Consumerization: The view from IT you may not like but need to hear

A CTO argues why IT's seemingly silly and overly strict rules are in fact necessary and good

An underlying tension in the movement for the consumerization of IT concerns the limits that IT often places on users. Many users believe them to be arbitrary, overly strict, and motivated by a need for control rather than legitimate business protection. For them, the triumph of the iPhone and the subsequent bring-your-own-device (BYOD) phenomenon is a chance to rub it in.

I don't believe it should be a case of IT versus user, though I understand the impulse. I've argued that IT needs to get a clue that users now have the means to use their own technology, and the old model of managing away the "toys" is no longer plausible. IT needs to rethink its relationship with the users, and users need to take responsibility for their actions as well -- not rely on IT to protect them, then penalize IT when it fails.


But many in IT have lambasted me for egging on users who will in their view ultimately leak sensitive data or cause other major damage. For example, one guy ("preed," whose Twitter profile says he is a software engineer) tweeted, "Can't wait until @infoworld reporter @MobileGalen's identity gets stolen, due to his let-employees-do-whatever-they-want advice." I've never advocated that, but it's clear the nuances of my writing were obliterated in his mind by the very notion that users might need to be ceded some ownership.

Another IT guy who objects to my encouragement of the consumerization of IT is Sean P. Silverman, CTO of Bartlett Tech, a firm that builds and manages technology infrastructure for business clients. In a series of email exchanges, Silverman made it clear he believes consumerization on the whole is a bad thing because consumer devices lack the quality and consistency that IT needs -- and has been able to purchase, such as PCs available for more than just a few months and stable OSes. Plus, consumerization in his mind encourages "settling, not striving," as the fast pace of new devices means IT can rarely do an effective job of validating and supporting new technologies. The department either has to compromise the business operations or be labeled an impediment to the business's agility.

Unlike "preed," Silverman engaged in a constructive if impassioned dialog, and I thought his points were worth considering. Even if you don't agree with them all, they show the pressures and perspectives common to many in IT -- who are after all as much a part of the consumerization-of-IT phenomenon as users are.

What follows is an edited version of Silverman's position, with his comments block-indented and mine aligned fully to the left.

You've written much for InfoWorld promoting the concept of consumerization of IT, especially around the BYOD phenomenon. You have acknowledged the need for security, standards, and policy-based management, but I believe it's not as simple as that. Let me explain how I see the issue from the vantage point of being a system administrator.

This trend began largely with the iPhone, and it is most certainly a point of contention. However, a system administrator or CTO who refuses to embrace new tech would have to be one miserable soul. One of the best parts of my job is that I gain firsthand experience with all kinds of gadgets that I could not possibly afford to amass on my own.

Security is not to be brushed off

Silverman, like many IT pros, is tasked with maintaining security of computing and information assets. IT has created a monoculture of Windows and BlackBerry that lets it apply the same standards and results across the whole organization. I've argued that BYOD's inherent heterogeneity argues for a policy-based approach that abstracts security management away from specific endpoints. Silverman isn't convinced:

Before the iPhone, many companies issued and supported BlackBerrys exclusively. RIM, the manufacturer of BlackBerry, offered BlackBerry Enterprise Server (BES), an amazing tool that allows admins to easily provision, control, and wipe these devices remotely and in real time. In concert with RIM's exclusive encrypted worldwide network, it's easy to see why the devices fit perfectly into the corporate tech landscape.

Although clients lined up for my help the very day the iPhone was released five years ago, Apple didn't incorporate until summer 2010 any capabilities for enforcing passwords and being able to wipe an iPhone of sensitive company assets if stolen. Still, clients were undeterred by the lack of admin features. Only when managers experienced firsthand the early inability to wipe the device from a terminated employee or my inability to remotely configure their device did they stop to consider what is the bread-and-butter of my everyday existence: I make things work right for us, despite varying circumstances over time. Nearly everything works great out of the box; it is how things hold up over time (particularly during times of stress and challenge) that truly determines greatness.

Do users no longer expect IT to rush to their aid when they have a problem with their device that prevents them from doing their work on time? If they are not relieving IT of that obligation, how could they deny IT a fair opportunity to review and learn how to support a new device, never mind the time to evaluate and judge whether it can meet various core standards?

When the wealthy high-ups with access to so much critical data think they can get away with a weak four-digit numerical device password (the default option on an iPhone), they figure there's no reason to do more than that, nor to accept IT's demand for something better. Worse, they set a poor and dangerous example for the rest of the staff. Many users don't stop to consider what it takes to make a device properly secured.

Breaches are real threats to even my smallest clients nowadays; it's not just theories and simple malware anymore. That's why IT has to set the policies and requirements, and have the capabilities, to deal with the data on devices as needed and to ensure proper passwords and other security measures are in place.

The rules that IT enforces exist for very good reason

Like many users, I question the degree of control that many IT policies place on users. Many seem to be overkill, piling on fix after fix in reaction to past incidents until they create an unworkable maze of restrictions. I also believe that many companies have used IT as a way to avoid human management -- they try to force their employees to behave in exact ways, as if they were robots, rather than penalize the bad and trust the (majority) good. Silverman says I'm naive about the necessity of most of these rules, and notes IT doesn't make them up on its own:

I'll be the first to admit: There are too many bad IT guys (like bad cops) who derive joy from exercising authority over other people. There are also many naive IT personnel who do not fully understand the rules they are charged with enforcing, much less possess the knowledge necessary to adequately explain these often-complex rules.

Then there are those who have been made bitter by years of having to answer the same questions over and over about basic operational functions. A decision that takes me seconds to make could take hours and multiple whiteboards to properly explain.

Rarely does IT have the time to craft restrictions arbitrarily. Rules are usually in place because of an incident that happened somewhere in the past. Some faith and willingness to listen is needed on both sides!

When most people think of Sarbanes-Oxley regulations, they tend to think of accounting. Yes, Sarbanes-Oxley imposes much accounting burden on an organization. However, it also imposes much IT regulation. For example, when I had a typical lowly help desk position (provisioning equipment, managing printers, and so on) at a publicly traded corporation some years ago, few of my non-IT coworkers likely realized that my name and signature were included on an annual binding report to the federal government.

It is never the case that I'm being arbitrarily restrictive. However, simple requests for things like LogMeIn and password loosening, if granted, could have landed me in federal prison. Just how much jail time should an IT person be willing to do to accommodate the latest must-have tool to not be labeled as a "productivity killer"?

Aside from the harsh rules in effect for the IT departments of public corporations and their contractors and the IT departments of all medical facilities and their contractors by the government, every organization has rules that make it function. All back-end tech has rules and best practices that we follow if we desire to have the mail server do fancy things like function after a reboot.

Why should IT take on the penalty of failure?

I've also argued for a rebalancing of the IT-user relationship, suggesting that users need to take on more responsibility as the price for having more freedom and trust. Silverman says that may sound nice, but IT is nonetheless likely to get the blame -- and the axe. And he says that even well-meaning users simply don't know enough to know they're causing issues or what the implications are:

You've stated that IT requires excessive levels of testing, assurance, preparation, and control that simply is not possible, as users will simply work around us when we do that level of diligence and make our efforts for naught. That illustrates the lack of understanding between clients and their IT colleagues.

Like your everyday cop, we keep the peace and help establish balance. On one side are regulations that require all business to be conducted in locked-down clean rooms. On the other are employees trying to keep up with competition and modern-day life, who sometimes fail to think of the long-term consequences that their actions might bring. I don't see the logic in allowing an employee, eager for a good next review, to be the determining factor for how to secure and provision access to company assets.

When inevitable problems break out, sometimes you get the chance to learn from an incident. Other times, it is an immediate game-over, with no going back. Either way, the first people to be blamed or questioned are in IT. Unless the responsibility and blame are placed elsewhere (which I realize you do advocate), I don't think it unreasonable for IT to maintain controls that ensure safety. Anyone whose primary job is not managing information technology can always, rightfully or not, make the case that they didn't realize their folly and walk away with their reputation intact. IT doesn't get that pass. Sadly, few outside of IT who have not been through a bloody nightmare realize all that good safety entails.

Whenever people ask me what the most frustrating part of my job is, I always refer back to the toilet analogy. Like most modern adults, I long ago successfully completed training on the use and operation of a toilet. It is one small key to my success and mobility. I even know how to clean it and do minor fixes, such as replace the flapper. But if the time came to install a new toilet or if there were ever a serious issue with my toilet, I'd call in a plumber.

I believe most people are like me; they know they don't know too much about plumbing and would leave it up to a trained professional to practice their craft. So why is it that everyone who has ever successfully set up an AOL account or hooked up a DVD player believes that they are qualified to debate my every decision (the results of which I shall be held exclusively responsible for)?

Like every good IT professional, I have moral, ethical, technical, and often legal obligations to consider with every (seemingly) puny decision I make. No matter how customer-oriented an IT department or individual is, if they are doing their job properly, they are putting organizational health and safety first in every decision.

We are sorry if that leads to delays and the occasional no. I've personally sent many a long and passionate e-mail to my various IT overlords. I plead for policy exceptions and/or special consideration when such diversions were warranted, never hesitating to go to bat for one of my client's genuine needs. Good IT personnel hate "no" as much or more than you do.

Over time, we'll figure out the technical issues

Silverman argues for patience, saying that the issues that IT is rightfully concerned about can be addressed, but only with time and effort. Users need to understand that and not demand immediate business support for whatever consumer technology has just arrived:
