Canute and consumerisation

Back in the dim dark days of computing – around five years or so back – many IT departments were still trying to enforce company standards around what equipment users could be trusted with.  Depending on your job function and rank within the business, you would find yourself being graced with a specific type laptop and/or mobile phone; models that were often at least a year old as the IT department had spent so much time in testing these devices to ensure that they fitted with perceived corporate needs, capability to run the desired client applications for accessing corporate resources and so on.

At the business level, the arguments ran that the company was getting the best deals through the mass purchase of devices, that software licences were cheaper, and that support was easier across a homogeneous device base.

The trouble is, no-one told the users – and even where they did, the user paid scant attention.  The draw of having the latest, smartest laptop (for example, a Sony Vaio as opposed to the corporate imposed IBM/Lenovo ThinkPad) or the latest mobile phone (at the time, for example, a Motorola RAZR rather than a Nokia 6310) was combined with falling prices.  The individual wanting to make more of a personal style statement just bought the items anyway, either expensing them through the business or bearing the costs themselves.

Depending on rank within the business, the individual would either appear at IT’s door and demand that the device was made to work or they would try to make it work themselves, installing VPN clients and other software onto devices or finding backdoor approaches that gave them the level of accessibility and function that they deemed necessary.  The trouble with this was that such usage was usually beyond the control of IT. What Quocirca has seen is a growth in the use of remote storage systems (such as Microsoft LiveMesh or DropBox) to take files out from behind the corporate firewall so that the individual could still access these files when away, the use of “free” cloud based services such as Google Docs to avoid the cost of personal Microsoft Office licences and so on.

From what had been a controlled and homogeneous environment, many organisations found themselves falling into a chaotic mess of diverse devices, plus a mix of different means of accessing and using information. This also introduced many more security weak points than the IT department had envisaged – or could control.  As we fast forward to 2010 and beyond, the device wars are exploding; the speed of introduction of various tablet designs and the increasing sophistication of smartphones now means that any attempt to curtail personal choice of devices is pointless. 

So, what can be done to try and control the mass of unruly employees determined to exercise personal choice and buy their own devices?  Well, there is one direct benefit – they are paying for the devices, so the perceived benefit of homogeneity leading to lower hardware costs for the business becomes a non-argument.  As the device is their own, they are also far more likely to take a bit more care of it.  The next “good thing” is that the likes of Citrix and VMware have been ensuring that devices can use clients that are “virtualised”.  The main benefit here is that the access to the business side of things can be sandboxed from the device itself.  Therefore, it makes no difference how the individual has configured the device, they can still come through to a controlled, secure and clean environment through a virtual client. 

Vendors such as Centrix take things even further.  Information can be more easily secured, with cut and paste being disabled if necessary, corporate email clients being enforced with information not being able to be sent from the corporate to the device inbox, as well as information not being able to be printed to any printers connected to the device itself. 

Such centralisation of service provision has other benefits as well – information is stored away from the device safely within corporate data centres with full backup and availability strategies behind them.  With all data being held centrally, it is available for analysis and for business intelligence to be applied to it to aid decision making – islands of data held on personal devices are no longer a problem.  The loss of a specific device is no longer a case for the business to wonder whether this is a notifiable issue due to possible losses of identifiable information – the device itself has nothing stored on it other than the individual’s information.

Such an approach starts to put control back into the hands of the business itself, while still giving individuals the power of choice that they will exercise no matter what the business tries to enforce.  If a suitable means of access can be provided independent of device, individuals will use it.  Applications can then be provided that do fit in with corporate policy and security can be enforced around applications and data. 

As Canute tried to demonstrate to his people when he sat on the beach and commanded the tide to turn away, there are certain things that just cannot be done.  The continuing march of consumerisation and the pace of change within the types and capabilities of the devices themselves just cannot be stopped.  Far better to work to “abstract” the device away from what the business really wants these devices to be – a means of accessing the corporate systems in a monitorable, auditable, secure and effective manner that meets with the users’ needs as well as the business’.

Clive Longbottom, Service Director, Business Process Analysis, Quocirca