Monthly Archives: February 2014

A risk embracing organization

Yesterday I wrote about control and service.  Increased control can reduce risk.  However, to really move forward and provide better service we need to embrace risk: “Nothing ventured, nothing gained”.

All ventures are risky.  An organization has to embrace the taking of risks by its employees and reward them for taking “reasonable” risks.  Few organizations encourage risk takers because they are afraid that risk takers will eventually commit blunders.  The definition of what a “reasonable” risk is will vary widely.

Most organizations are risk averse.  Universities are especially risk averse as most of their value is in their reputation.  A reputation built over centuries by a University can be destroyed by one stupid mistake.  Tenure and permanent appointments at Universities are a small way to overcome this attitude at a University, but the time involved and the process of earning that status make most employees sclerotic and very risk averse.  A probationary employee is too scared to take risks to begin with, and seven years of training in not taking risks embeds that attitude “permanently”.

This loss of enterprise is especially significant as organizations and people get older (you can call me ageist) because they have more invested and have more to lose.  This tendency has to be countered by a risk embracing organizational culture or it invites stagnation and decay.

Information Technology: Service versus Control

In my post yesterday I had written about security and efficiency.  Closely related to that topic is service and control.

I like to tell my staff that IT is in the service business and we are not in the control business.  IT staff has to exercise control but the goal of that control should always be to provide better service. The goal should never be “I will control because I can”.  Certain areas of IT tend to attract control freaks and I have to confess that the power that control gives can be quite alluring.

IT employees also like control because it makes their life easier.  It is easier to say “go away” than to provide service by actually listening to what the user needs and taking on the inherent risks in implementing anything.

Organizations delegate a lot of control to IT for many reasons including security and cost containment, but that control usually gets in the way of the rest of the organization getting their job done as efficiently as they would like.  The solution to that is openness and communication.  If the rest of the organization knows why IT is required to say “no” to their latest idea, hopefully it will lead to a friendly joint exploration of alternative solutions that would be better for the organization as a whole.

On Security and Efficiency

Security and Efficiency are closely tied.  When I use the word “efficiency”, it includes terms like productivity, work done, profitability, performance or any other term that indicates results that an organization wants.

Qualitatively the relationship between efficiency and security can be described by the following graph: http://www.rosshudgens.com/wp-content/uploads/2010/12/Bell_Curve.gif

Where efficiency is the vertical axis and security is the horizontal axis.

When you have no security, no work gets done and efficiency is zero.  When there is no security, all your work is stolen or compromised.  When security is very high, no work gets done and efficiency is also zero.  A powered down computer system is very secure and is immune to hacking.

The trick is to find the level of security that maximizes efficiency.  This will vary with the organization, the individual, with the kind of security and the kind of work being done.

Traditional security personnel invariably tend to be on the right hand side of the curve.  Users, developers and traditional user support tend to be invariably on the left hand side of the curve.

The goal of an organization should be to be at the top of the curve.  Not too much security, not too little security but the right amount to maximize productivity across the organization.