It’s probably fair to say – in the nicest possible way – that many people working in IT are control freaks.
Not that they are hatching plans for world domination from the server room, or even that they want everyone running round at their beck and call. Not at all, but people in IT naturally have a strong need to be in control of things that fall within their sphere of influence. They need to know that if they run script X then the result will be Y, every time.
Christine Sexton, director of corporate information and computing services for the University of Sheffield, poked fun at these controlling tendencies during a panel debate at Computing’s recent Enterprise Mobility Summit 2014.
“My network is wonderful, if only people would stop using it,” she joked, describing an abortive attempt by the university IT department to block Skype a few years ago. Skype happened to be the primary channel for students to communicate with lecturers and to phone relatives (increasing numbers of students are foreign nationals), but these considerations came a distant second to the loss of control it represented.
Eventually it became apparent that trying to defend the status quo, in this case legacy infrastructure that was not designed for prevailing data flows, was a hiding to nothing, only delaying the inevitable and alienating students and colleagues in the process.
Enterprise mobility presents a particular dilemma for controlling technicians. First they love that smartphone in their pocket and all that it can do. They love how fast the technology is developing, getting thinner and lighter and more powerful with every passing month. They love the apps that let them do pretty much anything at the swipe of a screen. But at the same time they fear the consequences now that everyone can do the same thing.
And not without reason, because the issue goes beyond who buys what. No one blames the guy who ordered the stationery when someone runs with scissors, trips and does himself a mischief.
But if someone does something daft on their smartphone and puts customers’ data or the company’s reputation on the line then it’s the IT department that can expect a sharp rap on the door.
Therefore, while others may be excited about expanding the company’s reach with new apps and flexible working, the IT professional can be forgiven for thinking it is all going a bit too fast.
The centre cannot hold
But as with the Skype case a degree of pragmatism is needed. From the internet to virtualisation to cloud to distributed computing, slowly but surely IT is becoming more decentralised and the old moated castle models of enterprise architecture can no longer apply.
During a major research programme Computing asked 325 IT decision makers about their policy towards mobile devices, where they lie on the spectrum between “hold on” at one extreme and “let go” at the other.
The results are enough to make a control freak weep. While three years ago 80 per cent would have put themselves in the hold on camp, that number has dropped to 70 per cent today with the expectation that in three years’ time only a half will describe their mobile policy in terms of holding on (figure 1).
And there’s nowhere to hide. Across all sectors, even in the most regulated like finance and the public sector, CIOs everywhere are bowing to the inevitable (figure 2).
However, this does not mean that security issues have gone away. Far from it. Rather, responsibility for security of the devices is being devolved from IT to other departments and individuals (the survey showed BYOD to be the strategy most likely to be in place in three years’ time).
“The business is now controlling a lot more of what goes on,” said a mobility and access architect in the banking sector.
However, others warned against going too far too fast.
“The heightened security issues and risk issues that have hit the press in the last 12 months have definitely moved the needle more towards IT holding on,” said a mobility manager at a pharmaceuticals firm.
So the slow decentralisation of control of mobile devices proceeds as a two-steps-forward-one-step-back kind of process. While most CIOs acknowledge its inevitability, they are determined not to simply let go before they can be sure sensitive corporate data is protected.
Holding on while letting go
Policy is moving away from protecting the device and on to the data and applications stored on it, and CIOs are looking to software such as MDM and MAM (mobile device/application management), encryption, authentication and data governance techniques to ensure data does not fall into the wrong hands even if a device goes missing.
But the MDM and MAM markets are still immature (with the exception of BlackBerry’s BES) and many CIOs will be reluctant to stake their company’s (and their own) reputation on an unsuitable solution.
“Small vendors do one or two of these [MDM services],” said BlueCat Networks CTO Andrew Wertkin at the Summit. “But nobody does end to end. I think that shows that there’s something fundamentally wrong with the market definition of MDM”.
An alternative to remotely controlling the device (MDM) or the applications (MAM) is the thin client/virtual desktop approach where sensitive data is not stored on the device at all.
The head of IT at a gaming firm was not prepared to take a gamble with MDM or MAM when liability for any loss will still fall on his department.
“You’ve got these alternatives: one, you use an MDM or MAM solution; or two, you provide applications that give access to the data. We’ve taken the second route because we’re saying I don’t give a monkey’s what is on their device and if it’s their device, and if I’ve got no visibility of it, I’ve got no liability for it…We have a sandboxed app and we put the Citrix client on, so it’s just a thin client end point…”
Others saw an opportunity to build out on what was already in place.
“We have had thin access for many years. Once people got used to it, it was very well received. For us it was for security but also to allow access to large amounts of users,” said the mobility and access architect of a bank.
“The MDM and MAM piece seems to be quite an isolated offering, more for quite specific tasks. You don’t roll out MDM to everybody – you would have too much control of their devices,” he added, indicating that there is such a thing as too much control.
Thirty-five per cent of the respondents said they have thin client/desktop virtualisation in place, with a further 16 per cent planning a roll-out in the next 12 months. Interestingly for a technology that is generally associated with large organisations, the size profile was no different from the sample average. VDI may have a significant future in the BYOD world we are entering now.
Further research from the Enterprise Mobility Summit 2014 will be published in Computing over the coming days and weeks.