Embracing Manjoo’s Madness
There was a little bit of a buzz recently regarding an article on Slate called, “Unchain the Office Computers! Why corporate IT should let us browse any way we want”. It’s basically a litany of complaints about how the IT department, “that class of interoffice Brahmans,” decides “ridiculously and capriciously, how people should work”. Very clearly it wasn’t going to win a bunch of fans from the Security Twits lurking around on Twitter’s infosec community.
The author’s rants run the gamut from legitimate beefs to notions that would make the most incompetent infosec employee cough up a hairball. He also seems to be completely unaware of the myriad legal, HR, and compliance bogeymen that serve as drivers of so many security policy restrictions. All of that, coupled with what seems to be a disrespect (or at the very least a disregard) for the skills, responsibilities, and intentions of your friendly IT worker, would certainly make him a difficult customer. Who wants to deal with that?
A lot of the reactions to the author’s opinion were expected and understandable. If I recall correctly, “clueless” and “dangerous” were at least two of the words used to describe it. I don’t necessarily disagree with this either. The point of this post is more about what comes next: Do we, as those “interoffice Brahmans” simply thumb our noses at a very rash and simplistic view of the whys and hows of security-and-policy-minded restrictions, and tell the author to get the USB key that he found in the parking lot out of his PC and get back to work so that we can get back to saving the world from the l33t h4x0rs whilst doing the Dew? While not everyone would take that tack, let me suggest a different approach anyway.
The author, Farhad Manjoo, represents reality. He’s a real person who uses real technology in the real world. And he’s frustrated. He also represents a pretty wide view. In a Cisco-commissioned study on leakage prevention (get the papers here, and a decent summary here), it was discovered that:
“The majority of employees in eight of the 10 countries surveyed indicated that they believed their company’s security policy was unfair or impeded their ability to do their job. Employees with more access to collaborative Web 2.0 applications and social networking sites, video and mobile devices, expressed that they increasingly used these technologies in the workplace but were frustrated with rigid or outdated IT security policies that limited their use.”
With that, we need to accept that he and people like him are our customers. Rather than slough off Mr. Manjoo’s opinion as just being one of the uneducated masses, I contend that it’s our job to listen to his opinion and address it appropriately:
- If the reasons for a particular policy are draconian or reactionary, they should at least be reviewed, if not changed/updated or eliminated.
- If the reasons are justified (“justified” here does not mean “because we, the Brahmans, said so”; it means a very real, pragmatic justification for which there is not a reasonable alternative in order to protect the data/assets), then they need at the very least to be explained. Education and continued relationship- and awareness-building would be even better.
- If the policies really cause them to not be able to do their jobs (which does indeed happen), our job – and one of the aspects of it that makes what we do so cool, challenging, and fun – is to think creatively of how to allow them to do their jobs while keeping the data/assets safe.
I say let’s bump things up a notch: Make it a point to seek out your own personal Mr. Manjoos, embrace them, and convert them. Difficult customers, once converted, can become some of your greatest supporters. They might even spring for the Dew.



