The organization made the discovery when a check of their VPN logs showed that the individual was simultaneously logged in to the VPN from China and sitting at his desk. At first, this paradox was assumed to be the result of a successful attack by hackers in China. A deeper analysis revealed the truth: their employee had hired an unknown individual in a foreign country to do the employee’s job while he surfed the Internet.
You probably don’t need to be a security expert to recognize that an unvetted programmer in China with access to internal servers will be considered a pretty major security problem in most circles. Fortunately for the companies involved, there didn’t appear to be any maleficence or attempts at hacking from the Chinese programmer(s). The primary moral of this story is clear: review your logs or you may miss gaping holes in your defenses. But there is another way to look at this story that relates to innovation managed by employees and illustrates some of my biggest concerns with the BYOD craze.
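One way to automate the log review that surfaced this case, as an added example that is not from the original article: correlate each VPN session with the same user's on-premises activity and flag any overlap. The record layout, user names, timestamps, and the `HOME_COUNTRIES` allow-list are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the incident): VPN sessions and
# on-premises presence events such as badge swipes or console logons.
VPN_SESSIONS = [
    # (user, session start, session end, source country)
    ("dev01", "2013-01-14 08:55", "2013-01-14 17:10", "CN"),
    ("dev02", "2013-01-14 19:30", "2013-01-14 22:00", "US"),
    ("dev03", "2013-01-14 09:00", "2013-01-14 12:00", "US"),
]
ONSITE_EVENTS = [
    # (user, event time, event source)
    ("dev01", "2013-01-14 09:02", "badge:lobby"),
    ("dev01", "2013-01-14 13:15", "console:WS-0412"),
    ("dev02", "2013-01-14 08:45", "badge:lobby"),
    ("dev03", "2013-01-14 10:30", "console:WS-0077"),
]
HOME_COUNTRIES = {"US"}  # assumption: countries staff normally connect from


def ts(text):
    """Parse the timestamp format used in the sample records."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def find_presence_conflicts(sessions, onsite, home=HOME_COUNTRIES):
    """Return VPN sessions that overlap the same user's on-site activity."""
    by_user = {}
    for user, when, source in onsite:
        by_user.setdefault(user, []).append((ts(when), source))
    findings = []
    for user, start, end, country in sessions:
        begin, finish = ts(start), ts(end)
        # On-site evidence that falls inside the VPN session window.
        hits = [src for t, src in by_user.get(user, []) if begin <= t <= finish]
        if hits:
            # A foreign source while the user is on site is the case described
            # above; a domestic overlap still deserves a second look.
            severity = "high" if country not in home else "review"
            findings.append({"user": user, "country": country,
                             "severity": severity, "evidence": hits})
    return findings


if __name__ == "__main__":
    for finding in find_presence_conflicts(VPN_SESSIONS, ONSITE_EVENTS):
        print(finding)
```
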
Personal Risk Tolerance vs. Institutional Risk Tolerance
At its heart, this is a story about innovation and cutting costs. Here is an employee who found an innovative way to complete his job over the Internet for much less than what he was being paid. Not only that, he was employing this strategy with multiple organizations in the area and reportedly netting himself several hundred thousand dollars. He was essentially running a one-man outsourcing business (except none of the employers using his service were aware of who was actually doing the work). The story also points out that the quality of work was very high with no major issues or problems from the outsourced code, indicating he was running a quality operation in some respects.
The fact that the work was done just as well at a fraction of the cost raises an obvious question. Why haven't any of these companies simply outsourced the work themselves? One quick and obvious answer is an innovation deficit. Most organizations lack the time or resources to stay abreast of all the emerging resources now available over the Internet. New technologies, business models, and start-ups pop up every day, each offering new and innovative ways to use and develop software. IT managers are often so overloaded trying to deliver today’s projects that they have little time to fully explore emerging technologies. As a result, organizations that fail to foster innovation may miss opportunities to cut costs and improve efficiency every day. In this case, an employee found an innovative approach to improve efficiency and chose to leverage that innovation for his own personal benefit.
Of course, there is another valid and very important concern that may have prevented these companies from blazing the cost-cutting trail followed by their innovative outsourcing employee, and that is security risk. Many organizations choose to limit the countries they do business with, out of either general security concerns or specific regulatory or contractual obligations. Law firms themselves may be required to impose restrictions on foreign nationals due to ITAR or other regulatory obligations. It is necessary to strike a balance between the impulse to innovate and the desire for absolute security, and the individual employee may not always choose wisely for the entire organization.
While I don’t think that many lawyers or firm staff are likely to outsource their jobs to China, they may introduce similar risks through the use of consumer-grade services or unvetted software applications. This behavior is not only likely, but actually encouraged due to the BYOD phenomenon of recent years. Proponents point to the advantages that can result from allowing employees to use the latest cutting-edge technologies, usually paid for by the employees themselves. Owning the mobile device used for work purposes gives a lawyer the unfettered ability to innovate by finding new tools and applications that will improve efficiency and billable hours (without needing help from the overloaded IT department). But what happens if those applications are hosted in China or carry privacy policies that may conflict with a lawyer’s professional responsibilities? The benefits of innovation from using these tools may come at the cost of significant risk to both themselves and the firm.
The Need For Balance
It has traditionally been the responsibility of executive management to set the risk tolerance for an organization. This is because the management of risk is highly strategic and can have a radical impact (positive or negative) on the core business of an organization and its ability to maintain operations. As this outsourcing story evidences, when management of risk associated with innovation falls to individual employees, those individuals may introduce unacceptable levels of risk borne by the entire organization.
However, the traditional executive-driven risk management approach may itself be risky. For years now law firms have been hearing of the need to “Innovate or Die.” As Ron Friedman, Toby Brown, Ryan McClead, and numerous other legal commentators have discussed, the biggest risk facing a law firm could well be a lack of effective innovation. Rigid change management procedures with extended approval processes for new technologies may inhibit the ability of lawyers to find new and interesting ways to service clients. Law firms that are unable to leverage new technologies to reduce costs and improve efficiency may find themselves lagging in an increasingly competitive and innovative market.
The pressure to stay competitive may leave some firms feeling as if they have to choose between well-governed risk management and unfettered freedom for lawyers to innovate using whatever technologies they choose. But this false dichotomy can lead to potentially catastrophic consequences along either path. Instead, firms should seek sensible ways to harness the creativity and innovation of lawyers while maintaining awareness and involvement in the risk management decisions associated with emerging technologies.
Like most things, this is easier said than done and requires involvement from firm management, firm lawyers, and IT: three groups chronically short on time. However, when the alternative is choosing between higher operational costs than competitors or accepting potentially catastrophic risks, firms may find that forming something like a Technology Innovation Committee may be worth the time investment.