Maintain security without compromising flexibility and innovation

Published on January 01, 2022

Oceanit meets strict security requirements while providing collaborative tools that empower their teams to keep driving innovation.

Dropbox helps teams spend less time on logistics and more time doing the things they love. Find out how David Takeyama, IT Director at Oceanit, uses it to stay organized and work efficiently. 

 

Security is a pressing concern for IT professionals, and staying on top of cyber threats is a full-time job. Securing your organization’s infrastructure and protecting data often require compromises. You may have to limit or eliminate access to tools and online platforms that pose a security risk. But doing so can deprive people of the vital resources they need to collaborate and create.

Too often, companies take an all-or-nothing approach to security and lock down everything and everyone. But you have to be flexible in order to compete. Some users work on sensitive projects and need more protection, while others can be secure with fewer constraints. Rarely does it make sense to restrict your entire workforce to the same tools and permissions.

Our island values transcend any distance

We are a multidisciplinary science, technology, and engineering firm with more than 160 scientists and engineers in Hawaii (our headquarters), California, Texas, and Washington, D.C. As a Hawaiian business, we live the island values of Ohana (family), curiosity, and community. It's great to live here, but there can be some doubt about our business acumen because of our tropical location away from the mainland. It turns out that our distance, diversity, and laid-back attitude are our strengths. The growing prevalence of remote work has proven that you can still contribute to the greater good while working far from others and from anywhere in the world. This has been our modus operandi for decades.

In the 25 years that I’ve been at Oceanit, we've grown from a run-of-the-mill engineering consultancy to an international entity with clients ranging in sectors as diverse as energy, biomedical, aerospace, and petrochemicals. We now bring solutions to market through partnerships, licensing, and direct manufacturing. Our “mind-to-market” approach transforms our clients’ scientific research into products, often in record time.

A way to balance innovation with security

If there’s one thing we don’t want to do at Oceanit, it’s stifle innovation. Innovation is required to find disruptive solutions to problems so difficult that they can seem impossible. We’re tackling such challenges as climate change, sustainable energy, and rising healthcare costs.

One of our most recent products is Assure-19, a rapid-response COVID-19 spit test that is currently undergoing FDA approval. We couldn’t have worked on it without adhering to strict security protocols or without allowing our employees to do what they do best: research, create, and collaborate.

At Oceanit, security is a given, but it does not dictate how we do business. We have an internal workflow process for evaluating alternative tools. While this process is more complex, it is our job to be flexible, creative, and smart with the alternatives we allow. When you ask your teams to push the envelope every day, you need to let your employees choose the tools that best suit their needs.

We give our employees the tools they need to innovate as well as provide the framework for using those tools safely.

We deploy the Office 365 suite as our standard enterprise tool set. However, because our end users, customers, and clients may choose other platforms, Dropbox enables us to store, share, and collaborate with them as well as among our internal teams. Oceanit employees have been using Dropbox to collaborate for years, and IT never managed or monitored its use.

This isn’t out of the ordinary for us. We have always tried to balance enforcing security against stifling innovation. So we don’t always keep track of the ways employees, subcontractors, and customers use cloud-based platforms. Thus far, it’s worked well, but as the company has grown, we have taken on more sensitive work, including Department of Defense (DoD) contracts. 

Compliance doesn’t need to slow progress

To continue working with the DoD, we must now submit a Cybersecurity Maturity Model Certification (CMMC) self-assessment to the government. The easiest way to comply is to shut down all collaborative tools except those that adhere to CMMC and NIST specifications. Dropbox falls in between, as it is NIST compliant but not CMMC compliant.

Shortly after the CMMC announcement, our CEO pulled me aside and told me not to stifle innovation. He stressed that regulation and compliance shouldn’t drive the way we do business. Instead, our priorities should be to bolster security while also ensuring our people continue to have access to the tools they need to innovate.

Not everyone works on government contracts or deals with sensitive government information. Rather than eliminate tools across the board, he wanted me to ensure that employees who don’t need to comply with additional IT security requirements won’t have to jump through hoops to do their work. 

Separate lanes for different team needs

Dropbox has a loyal following at Oceanit. This is especially true among employees who share large files, such as aerial photographs, high-definition video, CAD drawings, and 3D renderings. We knew our employees liked Dropbox, although initially we didn’t realize just how much they liked it. 

At one point, I pushed pretty hard to get users to migrate to Microsoft Teams. They resisted and asked me to try working with it myself. They were right. Teams and SharePoint were extremely slow to bring up large documents for sharing. The sharing issues intensified when our security requirements increased and we moved to the government version of Office 365, GCC High, which does not allow external users to upload documents to a shared folder. We also encountered compatibility issues.

Not everyone in the company needs these strict data standards. Instead of forcing people to deal with these pain points, we acknowledged that we already had a great tool in use. It was better for all involved to keep using Dropbox. 

IT professionals should consider a flexible approach that gives their teams the tools they want while ensuring customers get the security they need.

We set about creating a two-tiered approach to security: First we eliminated personal accounts and enrolled 10 users in a Dropbox Enterprise pilot. This team plan allows us to track the types of files they share and compile usage statistics. This way, Dropbox is available to all employees who wish to use it and aren’t subject to CMMC compliance. We’ll be inviting more employees to use Dropbox Enterprise as we tier our security.

We also installed tools and adopted mechanisms that allow us to monitor our CMMC-compliant processes and our less secure systems. In this way, we can make sure there is no spillage between the two and protected data isn’t shared with unauthorized persons or entities. We limited access to our most sensitive data to a subset of users while enabling everyone else to quickly and easily share files using Dropbox. It’s the best of both worlds.

Sacrificing speed and innovation for security would have been the easy fix. For some businesses, that may be fine, but this approach can bring growth to a halt.

It takes a little more effort to carve the right solution, but the results are worth it. Because we took these measures, our teams can continue to use Dropbox to share, collaborate, and create some of the most ground-breaking products around.