The real shocker to me was the fact that a free-for-all environment is safer and cheaper than a rigidly controlled one. But it made sense after Aberdeen researcher Andrew Borg explained it: If employees aren't actively fighting IT, they're less likely to cause issues. And of course the safest, cheapest approach is the "wise parent" approach: Use a mix of policies, incentives, and education to help your teen become a self-sufficient adult. The incentive is the right to use a device of their own choosing; the policies channel that use in safe ways, and education helps both reduce resistance to some burdensome but truly necessary policies and increase self-vigilance by employees -- the overwhelming majority of whom want to do the right thing for themselves and their company, after all.
How IT can adjust to the new reality, without endangering the business
So how does IT function in this new world? PwC came up with the framework shown in this slide, which I think is right (both because I contributed to it and because it's enjoyed a good reaction when I've made this presentation to various IT audiences). The full PwC report laying out this framework is available as a free download.
It's a different way for many in IT to think, as it starts with "soft" values and requires IT to share ownership of risk management and technology decision making with employees and their business departments. (It requires the same of the legal, executive, and HR teams.) But as the consumerization trend is fueled by "soft" human issues, it only makes sense that the management response to it be grounded in human approaches.
On the technology side, the framework favors policies, not rigid barriers, to steer employees to the right outcomes while allowing appropriate freedom and creativity. It says the IT monoculture at the endpoint level is a dead direction, so IT instead should think of technology as an onion with multiple layers. The outer, employee-oriented layers should be flexible and individualizable, while core systems should be standardized and safeguarded as much as possible. A simple illustration: Allow any mobile device that conforms to your routine information access policies, but add layers of authentication and security measures such as encryption for those information resources that are truly sensitive within the network. Just because you let an employee access their workgroup share drive from an iPad doesn't mean that same employee can open your HR database.
The bad news is that not all the technology is available to manage this onion skin -- the notion of information rights management is rarely implemented in typical enterprise data objects or systems, and rarely in user apps and devices. The good news is that by shifting risk from an IT- or CSO-only job to a shared one, you incentivize the business to reduce that risk through other means.
The other good news is that consumerization is not new. The first IBM PC or Apple IIe owned by an employee or department started this journey. The Internet pushed it to a whole new level, as information became unbounded, not just computing capability. Yet organizations have not only survived, they've thrived with that new power. Think back to the notion that Internet access had to be strictly controlled; it once seemed necessary and scary, but ended up not being so bad. Then you adapted as it became clear you had to, finding many positives to exploit along the way. Now apply that thinking to this newest set of waves: mobile, cloud, and social media.