Hacked off at the Wall Street Journal

As I noted a few days ago, the Wall Street Journal published an article on how to get around your IT Department's security restrictions. As I think I made clear, I didn't think it was a particularly well-thought-out article.

The WSJ finally published one letter yesterday questioning it that was written by Dr. William Hery from the Department of Computer and Information Science & Department of Management, Polytechnic University in Brooklyn. I thought I would reproduce it here, since I think it is spot on:

Your article "Ten Things Your IT Department Won't Tell You" (The Journal Report on Technology, July 30) is irresponsible. The article encourages and abets the circumvention of security controls developed by corporate information-technology departments. These controls are typically carefully thought out and based on a corporate-level risk analysis, with confidential corporate information, private employee information, corporate reputation and even the ability of the corporation to conduct business all at risk. It is unlikely that all employees who use the methods you suggest, even those who "play it safe," as described in your article, are knowledgeable enough to provide the level of protection the corporation needs.

The article also left out, except indirectly in one comment, a critical risk to the employee: Even though they are circumventing the technology, they are still bound by the policies that led to the controls. The resources the employees are using belong to the corporation for appropriate business use. By actively circumventing the policy, the employees are admitting that they know the policies. By violating the policies, they are subject to any penalties defined in the policies, including reprimand, poor performance appraisal and potential dismissal.

I also wrote a critical letter to the WSJ, but it didn't get published. It was probably because I asked why the journalist didn't ask whether the Journal's own IT Department thought that it was okay to ignore departmental security policies, or maybe it was because I encouraged the WSJ employees to throw off their shackles and ignore them as well, since the article seemed to suggest that it was an acceptable thing to do.

Now, publishing Dr. Hery's letter as well as outlining mine is probably against Journal policy, but in the spirit of the advice given in the article to ignore policy, what the hey.


There was a response to Dr. Hery's letter in the 17th August edition of the WSJ.

IT and security groups need to come out of their ivory towers once a decade or so and learn what the rest of us already know: Computers are meant to be used, and when access to legitimate activities is blocked, we poor, dumb users will find a way to thwart them so we can get the job done. Unfortunately, that approach allows those with nefarious intentions a path to do damage.

Ah, the voice of the people. Legit here seems to me to mean whatever I want to do, the organization's interest be damned.

Is security too tight sometimes? Yes. But I would love for users who complain about it to be put in charge of trying to determine the "right amount."


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City