Here is my take on an extremely common event: Earlier this week I lost a USB stick while travelling to Germany.
Maybe I let it slip between the seats on the plane and it is now trying to make friends with the life vest. Maybe I dropped the stick when I paid for a sandwich at the airport. Or maybe a pickpocket specialising in near-obsolete IT equipment got hold of it. Either way, I was mildly annoyed but didn't worry about data falling into the wrong hands because it was encrypted using a simple file container (TrueCrypt in this case). End of story.
Non-events like this are completely unremarkable - except that they have a seductive quality that leads to poor decision making in many corporations.
Look at the story this way: Once upon a time, there was a massive security risk - sensitive data being carried around on USB sticks that could easily be lost. Fortunately, the risk was recognised, and a simple, effective, and low-cost IT solution implemented in good time. Result! Problem solved.
Business leaders like to assume that other security issues can similarly be resolved through simple, effective, and ideally low-cost means. Moreover, they tend to assume that the solution is primarily an IT one. Security vendors have an interest in reinforcing those assumptions, and suddenly various IT projects are underway to "fix security".
An area where this approach is particularly inappropriate is the protection of intellectual property (IP). Companies have an understandable interest in preventing proprietary designs, algorithms, code, financial figures, engineering details or sales strategies from falling into the wrong hands. One of the major worries is that employees carelessly or maliciously leak company data, and hence time and effort are invested in IT "solutions" such as:
- locking down desktop machines to prevent the installation of spyware
- disabling DVD burning
- disabling USB ports
- monitoring user activity
None of these measures is inherently useless - but I am not the first to point out that businesses often close off the above "escape routes" for intellectual property while leaving other routes wide open. Employees might still, for example:
- upload data to websites (and not just to the obvious ones such as Facebook, Gmail, Flickr, ...)
- print data
- download via corporate webmail access while on the road
- fail to hand in their brains when leaving the building in the evening
Completely locking down those routes would bring any company to a standstill, and therefore they remain open (especially the last one). The resulting situation is clearly nonsensical - an approach to IP protection that is like forging a chain from alternating elements of high-grade steel and tissue paper.
Why is this? Why are the capabilities and constraints of IT measures so poorly understood amongst board-level decision makers (with the possible exception of the CTO)? Two factors are at play here. The first is the culture gap between the IT area and the rest of an organisation.
Decision makers without a solid IT background hear success stories like mine about losing an encrypted USB stick and thus feel justified in their belief that IT works as follows: for every problem there is a piece of software, a piece of hardware or a configuration change that solves it. At worst, the solution might be expensive, and suitable pressure might need to be applied to the relevant teams to find and implement it, but there is no doubt that a solution exists.
This belief is almost touchingly naive, and its seductive power lies not least in the implication that IP protection is a problem that can conveniently be delegated to the IT department. This puts IT leaders in a difficult position: in trying to correct the board-level belief that IP protection is an IT task, they come across as defensive naysayers unless they manage to bridge the culture gap from their side. IT leaders need to make the jump from arguing from an IT perspective ("these IT measures have such and such effect") to a whole-business perspective ("this is the role IT can play in an overall IP protection strategy").
It is not unusual that it falls to IT leaders to sketch the IP protection strategy for the whole organisation even though their own knowledge of IP-sensitive areas such as Research or Finance might only be superficial.
The second factor leading company boards to a poor understanding of the role of IT in protecting intellectual property is the choice of metaphor. IP protection is essentially seen as a battleground: there are front lines to be defended, escape routes to be closed off, supply lines to be protected, command-and-control structures to be put in place. Naturally, IT measures appear to be the weapons of choice on this battleground since almost all IP is stored or processed on IT systems at some point.
But the battleground metaphor does not really fit the challenge of protecting IP. Front lines are not clear lines but rather a web crisscrossing various parts of the organisation as well as outside parties (suppliers, auditors, etc.). Thinking in terms of closing off escape routes relies on the optimistic assumption that "inside" and "outside" can be cleanly distinguished and cordoned off. Protecting supply lines is impossible where creative ideas and inputs travel in myriad ways that cannot all be identified and structured.
And command-and-control thinking is a poor fit for collaborative and bottom-up work patterns that most organisations strive for at least to some extent.
So what metaphor should guide decision making about IP protection? I am curious to see readers' thoughts in response to this post. Here is a suggestion for your next team offsite or brainstorming session: think of an organisation as a living organism, and think of IP as one of the nutrients that circulate in the bloodstream (e.g. glucose).
How does the body ensure that nutrients are contained in certain areas but can also flow to where they are needed? How is the need for nutrients detected, and what rules determine the body's response? How does the body regulate the exchange of nutrients with the outside world? And so on. This obviously will not translate into a ready-made textbook recipe for IP protection but should yield plenty of useful insights and ideas.
IT is capable of taking the lead in injecting a fresh perspective on IP protection into the organisation. And thus, maybe, it is not such a bad thing when the board of a company looks to IT to rise to the challenge of protecting IP.
By Sebastian Hallensleben
Sebastian Hallensleben works in the UK and Germany as an IT leadership consultant and strategy facilitator. This follows an in-house career of turning around, building, and managing IT teams in which he has worked with development, infrastructure, database, and support professionals in a variety of industries. He always welcomes contacts and connections and maintains the IT Leadership Forum on LinkedIn.