
For those who don't like these psychological terms, that means covering people as well as technology, but probably with a bias towards people. First of all, a bit about me. As you can see, I've been around a bit. What it doesn't actually say there is that I started out as a chemist. Then I became a teacher. I became a researcher. I worked in psychology. I've worked as a network manager, so I can certainly empathize with some of the things that have been said previously by Adrian. And I've also been an academic researcher, particularly related to cyber security standards. So I spent quite a lot of time when I was an academic working with small businesses and not really appreciating the problems of small businesses. Now I'm running a small business and I know exactly what the problems are.

So what's all this about? Trying to create a bridge, not between security folk and organizations necessarily, but within organizations: a potential conflict within organizations which I've experienced in just about every organization I've been part of, and that's the one between, on the one hand, senior management, in the middle the IT manager, and at the other end the IT users. I've been a network manager. That was right at the end of the 1990s. Maybe it's changed, but I think, as Adrian was hinting at before, it's a difficult role because you're trying to keep everybody satisfied and people are coming from completely different viewpoints. So, what's the problem? Maybe you're not all familiar with the term. The problem is something called shadow IT.

And the problem is that IT managers are trying to keep the organization safe and secure and do all the things they're supposed to do: keeping all the applications updated, all the operating systems updated, everybody following the IT policy and so on. If there is an IT policy; not always, in a small organization. So if that's the case, they get employees saying, "I want to use this. Oh, this is much better. Oh, come on. Who are you kidding? Use Excel? You're joking?" I didn't have that problem when I was an IT manager because that was the late 1990s. I remember going on an airplane somewhere nice and sunny and picking up a book at the bookshop, as you do because you're bored and you're waiting for the plane, and it was called Hacking Work, and it was about what's going to happen. This was about 2012 sort of time. What's going to happen in the near future? All these people coming through as IT literate, as users of mobile apps, were coming through into the world of work, and again they were seeing the apps available to them in the organization and they knew a better way. They'd been using better ways since they were in school and university, and now they're in perhaps their first promoted job in the organization and they're being told to use Excel or whatever. I mean, nothing wrong with Excel. I use it all the time, but you know what I mean? There are basic apps that they think are old hat, when they've got all this super stuff on the mobile. Why should they do that? And of course, the IT policy says you must use the organization's obligations. And hey, they've got mobile phones. We've all got mobile phones now. So, what might a creative, or perhaps devious, or maybe sneaky individual do? Well, what did we all do at school when we wanted to do something we didn't want the teacher to see? You do something under the desk. Mobiles are great for using, metaphorically, under the desk. So this problem built up all through the 2010s. I thought it had gone, to be honest. I remember reading about shadow IT in probably about 2008 or 2009, before mobile phones really changed the world, and it seemed that IT managers had things under control by then. Little did I know. Because there's so much software available, and because employees are basically driven to achieve results, achieve their objectives, keep the bosses happy if they're achieving their objectives quickly, smoothly, more effectively overall, why should they use this very limited range of software that's on offer? So, a big dilemma. It's been there, but it's been getting bigger. It's been getting bigger because younger people are coming into the workforce and have different expectations from older people, who are just happy to use the software. So what do they do? As I say, under the desk, break the rules. Who's going to know?

I can't remember now where I actually got that little cartoon from, and you probably can't read it too well, but basically: all the computers in our network are ISO 27001 compliant. But of course, and that was even more true during the times of Covid, no one's actually behind their desk. Everybody's possibly working at home on their laptops, and goodness knows what apps they've loaded onto their laptops at home, or they're using mobiles. Now there was this, I think, awful term that was brought in called BYOD, bring your own device. It was probably a marketing term initially, actually; they usually are. Bring your own device into work. It makes you more productive. It makes you happier. What's not to like about it? The IT manager, isn't that the person who's sort of let out of the dark, you know, like the thing in The IT Crowd, the stereotype? He or she has always managed in the past. Why shouldn't they continue to manage it now? But they'll have to, won't they? And so the IT manager is told about BYOD. We talk about nervous breakdowns in IT staff. I'm sure there would have been a few when suddenly employees had mobiles and they were actually sanctioned by senior management. That must have been impossible.

So how do they get around it? I mean, organizations still function. Organizations, on the whole, actually don't get hacked. So something must have happened to enable that sort of situation to work. So BYOD didn't become total BYOD. Common sense, to some extent, actually prevailed, because there was a survey done by Samsung who found that sales of mobiles by organizations were starting to go down. This was around about 2018 and they thought, hey, what's going on here, is BYOD not as popular as it was? And of course organizations had finally realized, to some extent and in some organizations, that it was not a good idea, because cyber security is kind of important, and that was probably accelerated by huge problems. You may remember, again, we've had ransomware spoken of here before, the huge ransomware attacks of 2017 that virtually closed parts of the NHS. And that was shown to be mostly caused by machines that hadn't been patched. So badly not patched that some were still running Windows XP. You may remember; I don't know to what extent that got onto the national news.

Anyway, ISO 27001, if you're not familiar with that, and you can be forgiven for not having heard of it, that is the gold standard. So this organization, this IT manager, is so proud he got everything up to ISO 27001, the gold standard for security. But look what's going on. And probably that organization got hacked, would have been the next cartoon strip. And of course everybody wonders why they got ISO 27001. But there's more to it than that, isn't there? There's the people component. It's not just about the technical. It's about the people. People in organizations.

So, is it an impossible dilemma? Will a lot of organizations still say, IT manager, you figure it out, we want to keep the employees happy? Particularly if they've got a senior management now that includes people who think Excel's old hat, for example. I've got nothing against Excel, honest. So here we are, the pros of shadow IT. It's great for employees. It's great for productivity, keeps everybody happy, keeps everybody on their toes. It also means, through BYOD etc., that the organization can have the employees working outside normal hours, so they actually get more hours a week out of them, and they can contact them out of hours and so on. So, as far as the organization's concerned, it's all pretty good. As far as the organization's security is concerned, we all know it's a nightmare, because if you've got this, that and the other app that the IT manager, the IT department, doesn't know about, they can't patch them and they're just open to every hacker under the sun.

So the way to do it, of course, as ever, is to talk. But there needs to be a rationale behind getting people to talk. How could that be done? This is where organizational psychology comes in, because there's a model that you may be familiar with. I've had some interesting conversations on LinkedIn recently about this. And actually I worked in a business school, so I did have business colleagues who were aware of models like this, which can show that no matter what organization you take, somewhere it'll fit in that little model. Just take two examples, two extreme examples if you like. You've got the ultimate hierarchy, perhaps a government organization or local government organization, where everything is nailed down, all control is from above, and employees essentially have a set of rules and they'd better stick by them. The other type may be some of the newer IT companies like Apple; it's more of a sort of do what you like as long as you get results sort of culture. Now both of those pose problems for shadow IT in different ways. There are two other ways though. There's a market culture, which actually looks outside and realizes that there's a world out there and there are lots of nasty, evil hackers out there and you do need to look after security, and there's also the friendly sort of organization that gets people to work together, and maybe those two sorts of cultures would be the sort of thing that might be encouraged to reduce shadow IT. How are we doing for time?

>> We have about four minutes.

>> Oh, okay. All right. So I've put together a working paper on this and it's available for anybody who's interested. I'd say that this is a bit of blue sky thinking, because although everybody talks about shadow IT being a problem, it keeps going away and keeps coming back, but while employees are using their own apps, then organizations are going to be hacked. It's as simple as that. There's no way around it. And until this somehow gets ironed out and sorted out by organizations, it's going to be a problem way on into the future. So the guys who put this together, from the University of Michigan, it's been going for 40 years now. That's the most recent edition of the model. It's a mature system of organizing organizational behavior and culture, and it works. But does it work in this context? Getting employees together, getting people with maybe a different perspective, because everybody wants to do well for the organization. Everybody wants the organization not to get hacked. Everybody wants high productivity. Everybody wants to be happy in that organization. So tweak it, is a simple way of putting it. And this model would provide organizations with a methodology for, we're not talking about revolution here, we're just talking about small changes or nudges in an organization, that would say, oh yes, I'm being a bit unreasonable here, I don't want to risk the cyber security of this organization on the one hand, and on the other hand, maybe we could be a bit more flexible with our choice of software. Maybe if there's an IT user group that meets monthly and actually comes forward with concrete suggestions we can take to senior management, maybe everybody could get the app that they want at work, and controlled by work, controlled by the organization.

So in summary then: it's a dilemma. It's caused by employees and IT managers, basically the way organizations have evolved over the years. It can be solved. There are tools to solve it. Much, much, much more research is needed. But there's no doubt that the outcome would be what we all want: better cyber security. So that's me. A bit more about the paper that's in progress at the moment. Will this be available to people if they want it afterwards? I am not very sure, but I think it's for you.

>> Okay. Because it's quite a long URL. That's what I was thinking. But so that's what we're about. What I do at the moment in my organization is assess small businesses, mostly small businesses, for Cyber Essentials. So I do see quite a lot of what's going on. Okay. Thank you very much. Any questions?

>> We actually have to...

>> Oh, no. No. This one, quick.

>> What do you perceive is the biggest threat? Shadow IT or shadow AI?

>> Wow. That's... yeah, potentially shadow AI would be a nightmare, certainly, but for the moment then perhaps tackle shadow IT, and then, with all the lessons learned from tackling shadow IT, go on to shadow AI. But a great question, thanks. Okay.

>> Okay, well, thank you all. Thanks for listening.