When it comes to “cloud PLM”, the discussion about “security” is almost inevitable. This is one of the top concerns of people and, at the same way, top argument of IT and other people arguing against use of public (and other variations of) cloud PLM systems. I’m reading about security topic and the cloud in many blogs these days. The topic comes in different variations and aspects. Few days ago, I came across the article in ReadWriteWeb Enterprise blog – Why “Good Enough” Security Really Is Good Enough for Most Companies. Spend some time and have a read. This article resonated with some of my comments I’ve made previously about cloud, PLM and security. At the end it comes to the risk. The following passage I especially liked:
It may sound cynical, but avoiding legal liability for security negligence is an excellent goal. Not only does it protect your business, but it generally requires your organization to take advantage of the best practices and policies that are widely agreed upon. Security quality standards and independent auditors are the best protection against being found negligent, and they put businesses at the same starting line as everyone else.
Another thing about security rules I see as a very important is related to how organization can make security rules reasonable. Here is the situation I’ve seen many times. A company made very strict rules on how to share documents outside of organization with a portal and set of very complicated rules. At the same time, you can see how people are sharing files using Gmail and Google Drive / Docs. Another passage from ReadWriteWeb speaks exactly about that:
Make realistic rules. If you’re not realistic, employees will tune you out. If you say “don’t ever do X,” but someone turns out to have a good reason to do X, they will take the rules less seriously. It’s far better to explain why an employee shouldn’t do X, list some alternatives, and give mitigating advice for the times when X is unavoidable. For example, when extremely complex password requirements result in passwords no one can memorize, they end up on post-its near the desk. Such a complex password policy should be accompanied by advice on how to manage an unmemorable password. (For example, “Keep it in your wallet, not on the wall.”)
So, what is my conclusion? To set up realistic rules and goal for “good enough” is a way to go. I can see companies that will keep their gates closed. However, low cost barrier and good compromise will drive many companies to adopt cloud PLM sooner than later. Just my thoughts.