A few years ago, I worked in a company where a full electronic war began between the IT department and the company's employees.
Here's what happened. Amid growing cyber-security threats, the IT manager removed administrative rights from all computers, so that employees would not be able to download harmful software. He raised a firewall to prevent access to many websites, some of which were harmless. If you wanted access to a blocked site, or needed to install new software, you had to ask the IT department.
Pretty quickly, the IT department became a bottleneck. Requests to get access stayed in the queue for days. The IT department's response was to ask employees to prioritize their requests, so the IT department could first deal with the most urgent, production-stopping requests. Sure enough, very quickly all requests became marked as urgent and production-stopping.
Finally, the IT department, caving under the load, started giving employees temporary administrative rights, and opening every website as requested without really checking the security and possible harm that could be caused by those actions.
It became very clear that IT departments focus on the one job they should not be focused on: protecting the company from the inside. Protecting it from its own employees. The people you are supposed to trust the most.
As a result, employees found themselves at odds with the IT department. They would find ways to get around obstacles that the IT department put in front of them. In response, the IT department would fill those security gaps as soon as they found them. It became a daily battle.
Somehow, this just doesn't seem productive.
In my years working in Corporate America I had these arguments with the heads of IT all the time. Here is what I believe the three roles of a good IT department should be:
1. Protect the company and its employees from the outside world
There is no doubt, hackers and cyber-attackers are real, damaging, and here to stay. The damage they can inflict on individuals and companies is substantial. Juniper Research suggests that the cost of data breaches will be over $2 trillion by 2019, 4 times as much as it was estimated to be in 2015. One of the fastest growing technology areas is cyber-security, which is now being taught at primary education institutes. An IT department plays a major role in protecting the company from such attacks. It needs to be up to speed on the latest and greatest in protection technologies. It must be vigilant, and it must be pragmatic. However, protecting the organization from the outside doesn't mean protecting it from its own employees. No doubt, employees have much better access to the organization's information infrastructure and can cause more damage than an external attack. People from the outside cannot simply walk into the company and insert a USB flash drive with a virus in one of the computers (except in the movies...), but employees have access to the "soft belly" of the organization. They have access inside the firewall. However, the way to protect the organization from an unintentional "inside job" is different.
The story at the beginning illustrated why removing administrative rights from employee computers was ineffective. The IT department couldn't handle the volume of requests to download new software or get access to potentially harmful websites. It had to trust the employees to be vigilant enough. However, without proper education, those employees, unintentionally, could still put the company's IT infrastructure at risk. One of the major roles of the IT department is to educate employees on how to protect the company's IT infrastructure themselves. Make them aware of the possible dangers and risks, and give them tools to protect themselves and the company. But then trust them as the company's first line of defense. After all, the company trusts those employees with very big decisions. Sometimes companies lose track of those. In one of the companies I worked for I had no administrative rights to my laptop, and my expense budget was limited to $5,000. However, I had the authority to order production tools that cost more than $1 million.
3. Enable and lead
Finally, IT departments should be proactive and not reactive. Many IT people I spoke with, whether they truly believed this or were told by their bosses, saw their job as fixing problems. However, the IT department can be at the forefront of every technology that can help the company's employees be more productive, effective, and creative. They should research new tools and make recommendations. They should hold in-house seminars to show employees how they can perform their jobs better, faster, and smarter. They should be continuously collecting data and analyzing it to identify not only where problems exist now, but where they might occur in the future. They should solve problems not after they occur, but before they do.