by networkguy 4930 days ago
I really do hate reading articles that praise rogue employees using cloud services.

It's wrong for an infinite string of Data Loss reasons; uncontrolled access to cloud services is no different from leaving a laptop filled with confidential information lying in the front seat of your car.

It doesn't matter how secure the user thinks it is, nobody in Security or Risk Management has qualified or quantified the risk.

To say that Executives would rather stifle productivity is false; they will get the appropriate tools for the job for their workers. That has never been the issue at any organization I've worked for directly or consulted for.

The real reason nobody cracks down on this is kind of ironic: although the executives know it's going on, and they will chastise you or have you written up for breaking policy/procedure, the truth is that they don't really know what their security posture is, and they don't want to know, for liability reasons.

There's a lot of willful ignorance, because Security in IT truly is a giant black-hole cost center to these people; rather than seeing it as a protective measure, they see it as something that stifles productivity and costs enormous amounts of money.


Security in IT can be a way to reduce cost (via risk mitigation), but all too often it's just a form of authoritarian power play by petty tyrants.

In my experience, executives will get "dust in their eyes" if you bend a few rules to get things done in a bureaucratic environment. Plausible deniability, effectively. They want productivity without having to pay for it.

Dropbox, for example, is mostly free (up front), but with a level of risk cost associated with it. An enterprise on-premise Dropbox alternative is not free (up front) and may or may not have less risk than Dropbox. Which one is better? It's hard to measure. What's the ROI of sharing files? It depends on whether your management likes fancy numbers games or just approves projects based on personal preference, with numbers to make it look like they're doing some due diligence.

We're not trying to praise rogue employees for shunning corporate policies and opening up huge security holes.

The reality is that it's happening regardless. People are going to do what they feel they need to to get their job done.

Thus far, the general approach to dealing with this has been to enforce more policy, block where possible, etc., which again has done little to deter employees from "going rogue".

We want to open the conversation on better ways to solve this problem since current methods simply aren't working.

As a network guy who best understands the risks and consequences of unsecured, unsanctioned clouds being used in a company, what would you suggest as potential solutions to give employees the tools they need to get their job done, and the Company and IT the security it needs?

Good points. There is a lot of willful ignorance. (Plausible deniability is one of my favorite excuses I hear!) I think it's a bigger problem that really depends on the type of company or organization. Small and large commercial firms face less risk than Defense, Pharma, Financial and other highly regulated industries.

I don't think anyone is praising employees who go rogue, but I for one completely understand why they do, and sympathize. In many cases companies have made it way too hard to get things done. When systems get in the way of getting $#!t done, people find a way. Especially if their livelihood (sales, consultants...) depends on it.