Andrew Carnegie believed that the only irreplaceable capital an organization possesses is the knowledge and ability of its people, and that the productivity of that capital depends on how effectively people share their competence with those who can use it. If this was true a hundred years ago, it must be even truer today as organizations face an increasing pace of change and are becoming more knowledge-intense, relying on a core of highly collaborative and specialized knowledge workers who are geographically dispersed.
Today, the only feasible way for employees to share their competence efficiently with their colleagues is often to share it by digital means. This applies not only to competence but also to ideas, experiences and any information we need to make the right decisions. Although there are many ways to share information digitally in efficient and effective ways today, as is proved daily on the social web, many of the new technologies and practices have remained fairly unexploited. This suggests that many organizations are still ignorant about the importance of sharing and its impact on their performance.
When Sharing is Hard People Find Workarounds
When it is hard to share information, people are less likely to do so. Many ask themselves why they should make the extra effort required to share their information if they don't see a clear personal benefit. When it is hard to share information, people also tend to find workarounds that make the effort as low as possible when they really need to share something. That’s typically why people are sharing confidential information via email, USB sticks and external web services, or why they keep such information in places where it is easily accessible but not very secure.
A common reaction to this from IT departments is to do what they can to make people stop using these workarounds. Few take the opposite approach: trying to make secure sharing easy. This is rather strange, especially considering that sharing information is essentially about enabling better decision-making. When you have timely access to all the information you need, you also have the ammunition to make the right decisions at the right point in time. Sharing must of course be done in a secure way, but never so secure that sharing doesn’t take place or that people find themselves forced to revert to less secure ways of sharing. So why isn’t sharing made easier? Why aren’t our digital work environments more open and transparent than they are?
We Underestimate the Risks of Closed Systems
I believe the reason for this can be found in David Weinberger’s live blogging notes from a conference session in 2008 where he quotes James Boyle, chairman of Creative Commons and professor of law at Duke:
We have patterns of behavior that economic theory does not predict. We are risk averse. For example, it makes no sense to buy a warranty; we buy them out of an absurd sense that buying the warranty affects the device’s outcome. There is another kind of bias that we wouldn’t predict from economic theory: A systematic bias against openness. We don’t expect openness and collaboration to generate what they do. We overestimate the risks. We underestimate the risks of closed systems and overestimate closed systems’ benefits.
Yes, we are risk averse. The problem is that we fail to see or acknowledge the risks that are associated with not being open and sharing, such as bad decision making, sub-optimization, redundant work and low levels of reuse. Lack of openness and transparency inevitably also leads to trust failure, which means that people share and collaborate less. Organizations become less productive, less innovative and less capable of adapting to changing conditions.
Design Systems to Be Open by Default and Then Work with the Culture
When the information systems we use are designed based on the "need to know" paradigm, it is difficult to make people adopt a "need to share" mindset. That is why information systems should be designed to be open by default. Everything should be made accessible unless there is a very good reason not to. Although there need to be easy ways to restrict access if needed, openness should be the norm and secrecy the exception. Protecting something, at least within the organization, should require a motivated decision and an active effort to set the proper protection. If something is worth protecting, it should also be worth the effort of actively protecting it.
When we have set up our systems to be open by default, then we can start working on changing our attitudes and behaviors and establish a culture of sharing. But we shouldn’t start with blaming people for not sharing until we have made sharing the default option in our information systems. If it isn’t, chances are people see it as optional and won’t do it unless they really need to and can see a clear “What’s in it for me”. If sharing is hard to do, they will be less inclined to share and when they really need to share they will often try to find more convenient but less secure ways to do so.
6 Steps to Secure Sharing
Like many others, I believe that security is fundamentally a people problem and that security is a problem that can be solved. This means that we need to increase our awareness and knowledge about how to manage and share information in secure ways, that we need to work with our attitudes and behaviors towards security, and that we need to improve on our practices. But we also need to design our systems so that they make it easy to do things in the right way; if we make it easy to share information in secure ways, most people will.
Here are 6 steps an organization can take to enable more secure sharing:
- Ensure that the security policy is supported by systems and practices so employees can apply it in their daily work situations.
- Design systems to be open by default, requiring active actions to protect information.
- Make it easy to protect information that needs to be protected.
- Enlighten, educate and train people in how to manage and share information securely.
- Make sharing really easy.
- Provide a virtual, social and open space where people (anyone) can discuss security concerns and how to deal with them, educating each other in how to manage and share information securely.