In order to ensure the security of IT devices while also reducing the proliferation of “shadow IT” in the government, agencies must work to create “win-win” compromises with device users, according to panelists at Dell EMC World.
“There has to be a way that IT, without having to completely rip and replace and do a massive pivot, can meet the needs of the users and also protect the inside and the infrastructure,” said Mike Wilkerson, senior director of Federal end user computing and mobility at VMware.
One concern with increasing security measures in government devices is that it causes users to implement “shadow IT,” which enables employees to more efficiently get their job done but is not authorized by the agency.
“If an end user isn’t going to accept it, they’re going to find a way to get around you every single time,” said Jeff Marshall, vice president of product engineering at FedData. “If they want to use it and they feel productive and they can collaborate and get their work done, they’re not going to try to get around you.”
Retired Lt. Gen. Ronnie Hawkins Jr., former director of the Defense Information Systems Agency, advocated for accountability on the part of both the users and the IT officials providing services and applications.
“I think you need to hold people accountable that are not using the IT that is available to them in the right means. And then you need to hold the IT provider, wherever that might be, also accountable for not meeting the needs,” said Hawkins.
According Frank Konieczny, CTO of the U.S. Air Force, his department uses a waiver process that allows people to use an unapproved application if it involves an immediate need to a critical mission.
“It’s not black and white,” Konieczny said. “If it was black and white the security guys would say you can’t touch anything, you can’t connect anything.”
According to Marshall, finding this balance between usability and security is critical for the government’s ability to recruit new IT talent.
“Now we have this new generation that has to be connected constantly,” Marshall said, adding that younger professionals don’t generally like working in an environment in which they’re required to give up all of their connectivity. “Now you actually have a cultural problem where you can’t recruit people, you can’t recruit real talent.”
Konieczny added that security training has to be organized so that it promotes talent retention, rather than punishment of employees.
“The people have to know that this is a training exercise. You can make it more of a game for the guys,” said Konieczny, explaining that employees are likely to leave in the face of “witch hunts.”
“There’s no silver bullet to it,” said Marshall. “Some people make dumb mistakes.”