
The Clinton Email Kerfuffle & Shadow IT

For security pros the issue is not government transparency. It's the fact that users, regardless of seniority, will always pick convenience over security.

A Google News search for “Hillary Clinton email” returns more than 100 million articles in less than a minute about how the former Secretary of State used her personal email account while at the State Department. There is quite a bit of legitimate discussion about whether or not a government employee should do that. But for security pros, this is the wrong discussion because it misses the core point: convenience will always trump policy.

Hillary’s behavior -- like that of the rest of us -- is inevitable, and information security policy needs to change to respond effectively to it.

When it comes to security, most employees in organizations have the best intentions. But those intentions take a back seat when the technologies they use do not support getting the job done. Individuals will always prioritize user experience no matter how senior they are in an organization. This is the reality of human behavior. We should expect it instead of being surprised by it.

The true lesson of the Clinton email controversy is that effective IT and security policy needs to work hand in hand with, not in conflict with, an employee’s preferred user experience.

“I thought it would be easier to carry just one device for my work and for my personal emails instead of two,” Clinton said at a press conference last week.

This is the most public pronouncement we have seen of why the bring-your-own trend is so prevalent in business. Clinton wanted to use one email account (of her choice) on one device instead of two email accounts on two devices. The reality of the situation is that she didn’t have to make that tradeoff, because modern enterprise mobility management solutions would have allowed her to securely use both her personal and work email accounts on the same device. But my initial conclusion still holds: “easier” won and “difficult” lost.

Clinton’s assumptions are an accurate representation of every employee in every organization. In order to put together a sustainable IT program, enterprises must understand both the behaviors of the individual and the tools those individuals feel they need to do their jobs effectively. This starts with an analysis of the tasks employees are trying to complete, and what devices or apps they feel make them most productive and effective in completing them. It then becomes the job of IT to provide services that accomplish these goals. If IT can deliver compelling services with a great user experience, employees will not have to go and find their own in the so-called Shadow IT.

Clinton is a perfect example of this: an individual using the technology of her choice to do her work. Ironically, even today, IT could have easily met her needs but what was likely missing was an awareness that this is what users actually wanted.
