Loosening Security Controls to Boost Innovation

At many businesses today, there’s a fight between workers and their information technology (IT) departments. Employees want to use instant-messaging programs to communicate or export documents to Google Docs, while company security officers get heartburn at the idea of so much company data being scattered around.

At the keynote address this morning at the Black Hat computer-security conference in Las Vegas, Douglas Merrill, who recently left EMI Music’s digital group and was formerly chief information officer and vice president of engineering at Google, said that companies should reconsider this adversarial relationship.

According to Merrill, studies show that employees can increase company returns when they have the freedom to innovate by trying new software and new workflows. However, those returns disappear when employees are made to feel that their activities are illicit.

As an example of how companies can give workers freedom without compromising security, Merrill described his experience at Google. “Google’s engineering culture was all about working the way you want to work,” he said. Employees could use any operating system and work from any convenient location–the office, home, a coffee shop, or wherever. As a result, it was impractical to rely on traditional security solutions, such as installing antivirus software on each device employees used.

Instead, Merrill said, Google addressed security by building up its infrastructure. For example, the company put antivirus protection on its mail server, which is the main source of viruses that infect the network. They also watched their network traffic patterns for any unusual spikes.

Merrill said that companies need to find new ways to accommodate employees while also securing their systems. Trying to change behavior, like asking employees to stop using instant messaging, only stands to stifle innovation.