IT heresy revisited: Let users manage their own PCs

Large companies such as BP and Google are rethinking the idea of IT controlling users' computers and sharing their lessons from the frontlines

Users should choose and manage their own PCs.

At first blush, that's a radical notion any right-thinking CTO would dismiss out of hand. But not so fast: IT shouldn't dictate what computers and handhelds users get -- and perhaps IT shouldn't manage them, either. That's the conclusion some IT organizations are reaching, or at least investigating.

Search giant Google practices what it calls "choice, not control," a policy under which users select their own hardware and applications based on options presented via an internal Google tool. The U.K. oil giant BP is testing out a similar notion and giving users technology budgets with which they pick and buy their own PCs and handhelds.

In this Web 2.0 self-service approach, IT knights employees with the responsibility for their own PC's life cycle. That's right: Workers select, configure, manage, and ultimately support their own systems, choosing the hardware and software they need to best perform their jobs.

BP and Google are not the only IT shops to see value in this model, either.

"I've felt this was the answer for a long time," says Glenn Angell, a systems team leader with the state of Maine's Office of Information Technology, though he noted the state hasn't ruled one way or the other on the idea. "I really don't care what an employee uses for an office suite or to build charts, graphs, or whatever -- just so long as I get the data in a format I can view it in."

All too often, IT groups write and code policies that restrict users, largely based on a misbegotten belief that workers cannot be trusted to handle corporate data securely, said Richard Resnick, vice president of management reporting at a large, regional bank that he asked not be identified. "It simply doesn't have to be this way," Resnick said. "Corporations could save both time and money by making their [professional] employees responsible for end-user data processing devices."

The benefits of user-managed PCs

Today's standard, one-size-fits-almost-every-employee approach ultimately pulls down PC-competent knowledge workers to the same level as the tech-leery. Meanwhile, IT shops are overburdened with supporting PCs, help desk budgets consume significant chunks of corporate resources, and with a slowing economy, many IT shops are under pressure to reduce operational expenses. Not to mention that in the eyes of many IT pros, holding down the help desk is low-level grunt work.

To IT, the glaringly obvious advantages of user-managed PCs are reduced support costs and far fewer pesky help desk calls. Tech departments, quite naturally, would no longer have to train users for PCs either, a process that often leaves both bitter, thanks in large part to common training mistakes.

What's more, many remote employees have become plenty adept at supporting themselves -- by and large because they have to. For problems beyond their abilities, there's not all that much difference from their perspective between calling a hardware or software vendor and ringing the corporate help desk. Many office workers have the basics down as well for getting online, installing applications, and setting up wireless networks and shared printers.

Resnick argued that empowering workers will not only make them more productive but help them contribute to the organization in other ways. "It sends a clear message that management views its knowledge workers as partners, not as adversaries or, at best, necessary evils," he said. "I believe that this would go far in motivating employees to work harder and to align their goals with those of their organizations. I think this would be huge."

Google CIO Douglas Merrill concurred. "Companies should allow workers to choose their own hardware," Merrill said. "Choice-not-control makes employees feel they're part of the solution, part of what needs to happen."

And the ability for users to self-manage their PCs is only getting easier as hardware vendors are working toward essentially standardized PCs, no matter whose label is on the box.

"Bottom line: The technology exists," Resnick said, "[But] IT has no interest in it because their management approach is skewed heavily toward mitigation of perceived risks rather than toward helping their organizations move forward."

DIY IT in the 21st century
Few companies have taken the radical step of letting users buy and manage their own PCs. But that may be changing. As noted, Google is already practicing it on a company-wide basis, and BP is piloting the idea.

At Google, workers can choose from about a dozen PCs available in its internal tool dubbed, appropriately enough, Stuff, which includes options running Windows, Mac OS, and Linux.

While 90 percent of hardware acquisitions are conducted through the tool, workers are not necessarily limited to the systems that Stuff presents. "We also have a mechanism for choosing some pretty strange" hardware and software configurations, Merrill said.

Although Google probably pays more per machine than if it went with, and leaned heavily on, a single supplier, Merrill noted that "there's no business downside, and there's the productivity upside ... we're clearly getting a higher productivity out of employees." Merrill also is "able to run a leaner IT shop."

In BP's case, one of its consultants projected that Digital Allowance, the name of the pilot program under which employees choose their own tools and rely on an external help desk service for provisioning support, could save the company up to $200 million a year in IT support costs, a spokesman said. Still, the Digital Allowance pilot program is skewed to a tech-savvy employee subset. These teams are "at the geekier end" of BP's 100,000-strong workforce, he added.

Analyst firm Gartner predicted in a recent report that "by 2010, end-user preferences will decide as much as half of all software, hardware and services acquisitions made by IT." The research firm cited "the ubiquity of the browser interface" as having made computing approachable enough so that "individuals are now making decisions about technology for personal and business use."

Point of fact: Users are already more involved than ever before. "I'm seeing it become more about the freedom to choose what device you want -- which laptop, maybe a Mac, what kind of handheld," said Allan Carey, an analyst at the Institute for Applied Network Security, a research firm. "It's part of the consumerization of IT," he added, and requires IT to focus on standards and policies that user choices must meet, rather than worrying about what model of PC is used.

What IT must still manage
Even when companies are willing to let employees manage their PCs, IT still has plenty to manage, including security and data.

"I would expect most companies to implement basic security protocols for employee PCs, including virus scanning, spam filters, and phishing filters," Maine's Angell said. "They might provide software tools or simply implement a system check to make sure that such items are running whenever the employee's laptop is connected to the company environment."

Furthermore, Angell said, "We need to recognize that the company's data belongs to the company. Thus, there are certain data systems that will either need to be controlled as Web applications or that get served up via a platform such as Citrix. Access to both can be controlled by the enterprise without having to touch the worker's PC." In this age of Web apps, that's easy to do, he added.

This Web-based application approach to data management and security is Google's model, Merrill noted. Its employees run Google Apps, no matter what PC they have, and that means that all company data is stored on Google's servers. He also argued that this approach protects Google from the single largest security threat: stolen laptops.

"End-point security never really, honestly works. The number of incidents keeps increasing. If it worked, that wouldn't happen," Merrill said. "So I don't happen to find that argument compelling." Still, Google has a lot of monitors in its infrastructure to notice weird occurrences, both related to security and compliance. It has no choice, Merrill said: The company is subject to heavy regulations including HIPAA, on account of doctors that work on its campus. "Security and regulatory controls run in the background," Merrill said, explaining that they are "hidden from the user in a good way."

Another technology that helps support the user-managed PC model is desktop virtualization, which lets IT provision a standard OS and application configuration while allowing users to run their own apps in a separate layer, preventing infection and corruption. "In this model, users would have access to nonregulation software, personal e-mail, etc., outside of the virtual environment," Resnick said, which is "a reasonable compromise between security requirements, innovation, and employee convenience."

For companies considering empowering their employees with hardware and software choices, Merrill has some advice. "There are three things to do: automate everything you can automate, push toward automation in the cloud, and put together a highly skilled support staff. My support function spends time on fun things, which means I can hire more talented people, so I can automate even more things."

There are, of course, skeptics
Not all corporate settings are suited for user-managed PCs. The environments that do try them tend to involve white-collar workers who own PCs at home and have some tech experience. By contrast, call-center PCs are not good candidates. Neither is any production area in which work is programmed, such as policy administration in an insurance company, a manufacturing environment, or a hospital.

"Clearly, situations where security, regulatory requirements, and high availability are necessities, self-provisioned tools aren't a fit," says Matt Brown, a principal analyst at Forrester Research.

As one might imagine, the concept has detractors who point to additional practical matters.

"In the long run, I suspect it would cost more and cause more problems than it solves. Notably, interoperability issues with network, printers, software, documents, viruses, and corporate intellectual property remaining on personal computers," says John Quillen, CTO of, a campaign-promotion site.

A creeping force IT can't ignore
Yet Quillen is practicing the user-managed PC scheme himself. "Ironically, I'm in a startup using my own [Apple] MacBook Pro while the rest of management uses Windows." And Forrester's Brown said that he has anecdotally found an increasing number of executives doing the same as Quillen and carrying non-company-standard computers, namely Apple notebooks, and asserting that the only corporate application they consistently use is e-mail.

More often than many people in IT care to admit, small factions of rebel users are supporting their own PCs, sanctioned or not. And the people now entering the workforce and those who will follow in their footsteps are already accustomed to supporting their own PCs, so the argument that users don't know enough to choose and manage their own PCs will be harder to make over time.

"The generation entering the workforce, namely the millennial generation, is much better equipped to evaluate, purchase, and manage the technology they use than previous generations," Brown said. "I am always amazed to see how quickly workers in this generation are able to assess, download, install, and get productive on the tools that are available on the Web."

Copyright © 2008 IDG Communications, Inc.