The ongoing friction between users and IT security was the topic of a keynote address at the Black Hat computer-security conference in Las Vegas. Douglas Merrill, who recently left EMI Music's digital group and was formerly chief information officer and vice president of engineering at Google, said companies should reconsider this adversarial relationship, according to this account of his speech, written by Erica Naone for MIT's Technology Review.

Network Security"Employees want to use instant-messaging programs to communicate or export documents to Google Docs," wrote Naone, "while company security officers get heartburn at the idea of so much company data being scattered around."

Merrill discussed how they resolved a similar tug-of-war at Google, during his talk.


According to Merrill, studies show that employees can increase company returns when they have the freedom to innovate by trying new software and new workflows. However, those returns disappear when employees are made to feel that their activities are illicit.

As an example of how companies can give workers freedom without compromising security, Merrill described his experience at Google. "Google's engineering culture was all about working the way you want to work," he said. Employees could use any operating system and work from any convenient location--the office, home, a coffee shop, or wherever. As a result, it was impractical to rely on traditional security solutions, such as installing antivirus software on each device employees used.

Instead, Merrill said, Google addressed security by building up its infrastructure. For example, the company put antivirus protection on its mail server, which is the main source of viruses that infect the network. They also watched their network traffic patterns for any unusual spikes.

Weigh in: What techniques have you employed to balance the need for security with innovation? Post a comment below.

-- Leslie Stevens-Huffman