The battlefield of protecting corporate data has been shifting towards employees’ consumer devices and services that are only partially, if at all, controlled by the employer’s IT security staff. Bruce Schneier highlights this trend as a counter-point in the article “Should enterprises give in to IT consumerization at the expense of security?” As Bruce points out,
“The meta-trend here is consumerization: cool technologies show up for the consumer market before they’re available to the business market. Every corporation is under pressure from its employees to allow them to use these new technologies at work, and that pressure is only getting stronger. Younger employees simply aren’t going to stand for using last year’s stuff, and they’re not going to carry around a second laptop. They’re either going to figure out ways around the corporate security rules, or they’re going to take another job with a more trendy company. Either way, senior management is going to tell security to get out of the way. […] Either way, it’s going to be harder and harder to say no.”
This is another reminder that corporate IT security teams are but one component of the complex ecosystem that makes companies function.
Always saying “no” has already given many security professionals a bad name. The challenge, of course, is to figure out how to say “yes” while working within the context of the organization’s overall risk management framework… if such a framework exists at all.