Ask a CTO is an irregular column where I answer anonymous questions from a technical leadership perspective. You can ask questions using this form.
I have two answers to two questions this time around:
Security vs. productivity
Where do you draw the line between security and productivity? What are the drawbacks of totally locking down user workstations and onerous password, 2FA, convoluted permissions and never-ending zero trust implementations?
Security and productivity don’t have to be at odds: they should reinforce each other. They’re not at different ends of a continuum.
The purpose of IT is to support everyone’s work by empowering them to use technology efficiently and safely. Therefore, any good IT strategy is rooted in service design.
Anyone who builds a product needs to consider the user journey of the person they want to use it: their individual steps from discovering the product through to becoming a dedicated user. IT service delivery is a product, too, and the people who provide it need to consider the work journey of its recipients just as carefully. Consider their jobs to be done: the stuff they need to do, the workarounds they’ve created for themselves, the things they’re studiously avoiding doing. And understand that everyone’s role has different requirements: only a few people need access to payroll, for example, and engineers really need access to install their own libraries and developer tools.
There’s also got to be a “why” for everything that’s implemented: the worst IT policies are created by people who do something because they think they should, perhaps because they perceive that other people are doing them. Do you really need to rotate your passwords every 90 days? (I’ll spare you a search: the answer is no.)
And you need to be open to the idea that you’ve got it wrong. Nobody knows their work better than the people who are doing it. Security policies exist for a reason: unchecked software installs or poor password practices can put the whole organization at risk. But the way those policies are designed and enforced makes all the difference. IT departments lock down workstations in part so that people don’t install random software that might turn out to be harmful; they’d better also have a friendly process for helping people to install software that isn’t part of their core supported offerings but turns out to be needed for someone to do their job.
All these elements need to be in place: well-considered user journeys for every role, a considered reason for everything you’ve implemented, great training and bedside manner, and an openness to change, in partnership with a strong understanding of the risks and the products and approaches that might address them. Once these things are there, a good IT strategy should actually improve productivity rather than get in its way, even as it implements security procedures like managed devices, MFA, least privilege security, zero trust, SSO, and so on.
A good password manager makes passwords and MFA easier than manually typing credentials. Good SSO just requires a touch to seamlessly log in. Good IT support is a ubiquitous, friendly presence with good bedside manner. Good device management means that you don’t have to worry about keeping your machine up to date. Those things are all necessary for good security, but they also remove steps from common workflows and, once they become a habit, are easier for most users than life without them.
Conversely, if you don’t implement these things from a human-centered perspective, people are going to resent the changes, and you run the risk of getting in the way of people’s work. When that happens, they’ll try to work around you, and your entire organization is less secure. Security really depends on everyone being aligned, which in turn depends on an IT department being laser-focused on being of service.
Keeping up with the Joneses
How do you decide which trends are worth adopting?
There are three things you need to know, in order of importance:
- What is your organization’s mission, vision, and strategy? In other words, what are your goals? What are your problems to solve?
- What are the jobs to be done of the individual people in your organization? Where are the points of friction in their workdays?
- What are the emerging trends? What are the pros, cons, ethical considerations, and potential risks of a new technology or approach?
I’ll start with the last first. It’s good to be informed, but that means cutting through marketing and sales excitement to understand the underlying nuances. Many new technologies — and certainly the ones high-profile enough to become “trends” — have an attendant hype cycle. The first step to parsing coverage is understanding that the hype cycle exists; the second is to find voices you trust and listen to their commentary.
My feed reader is loaded with thousands of subscriptions not just because I like blogging and RSS (although I do!), but because these voices keep me informed. Many of them will disagree with each other, and some of them come from perspectives that are very different from my own; these different angles allow me to construct my own informed opinion. I don’t rely on TechCrunch or similar sites for trend analysis because they tend to amplify hype rather than provide nuanced perspectives. Instead, I filter through relevant connections whose opinions I trust.
But it all comes down to those organizational goals and the problems you need to solve. Implementing any technology for technology’s sake is a fool’s game: it all has to be in service of your organizational strategy or improving the working lives of the people who implement it. Does it address your strategic problems? Does it reduce friction for your colleagues? How?
That can be more complex than it sounds. For example, if your goals include hiring top-tier engineers, that isn’t just about salary: it’s also about the tools and environment you provide. A company that invests in high-end hardware, flexible work policies, or a strong internal developer experience may attract better talent than one that skimps on these details. A company that has an open mind about AI may be more attractive to investors than one that takes a more dogmatic approach. And so on.
Finally, ethical risk is organizational risk. It’s important to understand the ethical considerations and impacts of a new technology as a core part of its pros and cons. Overlooking the dubious ethics of a team or a technology’s environmental footprint is likely to lead to problems down the road, even if the technology seems super-popular today. These things have a tendency to manifest as real speed bumps later on.
Stay focused on your goals, cut through the hype by listening to diverse experts, understand the risks, stay human-centered, and always think for yourself.
Ask a CTO
Do you have questions that you’d like a technical leader to answer? You can ask questions using this form. I’ll try to answer in a future post.