IT really does believe it knows best: 75 percent of IT organizations don't let people use their own apps for work purposes, with a substantial subset saying such usage should be grounds for dismissal. Employees have in large numbers (38 percent) decided to ignore such edicts as, well, stupid. They're trying to get more and better work done, and they're using whatever tools they can to do so, including their own mobile apps, their own software on their PCs, and cloud services. Remember: These people are the ones who drive the business and tend to be in positions of authority, and are thus trusted. Yet many IT organizations would constrain their tool set and fire them for working outside the lines.
When nearly half of information workers are using smartphones and a quarter of information workers are buying their own technology to do (more) work, IT's "just say no" approach is irrelevant.
The underlying problem in IT is twofold. First, many IT pros think users are simply buying devices and software because they've been bamboozled by ads and fads, especially when they choose Apple or Google products. Second, IT views technology through the lens of risk, and because people are unpredictable and variable, many in IT seek to limit people's choices and behaviors. When users choose their own and, worse, bring their own, all these IT pros see is risk, and down come the iron gates.
Both viewpoints are grounded in distrust of the very people who run and essentially are the organization. That attitude can only lose.
Getting past the distrust divide
What IT should be doing is partnering with these users, says Weston Morris, an architecture lead at Unisys's Global Managed Services group. Although he says some of users' claims about self-empowerment are a bit overblown, he notes that they are spending their own money, not asking the company to do so. In other words, they're putting their money where their mouth is, and given that these employees tend to be the most effective in business, their judgment can't be dismissed as naive faddism.
Not only would IT learn what tools work best for users -- and often there'll be no single best tool, given the personal workstyles involved -- but it would be able to better assess risks around information flow and where support needs are. Such partnering also lets IT bring in the "mobile elite" as IT proxies, so other business users can get support from their business colleagues rather than always call IT. Other studies I've seen show that users prefer to learn from their colleagues anyhow.
As to the risk issue, Morris notes that many organizations are poorly defended already. For example, 80 percent use perimeter security to block outsider access but have no controls inside their firewalls or buildings. Worrying about whether an employee is using Apple Keynote or Google Quickoffice or Bytesquared Office2 to edit PowerPoints is, frankly, not the best use of IT's time when the entire internal network is wide open.
Morris recommends that IT first understand what it is trying to protect, then create policies, independent of device or app, that target those information security needs. Chances are that many existing policies have become too specific about implementation, leading to a narrow protection approach that doesn't evolve with new technologies.
For example, an information access policy that requires domain joining cuts out most mobile devices. An information policy that requires user validation to gain access is a better approach, as that would allow the use of domain join for devices that support it as well as alternative approaches, such as certificates for devices that support them, to accomplish the same goal.