How do ensure good security when it's the employee that is primarily purchasing their basic IT equipment like laptops, smart phones and so on?
MH: I think there are some companies that are very aggressive on it, because of they don't have to buy the system, their employees are happier and so on. I think you've got others who honestly have their head in the sand and say, "It's not going to happen here." Maybe culturally in that company or organization that will be acceptable for a time, but there are others in the middle of all that who are kidding themselves, who go, "We don't allow personal devices." But I would bet you most of their employees have a personal device in their pocket, a smart phone, that may cradle on and off their corporate desktop, and they're exchanging information that way. They just don't recognize the fact they've already got consumerization occurring. Some block a lot of the external application. At Intel, we allow for reasonable personal use. Unless it's something known to be malicious or in the category of porn or something like that, we allow for the freedoms to the Web sites, download the applications and so on. Does it create some support challenges sometimes if someone downloads an application and it starts creating some idiosyncrasies on the system? Yeah, but we feel we get a lot of broader benefits in innovation and use of systems that benefit the company. Things will probably be polarized for a while, but we will continue to see more consumer devices and consumer applications in the enterprise.
I'd read somewhere that you've done some interesting work on integrating social media into your security strategy. Can you tell us a little more about that?
MH: Yeah, I think a lot of people are afraid of social media. But I have a view that with some things you've got to run the risk to shape the risk. And I had a discussion earlier this year with a peer of mine about social media in a setting of about 40 people, and he said, "Our philosophy is, 'In God we trust, everything else we block.'" Literally their view was, we'll block this off, and we'll block it forever. And I was like, you know, you're being blind to the fact it's still occurring. It can occur off-network. Maybe your organization has issued handhelds; you might have blocked it on your corporate network, but on those handhelds they can go to Facebook, Twitter, Yammer, you name it. Or, when if you block it there, they'll do it from their home system, and they'll do it anonymously. It will happen, because it's just the way in which the world is going. Much like years ago when people were worried about the transition to e-mail from snail mail. Letting a browser on a client and connecting to the Internet -- I think at any point of major connectivity and commnuciation means that have evolved, people have been afraid of it. And I think the people who have put their head in the sand to try and stop it, have made it a great risk for themselves, because it's happening in a way they can't shape it. A lot of these things involve people and behaviours. How do you shape people and behaviours, other than through training and awareness and adoption and learning through the mistakes? You're better off doing those things in the early stages, rather than keep your fingers in the dyke as it's leaking through and having it burst. We focused a lot on training and awareness, and a lot on enabling it internally. By having a social computing platform within the company, I have a lot less risk than someone feeling a need to blast something out to share confidential information or a negative opinion of something on an internal forum? Because we allow for the reasonable use of that internally, people will sometimes share relatively negative, pointed views on stuff. Better to do that internally, within the family, than outside where it gets picked up by the press and twisted in some forum or creating more negative churn? Internally, we can go, "Maybe that's person's right," and have a constructive dialogue internally.
Sign up for MIS Asia eNewsletters.