceutical company had to complete a critical project quickly and bid it out to IT. IT came back with a massive cost and a timeline in months.”
It may well have been that the two engineers were put in an impossible position… they either broke the rules to deliver this critical project or they failed to deliver. I wonder which the shareholders and the board really would prefer? From the little we know about this story, if they were guilty of anything, they were guilty of making decisions above their pay grade. They probably ought to have gone to their boss and said, ‘Look, if we work with the internal IT guys, we aren’t going to deliver… but there is another way….’
Great write-up, I hope unfair dismissal laws are strong in their location.
If all “guilty” corporate IT professionals were sacked for letting corporate data leak into Dropbox, Carbonite, Google Docs, etc., there would be mass sackings across the planet. It’s a tidal wave; the question is not how to stop it, but how to work with it.
I beg to differ.
We don’t know what the classification was of the data which they placed with this cloud provider. We don’t know how the organisation classified the cloud provider when used in this manner. Data governance is a serious subject, and in an organisation like theirs, they may well have knowingly perpetrated a dismissal offence.
If this were a mild breach, then some sort of internal discipline would be appropriate. But the term “ultra-secret” suggests that the data which they put outside corporate governance was of a high level of classification.
I agree with Dunstan.
Most decent-sized companies have standards and compliance they must adhere to at a minimum, and more often now a legal obligation to protect their data. If these same kinds of actions were what led Sony to have a number of security issues, I doubt we would be having this conversation.
Put another way, the reason why organizations become silo-ed is to ensure the proper skill set is applied to an area. It is no more appropriate for these researchers to take these matters into their own hands than it is for me (an IT guy) to review our corporate balance sheet and make what I think are helpful corrections. Both expose our employers significantly, and the tasks we take upon ourselves are not part of our roles and responsibilities. Bluntly, none of our business.
Agreed, though, that it would be fair to question IT on delivery cost and timelines, and why these guys got an award to begin with. I definitely understand the inspiration for the post.