This article was linked to by some of the usual EMC suspects; a fluff and puff piece about Private Cloud with the normal warnings about security in the Public Cloud. It is this section of the article which I find especially disturbing both in tone and message…
I’ll leave you with what has become my favorite story and it was told at CIO 100: Apparently, two engineers at a pharmaceutical company had to complete a critical project quickly and bid it out to IT. IT came back with a massive cost and a timeline in months. The engineers instead used their credit cards to use cloud services and completed the project in a few weeks and won an award for cost savings. The day after winning the award, both were terminated for violating the firm’s security policy as the project, which was ultra-secret, hadn’t been adequately secured.
I can almost imagine the teller of the tale’s gleeful smile as he recounted that story, perhaps the CIO involved. Now I think there should have been several different actions, none of which lead to the dismissal of two obviously talented and thoughtful engineers.
1) The CIO should have been hauled up and made to explain why his team could not provide the services that the engineers needed in a cost-effective and timely manner. He put them in the position that, to do their job properly, they had to bend the rules. In fact, he should be the person losing his job; as a result of his inability to provide service, the company has had to terminate two valuable employees.
2) The team which looks after security should have been asked to look at the project and what the engineers had done, make a proper security assessment, and work with them to ensure that such projects could be delivered in the Public Cloud in a secure manner. Proper procedures and guidelines should be put in place to support innovation.
But instead, a vengeful IT department decided that the best thing to do is to shut down anyone innovating in their space.
And if anyone thinks that the large pharmaceuticals are not using public cloud, you should probably think again. They are, regularly and, I suspect, securely; or perhaps it's not 100% secure, but the opportunity for quicker delivery is worth the risk.
Security is an issue but don’t let vendors and IT departments use it to block innovation and keep their castle intact. Security needs to move on from ‘No!’ to ‘How can we help you achieve your goals!?’; a bit like IT departments in general.