Enterprise IT should take a stand on consumer technology
Employees gadgets can be risky propositions
By Bart Perkins | Computerworld US | Published: 08:30, 01 April 2010
Ten years ago, most people used more advanced technology when they went to work than they did at home. Today, that has been turned on its head. Many employees have newer technology at home than at work, and they expect IT support for many of their favorite devices.
Such expectations aren't new. Conflict over enterprise support for consumer electronics emerged with PDAs and then flared when the first iPhone arrived. Now, new consumer electronics such as e-readers, netbooks and tablet PCs are beginning to infiltrate the corporate environment.
How should IT deal with that? Man the barricades and try to keep consumer devices off the corporate network? Embrace the proliferation? Or ignore the whole thing? All three approaches are being pursued in IT organisations across the land, and each has its own advantages and drawbacks.
Related Articles on Techworld
Some organisations, including the Pentagon, some financial services firms and extremely low-margin businesses, have opted for locking down their infrastructure and prohibiting employees from introducing their own technology. They have decided that they can't afford the security risks that accompany more wide-open policies or that they just can't afford the cost of all that additional support.
For most corporations, however, taking such a hard line would probably lead to dissent in the ranks, if not outright revolt. Unless security and cost concerns are truly compelling, as the former is for the Department of Defense and the latter is for a struggling business, employees are not likely to understand IT's reluctance to support commonplace consumer electronics. Policies prohibiting employee technology are viewed as unsympathetic to employee needs, and explanations that security, interoperability and reliability are concerns are often interpreted as excuses for laziness. In the worst case, IT can come to be perceived as the "technology police" and a roadblock to productivity. Once that happens, IT risks losing peer support for its initiatives.
The head-in-the-sand approach tolerates but does not encourage unauthorised technology, either through having no explicit policy or by ignoring violations. By sidestepping the fray, IT relinquishes any control over which technologies can be introduced and has no ability to coordinate support for new devices or versions. Laissez-faire organisations face a big security risk, as was demonstrated when the first, security-challenged iPhone was introduced. With no limits to consumer technology enforced, IT had a hard time addressing that situation. And there are other hazards; for example, some users create their own wireless networks, exposing the corporate network through undocumented and unsecured Internet access points.
The ostrich option can also lead employees to believe that IT does not enforce any standards, which can open the door for all sorts of other policy violations. And even if corporate policy states that IT will not support specific consumer technologies, employees often push IT for assistance on the grounds that they are using them for corporate purposes.
Burying your head in the sand can seem like a good way to avoid any big effect on expenses and infrastructure. Soon enough, though, you'll find that you're racking up enormous support costs and significant infrastructure complexity.
Some IT organisations publish a list of approved technologies and agree to provide limited support for listed items. This is an excellent approach for organisations whose constituents purchase their own technology (such as students, franchisees, consultants, or closely integrated suppliers). Typically, permitted applications and hardware devices adhere to open communications standards. Application support is generally browser-based. Consumer hardware such as iPads and smartphones is more difficult. Each device must be evaluated to determine standards adherence, support requirements and infrastructure impact before defining appropriate support levels.
This approach enhances IT's reputation for being flexible and responsive and allows for the coordinated introduction of new devices or applications. But it has its costs. Employees may take advantage of IT's flexibility and expect support for unapproved technology. In addition, because consumer technology changes so quickly, IT needs a process to monitor the market and evaluate requests quickly. Finally, infrastructure costs can be enormous. IT must support a wide variety of (often redundant) devices and software. This demands an extremely secure, highly flexible and very expensive infrastructure.
None of these options is perfect. But IT cannot afford to turn away from this increasingly important issue. Moreover, avoiding a decision implicitly creates an ostrich strategy, which is clearly the most problematic. It's better to agree on a corporate policy, publicise it and start budgeting for the projected impact. Do nothing and you risk having your corporation appear in The Wall Street Journal as the latest entity to have its security breached, its data compromised and its CIO replaced.