13 Sep Crack down or let live? Regaining corporate control over consumer technology
Milwaukee, Wis. – In a growing number of business environments, the information technology department is losing control of business technology to widespread adoption of consumer applications, a development that poses operational risks but one that does not automatically bring out the control freak in CIOs.
A new report from the Yankee Group, a Boston-based technology research firm, claims that nearly 50 percent of employees feel “more empowered than IT” to control their personal technology environment. As a result, they frequently download and use outside consumer technologies, even if they have not received the blessing of technology managers.
Organizations that lose control do gain something – a mix of secured and unsecured applications that threaten operations.
“There is no question that it’s a significant problem with most IT managers,” said Joshua Holbrook, a program manager with the Yankee Group. “Eight-six percent of the people have at least one consumer technology running in the workplace.”
But is cracking down on this practice necessarily the right move, especially if the CEO wants to use his iPhone in the office? What if get-tough policy runs the risk of alienating employees, especially information technology employees, as labor shortages intensify? Even if you don’t want to impose martial law, is it possible or even necessary to make business tools more useful and attractive than consumer tools?
It’s been a relatively long-standing practice for organizations to restrict personal use of corporate assets, which some employees view as a Big Brother approach, but there also are security issues (viruses and other attacks can enter the network in this manner) driving that stance.
Most larger organizations restrict personal devices in the corporate environment, especially after one incident convinces them to react. They restrict what employees can do with notebooks and other devises, and the more sophisticated IT organizations disable employee access to personal e-mail due to potential data leakage.
They might make an exception for cell phones that are used for business, even to the extent of reimbursing those calls, but due to security concerns they decline requests to use cell phones to access corporate e-mails. In limited cases, large organizations might allow access from a home PC through an employee extranet.
But allowing employees to use personal consumer devices on the job is inconsistent with these judgments. To glean what technology professionals think about the use of consumer technology in the business environment, WTN interviewed Holbrook and Wisconsin CIOs – and found approaches that are diametrically opposed.
Embrace it, with limits
In cases where employees are downloading unauthorized programs, IT departments have three options, according to Holbrook:
• Crack down, seek, and destroy. In cracking down, how do you avoid a crack up that impacts employee morale or alienates them, perhaps to the point where they leave?
In most organizations, it might be too late for that. “I think IT departments and end-users already have a hate-hate relationship,” Holbrook said, asserting that IT views end-users condescendingly as people who “muck things up,” and end-users view IT as dictatorial.
• Support and embrace it. Holbrook suggests developing online user communities, with some guidance from IT, where employees can socialize and share information on the latest consumer craze. This not only frees up the IT department’s time for operational and strategic issues, users can help one another with technical issues rather than seek shelter from IT.
“It allows end-users to use consumer technology and encourages them to support themselves via an online community, using tools like wikis and blogs, with some help from IT,” Holbrook said.
That limited help would include providing information on best practices, but essentially let end-users solve their own problems without running to IT.
• Acknowledge and ignore it, also known as the “do nothing” option, which puts the enterprise at greater risk.
Since alienation between IT and other business units sometimes is a fact of life, Holbrook says accommodating consumer technology can actually bridge the gap. The IT department has to play an active role in getting employees to use the collaboration technology, perhaps rewarding those who use these mechanisms.
IT still is the department that runs and deploys the site for internal use, and it still must be wary of devices that exceed security thresholds, but it must be willing to yield some control to the end-users, Holbrook said.
Command and control
Brian Hurdis, president of Metavante Image Solutions and the former CIO for Metavante Corp., isn’t necessarily in the “embrace it” camp. According to Hurdis, any technology the company is willing to support should be considered a corporate asset. Blackberries, for example, are managed as a corporate asset at Metavante, but despite their recent drop in price, iPhones have yet to attain that status.
Regarding iPhones, Hurdis has questions about security, but if those questions are addressed, he said Metavante would consider integrating them into the corporate environment.
The company has people on the road, so there is a mobility demand, and the use of mobile devices has been increasing.
“We’re finding that our road warriors are able to work off Blackberries,” Hurdis said. “They key is that they are a corporate tool, and that’s what they are meant for.”
The company also supports Trio devices, Hurdis said, “because we can control the e-mail going across them.”
Hurdis isn’t worried about saying no to workers, particularly because part of the job of a CIO is to mitigate risk.
“If an employee walks because of an iPhone, good luck,” he said matter of factly. “That’s not a practical way of looking at it. We can’t support every device out there. There is an expense as well as a risk.”
One Wisconsin CIO who did not want to be identified said the risk of alienating employees can be mitigated by how the decision to control consumer devices is explained. In particular, if a CIO explains the business problem that he or she is trying to fix (or prevent), employees are more accepting of it.
For example, if a CIO explains vulnerabilities associated with the use of portable data storage devices like UBS ports, thumb drives, or iPods, he said reasonable people will not object – even though there are legitimate business uses for them.
This advice goes for just about any technology change, he noted, but “if you lay out the problem that use of personal devices creates, most employees will understand that.”
• Making deals with evolving technologies in mind
• Paul Gibler: Social computing in the Web 2.0 era
• UW Medical School to build Health Sciences Learning Center
• Chris Shipley: The Changing Face of Work (and Play)