Feeds

BYOD: A bigger headache for IT bosses than Windows Metro?

Your survival guide to giving users what they want

Using blade systems to cut costs and sharpen efficiencies

Be honest: Who is in control of your workplace IT? You or the user?

The severity of these risks varies with the business and the laws governing the jurisdictions in which they operate. Most clandestine IT deployments are - at their heart - an effort by employees to bypass company policies and procedures they feel are too restrictive. In some cases (I'd argue in most cases) it is simply a desire on the workers' part to feel that they have a sense of control. This can too easily get mixed up with a feeling that IT policies exist only so that some management types can justify their existence.

For others, it is the belief - accurate or not - that the ability to use their preferred service, software or device will make their job easier. As soon as this happens, corporate information moves beyond corporate control. The lost employee iPhone could contain millions of credit card numbers; the lost Surface tablet, an entire province's medical records.

Vulnerability to malware or even physical access attacks are greatly increased with a personal device over corporately controlled units. The effectiveness of centralized antivirus and mandated unlock passwords evaporate if users start walking around with unmanaged endpoints.

Beyond the obvious headline-grabbing security and privacy risks lurk far more mundane threats. Document retention legislation could result in serious fines if critical business communication begins occurring outside of corporate retention mechanisms. Regulations such as Sarbanes-Oxley and certifications including PCI compliance require certain levels of corporate security be applied to various bits of corporate information.

Industrial espionage is a lot harder to prove if information access occurs outside audited systems. Gaffes and mistakes can present an unprofessional corporate image. Is your salesman communicating with clients from his personal Gmail account? Is such communication purposeful, or did he mean to select the corporate account in his mail client but forgot?

Four ways to grab the reins

There are three basic approaches to dealing with the consumerisation of IT. The first (and often the instinctual) response is the Fortress IT approach: introducing or reinforcing policies forbidding the use of non-approved devices, software, or services. This is typically followed by a vicious crackdown, "education" of users and firings. The odd legal action against an employee for emphasis is periodically employed.

Digital natives don't seem to take particularly kindly to this approach. Unless there is an exceptionally good reason to be working at your company, Fortress IT will result in nothing except the assurance that you will not attract tomorrow's best and brightest.

The second approach, diametrically opposed to the first, is embracing the chaos. Far more popular among small businesses than large, this approach relies on training and trust in employees to treat corporate data with respect. It is typically enacted with fixed allowances for devices and paired with complete freedom for the employee to choose what they wish to use. If the user wants a better device than the corporate allowance, they must stump up the extra. Issues of who owns the device if the employee leaves before three years are common.

While companies using this approach are generally less carpe diem regarding software and services, they have far more open policies than other approaches. The focus of companies embracing the chaos is giving employees the tools they need to do their job. This comes with an implicit acknowledgement that the subject matter experts - the employees - are in a better position to determine what those tools are than management or IT.

Embracing the chaos requires understanding and clearly communicating the risks data loss pose to the company. Above all it requires honesty and trust by both the employer and the employee.

The third approach to coping with the consumerisation of IT is "Deploy Desired Devices" (DDD). The DDD approach relies on accepting that in any instance where we are dealing with employees who are not completely interchangeable, the "least cost" approach to IT has been a failure.

Instead of deploying rickety $400 Acer specials whose performance hasn't changed since the line was introduced six years ago, the DDD approach would require deploying hardware, software and services that people actually want to use. Instead of forcing a Blackberry or a Windows Phone on an employee, options are expanded to include desirable devices such as Android phones or iPads.

The DDD approach requires that companies talk to their staff, find out what people want to use, and why. It requires moving from supporting the smallest possible range of devices, software, and services to embracing "the new" even if that includes Apple in the enterprise.

There is also an implicit fourth approach: pretend that the consumerisation of IT isn't happening. Doing nothing is its own approach. It is even potentially valid if clandestine IT has not yet started it's inevitable infiltration. In the long run the "doing nothing" approach will ultimately fail.

Each approach will bear a cost. Clamping down on your staff will result in either high turnover or in having to provide alternative incentives for staff retention (pension plans, etc). Embracing the chaos requires true jack-of-all-trades systems administrators with a wide range of experience. And those are expensive.

DDD can be accomplished with existing support staff, but requires a corporate attitude of not skimping on the digital tools of the trade. Doing nothing is a gamble that will lead inevitably to data loss and possibly expensive legal concerns.

Still, it's not as bad as all that

Controlling a heterogeneous environment or doing testing on new software or services has traditionally been difficult and expensive. Vendors are aware of this. As demand for new technology has increased so too has the ease of meeting those demands.

Mobile device management software has come a long way. Popular enterprise endpoint management software now regularly supports Apple and even Linux. Virtualization allows the creation and destruction of test environments with ease. RDS, VDI, and ThinApp-style technologies allow the delivery of corporate applications or entire managed environments to unmanaged devices. Cloud aware inventory software is increasingly capable of tracking and monitoring clandestine IT.

The tools and resources necessary to support a broader range of devices, software, and services are becoming commonplace, even if the manageability of some devices lags behind.

Excepting in exceptional circumstances, "it's too hard" is no longer a valid excuse for failing to set policy regarding the consumerisation of IT. We have the technologies required to deal with this issue. What remains is choosing whether or not to acknowledge the reality of it, and what approach your business will take. ®

The Essential Guide to IT Transformation

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
White? Male? You work in tech? Let us guess ... Twitter? We KNEW it!
Grim diversity numbers dumped alongside Facebook earnings
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
Bose says today is F*** With Dre Day: Beats sued in patent battle
Music gear giant seeks some of that sweet, sweet Apple pie
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.