IT Support, Security, and Sustainability: Achieving the Equilateral Triangle

A recent blog post by Carol Baroudi heralds a sea change in the responsibilities of IT – or, if you prefer, a complication in IT’s balancing act. She notes that “bring your own device”, the name given to the strategy of letting employees use their own smartphones and laptops at work, rather than insisting on corporate ones, may have major negatives if the enterprise is serious about recycling devices. In effect, Carol is pointing out that allowing employee computing to cross corporate boundaries may have bad effects on corporate efforts to achieve sustainability, and IT needs to consider that.


In my experience, these considerations are very similar to those of a previous IT balancing act: IT’s responsibility to provide support to its users balanced against the enterprise’s need to maintain the security of internal computing and data – security whose breaches may threaten the health or even existence of the enterprise. Thus, IT’s past experiences may help guide it in balancing sustainability and the other needs of IT.


However, I would assert that adding sustainability to IT’s balancing act should also require a real rethinking of existing balances between all three elements for which IT will be responsible:  support, security, and sustainability. Moreover, I would argue that the result of this rethinking should be a process redesign, not an architectural one, that makes all three elements more equal to each other than they have been before – in balance as an equilateral triangle, not a random intersection of three wildly unequal lines. Finally, I would claim that a best-practices redesign will deliver far more benefits to the enterprise than “business as usual.”


Below, I will briefly sketch out how I believe each element should change, and first steps.


Redesigning IT Support


Support is an often-underestimated part of IT’s job. Many surveys in the past found it useful to distinguish between three IT jobs: keeping the business running, supporting users (internal and external), and helping the corporation achieve competitive advantage. Over the last 10 years, as software has become critical to competitive advantage across a wider and wider range of industries, IT “innovation for competitive advantage” has begun to put its other two jobs in the shade. However, an enormous piece of IT’s part in achieving “innovation for competitive advantage” is to support the developers, corporate strategists, and managers who are the ones designing and creating the product and business-process software that delivers the actual advantage. In other words, the support that IT provides to end users is key to achieving two out of three of its jobs.


On the other hand, experience tells us that support of internal end users without control over the computing they are doing is extremely difficult and also dangerous. The difficulty comes from the fact that the average employee spends little time making sure the organization knows what his or her computing devices (including smartphones), Web usage, and software is – and so support is usually guesswork. Today’s danger now comes from the fact that unexpected computing threatens to cause downtime and security leaks. Sustainability will add “carbon leakage” – the tendency of employees to shift to unregulated devices and software that produce greater emissions when controls that slow them down are placed on the data center.


To a certain extent, IT can piggyback on today’s security software in dealing with the new sustainability demands – by adding monitoring of “carbon leakage”, for example, to existing asset management protections against property theft. But IT support processes must also be redesigned to incorporate sustainability considerations. IT Developers must bear their share of “going sustainable” by tilting their development form factors towards devices with lower emissions. Product designers must be encouraged or restricted in the direction of sustainability when designing new products. Corporate strategists should be made to factor IT sustainability into their strategic decisions such as rightsourcing. End users should be encouraged and restricted likewise, both in their use of IT resources and in their uses of personal computing resources for corporate purposes – Carol’s example.


Such a process redesign demands as a prerequisite some sort of overall sense of what internal end user carbon emissions are (or whatever other sustainability metrics are appropriate), and how they are changing. My sense is that organizations now understand that they need to draw a line between a particular resource or process and its emissions, and have some handle on all corporate assets in the data center and corporate headquarters countries (including IT asset management and disposal). The biggest needs right now are to understand IT and employee computing resources outside the data center, and to get IT’s hands around the corporation’s capital across geographical boundaries – how computing and heating relate to emissions in the developing countries, for example.


Rethinking IT Security


“Scare stories” like theft of a company’s private data are constantly in the news, making the importance of IT security relatively easy for corporate to understand – even if they don’t necessarily want to spend on it. At the same time, when security is implemented, its philosophy of “better safe than sorry” carries its own dangers. My favorite quote in that regard is Princess Leia’s remark in the original Star Wars movie: “The more you tighten your grip, Tarkin, the more star systems will slip through your fingers.” That kind of dynamic plays out in several ways: the inability of companies to see what’s going on outside, because they are not constantly, unconsciously, exchanging information for information; the lowered productivity of employees, as they fail to bring to bear on today’s problems the new technologies that IT could not possibly anticipate supporting, and are therefore excluded by security; and the tendency of employees when too much control is exerted over one form of computing to flow to others that are easier to use but harder to keep track of – such as personal laptops instead of network computing.


When it comes to sustainability, security cuts both ways. On the one hand, as noted above, sustainability needs the kind of visibility into and control of emissions that security provides for corporate data and computing. On the other hand, sustainability badly needs to emphasize the carrot instead of security’s stick, else cultural resistance will make “carbon leakage” endemic. And the converse is also true: “bring your own device”, even if it can be made to incorporate personal recycling reliably, makes security’s job harder.


To be fair, IT security has made enormous strides over the last 20 years in its ability to achieve fine-grained availability of apps and data to the outside while protecting proprietary information. Still, I believe that the new equilateral triangle requires not only adjustment of security and sustainability to each other’s needs, but also a shift in the balance between IT’s support tasks and its security efforts. Today’s reactive, controlling approach to security simply hinders too much the organization’s ability to be agile in an environment that is far more uncertain and fast-moving than ever before, as well as the organization’s ability to respond to what are likely to be greater and greater demands for more and more sustainable business practices.


The change in the security component, therefore, should be threefold. First, security software should be made much more “virtual.” By that I don’t mean that the applications it monitors should become more “virtual” – that’s happening already. Rather, I mean that the security itself should as far as possible be protecting logical, not physical, objects. In a sense, that’s what already happens, when you talk about security in a service-oriented architecture: you monitor a particular cluster of apps as a whole, no matter what platforms they are split across. So, slowly but surely, organizations have begun to do so – and they should speed it up. However, I also mean that IT should apply the same thing to things like land, buildings, and equipment. IT support needs this, in order to support efficiently across geographies. IT sustainability needs this, in order to efficiently link people, corporate resources, and emissions. Above all, when disaster strikes, the “virtual office” needs instant security as it moves to another location.


The second security rethinking should, I would say, take its lead from the Arab Spring. An interesting article in the MIT Technology Review showed how rebels maintained their security in the face of intensive assaults by switching media rapidly – moving from cell phones to Facebook to face-to-face and back. Underlying the concept is the idea of “rolling” or “disposable” security, in which the organization is constantly adding new things to be protected and leaving others behind as less important. Obviously, this can’t be carried too far, as some run-the-business apps can never be unprotected. However, it does give less of a feeling of being controlled to the employee, as some things become less controlled – as long as the shifts are done automatically, as new versions of the security software arrive with Continuous Delivery development processes, and without creating “bloatware.” I am not talking about constant security patches; I am talking about constant changes in what is being protected.


The third security rethink is to incorporate the idea that sometimes sustainability may mandate less (controlling) security instead of more. Employees are often ahead of management in their enthusiasm for sustainability – witness IBM incorporating a sustainability strategy as one of the top four only after employees told them they wanted it. Therefore, security to ensure corporate sustainability initiatives are being followed will just have to take second place to IT support for corporate and employee sustainability efforts. In other words, security levels will have to be carefully dialed down, where possible, where sustainability is involved.


Reimagining IT Sustainability


In many ways, the sustainability component of our equilateral triangle has the least design adjustment to make. Mostly, that’s because so much of IT’s sustainability component has yet to be implemented (and in some cases, defined). Emissions metrics are still in their early stages of incorporation into IT-available software; the proper relationship between the carbon-emissions focus and other anti-pollution efforts is not clear; and sustainability of a “carbon-neutral” organization’s business and IT model is still more a matter of theory than of real-world best practices.


Nevertheless, I would still recommend an exercise in reimagining what IT sustainability should be and how it should relate to IT support and IT security, because I believe that the organizations I talk to continue to underestimate the wrenching changes that lie ahead. Certainly, as late as a year ago, few corporations were talking about the effects of massive drought in Texas (anticipated by global warming models) on their data centers there. They do not yet appear to be considering the effects on employee hiring of loss of flood zone home insurance as insurance companies decrease their coverage in those areas in anticipation of further climate effects such as the ones that have driven up their disaster coverage costs sharply over the last 5-10 years. And this is not to mention similar once-in-100-years occurrences that have been taking place all over the rest of the globe in the last year and a half. Enterprises in general and IT in particular are wrapping their heads around what has happened so far; they do not yet appear to have wrapped their heads around the likelihood of a twofold or tenfold increase in these occurrences’ impact on the organization over the next 10 years.


IT needs to reimagine sustainability as if these effects are already baked in – as indeed they appear to be – but future effects beyond that are not. To put it in sustainability jargon, IT needs to add adaptation to the mix, but without compromising the movement toward mitigation in the slightest. Effectively, in the middle of a near-recession, IT needs to add additional costs to implement virtual software and the “virtual office”, while maintaining or increasing present plans to spend on decreasing carbon footprint. Decreasing carbon footprint has a clear ROI; adaptation well ahead of time to future disasters does not. Still, as the saying goes, pay me now, or pay me a lot more later.


What reimagining sustainability means, concretely, is that IT sustainability itself should incorporate IT efforts to support a more agile software-driven enterprise via more rapid implementation of “virtual software” – and should point that software squarely at physical assets that are difficult to move, like offices, inventory, and tools. Also, IT sustainability software should incorporate security (and vice versa) in terms of roles instead of people, resource types instead of physical plant and equipment. As an old saying put it, “in danger, the poor man looks after his few possessions first; the rich man looks after himself,” knowing that equivalent possessions can be bought later in another place as long as he survives. Likewise, for the corporation with massive resources, IT sustainability wisdom lies in agilely adapting when disaster strikes as well as seeking to prevent further disasters, not betting everything on riding out the storm with possessions intact where you are.


The Triangle’s IT Bottom Line


The key benefits of setting up an equilateral triangle of IT support, security, and sustainability should be apparent from my discussion above:


1. Improved IT and business agility, with its attendant improvements in competitive advantage and long-term margins;

2. Improved insurance against disaster and attack risks;

3. Overall, reduced costs, as energy and efficiency savings more than counterbalance the added costs of adaptation.


So my recommendation to IT is that they run, not walk, to the nearest recycling center and Recycle their old IT support-security act; then Reuse it in a new equilateral-triangle strategy that balances support, security, and sustainability more equally; and use the new strategy to Reduce costs, risks, and inflexibility. Reduce, Reuse, Recycle: I bet that strategy will be sustainable. 


Wayne Kernochan