Ease of use vs. enterprise security: A CIO vets a new IDM system

In his ongoing quest to balance ease of use and enterprise security, CIO Niel Nickolaisen focuses on a new identity management system.

One of the collateral results of IT consumerization is that the expectations of our internal and external customers are being set by their best experiences with technology outside of the office. Sadly for us, it turns out that it is pretty easy for them to install their company email service on their new personal smartphone or tablet. All they have to do is enter their mailbox information and credentials and they are on their way -- no need to call the service desk to get permission or approval or anything.


These expectations for ease of use are sometimes in conflict with our need to secure the enterprise. Somehow, some way, we need to find the right balance between meeting and exceeding expectations and properly managing this extended enterprise.

As an example, we are in the midst of a major overhaul to our identity management (IDM) system. Our old system was old (and brittle and lacked functionality and was hard to work with and . . .). IDM is a big deal for us because we are an extended enterprise. We have tens of thousands of students -- every one of them remote -- who access our IT and data resources. In addition, we have thousands of staff members -- four out of five of them remote -- who access our IT and data resources.


We are also extending our enterprise to our critical suppliers and service providers. In this widely connected world, we want to provide ease of use and security -- hence, our plan to overhaul our IDM system. Our looming IDM project needs to improve the security of our extended enterprise by managing the identity of our students, staff and trading partners. Using these identities, they can access, with the correct permissions, the wide range of services we provide. But we cannot have this enhanced security at the cost of making it a nightmare to navigate those services.

Ease of use vs. security

We formed a cross-functional team to define what we needed in our new system. The tension between ease-of-use enthusiasts and security advocates was immediately apparent. Some members of the team pulled sharply toward ease of use; others toward security. When the resulting tug of war started to get a little ugly, we reminded ourselves that our student, staff and provider expectations were to have an easy but secure experience. These two seemingly competing goals became our primary decision filters for the new IDM system; we would only consider options that were both easy to use and secure. Our secondary decision criteria included cost, existing connectors and compatibility with other systems.


Our primary decision filters immediately eliminated some of our IDM candidates. Gone were those that did not offer self-service and self-provisioning, things that are now pretty well established as a minimum standard for ease of use. This analysis kept some systems that lacked the connectors we wanted. In managing the trade-offs, we decided that it would be easier for us or the provider to build the needed connectors than for us or them to design and build in ease of use.

The combination of enhanced security and ease of use keeps us on track with what our customers expect in terms of self-service and self-provisioning. Once they identify themselves, we let them acquire the services that align with their needs and their permissions -- and that lets my IT staff do higher-value activities than manage user accounts.

About the author: 
Niel Nickolaisen is CIO at Western Governors University in Salt Lake City. He is a frequent speaker, presenter and writer on IT's dual role of enabling strategy and delivering operational excellence. Write to him at nnick@wgu.edu.

This was first published in September 2013
