Security is not to be brushed off
Silverman, like many IT pros, is tasked with maintaining the security of computing and information assets. IT has created a monoculture of Windows and BlackBerry that lets it apply the same standards and results across the whole organization. I've argued that BYOD's inherent heterogeneity argues for a policy-based approach that abstracts security management away from specific endpoints. Silverman isn't convinced:
Before the iPhone, many companies issued and supported BlackBerrys exclusively. RIM, the manufacturer of BlackBerry, offered BlackBerry Enterprise Server (BES), an amazing tool that allows admins to easily provision, control, and wipe these devices remotely and in real time. In concert with RIM's exclusive encrypted worldwide network, it's easy to see why the devices fit perfectly into the corporate tech landscape.
Although clients lined up for my help the very day the iPhone was released five years ago, Apple didn't incorporate until summer 2010 any capabilities for enforcing passwords and being able to wipe an iPhone of sensitive company assets if stolen. Still, clients were undeterred by the lack of admin features. Only when managers experienced firsthand the early inability to wipe the device from a terminated employee or my inability to remotely configure their device did they stop to consider what is the bread-and-butter of my everyday existence: I make things work right for us, despite varying circumstances over time. Nearly everything works great out of the box; it is how things hold up over time (particularly during times of stress and challenge) that truly determines greatness.
Do users no longer expect IT to rush to their aid when they have a problem with their device that prevents them from doing their work on time? If they are not relieving IT of that obligation, how could they deny IT a fair opportunity to review and learn how to support a new device, never mind the time to evaluate and judge whether it can meet various core standards?
When the wealthy high-ups with access to so much critical data think they can get away with a weak four-digit numerical device password (the default option on an iPhone), they figure there's no reason to do more than that, nor to accept IT's demand for something better. Worse, they set a poor and dangerous example for the rest of the staff. Many users don't stop to consider what it takes to make a device properly secured.
Breaches are real threats to even my smallest clients nowadays; it's not just theories and simple malware anymore. That's why IT has to set the policies and requirements, and have the capabilities, to deal with the data on devices as needed and to ensure proper passwords and other security measures are in place.
The rules that IT enforces exist for very good reason
Like many users, I question the degree of control that many IT policies place on users. Many seem to be overkill, piling on fix after fix in reaction to past incidents until they create an unworkable maze of restrictions. I also believe that many companies have used IT as a way to avoid human management -- they try to force their employees to behave in exact ways, as if they were robots, rather than penalize the bad and trust the (majority) good. Silverman says I'm naive about the necessity of most of these rules, and notes IT doesn't make them up on its own:
I'll be the first to admit: There are too many bad IT guys (like bad cops) who derive joy from exercising authority over other people. There are also many naive IT personnel who do not fully understand the rules they are charged with enforcing, much less possess the knowledge necessary to adequately explain these often-complex rules.