While the consumerization of IT marches on, in its footsteps lurks the specter of unknown risk. We live in a world of zero-sum games of litigation where suffocating regulations are the norm, and failure to comply can draw millions in fines and lawsuits. Technology diversity multiplies the challenge of maintaining compliance — it’s no wonder so many IT shops take a one-size-fits-all approach to workforce computing and forbid bring-your-own-device (BYOD). But it doesn't have to be this way. It’s possible to craft an approach that brilliantly achieves the conflicting goals of embracing BYOD and consumerization while slashing the risks and costs at the same time. Our recent research on the topic comes from working with lawyers and auditors who specialize in technology law and compliance reveals that it can indeed be done.
You Still Have to Act But the Cure is Often Worse Than the Disease
The technology attorneys we interviewed for this research agree — once you learn that BYOD is happening in your organization, you have a legal obligation to do something about it, whether you have established industry guidance to draw on or not. The answer is seemingly simple: Take action to stamp out the risk. However, the answer isn't that straightforward because:
The more restrictions you put in place, the more incentive people will have to work around them and the more sophisticated and clandestine their efforts will be.
There is no data leak prevention tool for the human brain, so arguably the most valuable and sensitive information walks around on two legs and leaves the building every night. Accepting this is important for keeping a healthy perspective about information risk on employee-owned devices.
It’s (long past) time to put the era of One Size Fits All enterprise computing behind us. Providing workers with Standard Issue™ devices and software represents an antiquated paradigm. Instead, segmenting your workforce into different classes of workers – honoring the needs of each type of worker – can help you:
Save money. Overinvesting in computing power by giving a worker “too much machine” and over-investing in software licenses for applications that won’t be used are common implications of One Size Fits All enterprise computing. You can save money by provisioning appropriate hardware and software to various classes of workers.
Preempt BYO. While IT departments are coming around to the virtues and values of BYO, managing excessively diverse BYO comes with management costs. You can preempt some types of BYO by providing the right tool to the right worker at the right time… obviating the need for them to bring their own.
Drive worker productivity and innovation. Innovations like tablets and Chromebooks can empower certain classes of workers to achieve new levels of productivity. Providing the right worker – for example, a traveling salesperson – with a tablet can enable new scenarios and create tangible returns.
Regardless of what our minds conjure up when we think of airline travel, one thing we can readily observe is that while the weather, the experience of the flight crew, the mechanical condition of the aircraft, and the destination of the flight are all variables, the system of getting an aircraft from one place to another, in one piece, is extraordinarily reliable. Herb Kelleher of Southwest Airlines once joked that the airline business is the only place where the capital assets travel at 500 miles per hour.
Every commercial flight starts with a flight plan, a flight crew, an aircraft, and a destination. The dispatcher creates the plan based on the expected conditions for the flight, the limitations of the pilot and passengers, and the capabilities of the aircraft. Time is built into the plan to climb to cruise altitude and to descend again to reach the destination safely. How much fuel will be required is built into the plan and pumped into the tanks. Every activity is done to achieve a singular purpose: getting the aircraft and its passengers safely to the destination, and everyone involved knows where the destination is. Aviation is a study in viable systems design.
How strange it seems then, that thousands of IT projects begin every day, but more than one-third of them crash enroute. Why? I would argue that it's because there is seldom a clear destination in mind, a rational plan to get there, or a viable system approach in place to execute the plan. Most of the time, the destination and the means to get there are only vague estimates, and the elements of the strategy are rooted in hope.
At Forrester, each of us as analysts keep in regular contact with our clients and the industry through a process known as Inquiry. For workforce computing, this includes Benjamin Gray, Christian Kane, Michele Pelino, Onica King, and Chris Voce. Any Forrester client with Inquiry access can arrange for 1:1 time with an analyst to ask questions and seek advice, or simply ask for a response by e-mail. Most analysts also take advantage of the opportunity to ask a few well-considered questions of our own. Taken together with data, briefings from vendors, ongoing research and client advisory, the inquiry process helps us keep our eyes and ears focused on what matters to I&O professionals, and provides critical insights into their pain and needs. In this blog, I'll share my unvarnished responses to a client inquiry I received just last week:
1. What do you see as the most important trends in End User Computing for the next 3-4 years?
2. What will be the role of each type of device in an organization such as ours (financial services)?
3. What's the best way to find out what our employees need? What do other firms offer different types of workers?
4. Do you have any economic numbers about those devices (i.e. TCO per year)?
5. Do you have any data or examples from other firms like ours?
Demand for mobility is rising dramatically, but IT support is not keeping up. Over the next 12-18 months, we expect a majority of Asia Pacific (AP) organizations to begin to feel the pain of poor mobility strategies. Now is the time to define and manage mobility as part of a broader end-user computing strategy – this must include desktop virtualization initiatives, including (but not limited to) virtual desktop infrastructure (VDI). But while server virtualization is now accepted as a fundamental design principle and part of any data center implementation or refresh, that doesn’t mean desktop virtualization will follow suit. Long touted as a means to simplify desktop provisioning and management – and hence improve the efficiency and effectiveness of an organizations’ end-user computing strategy – over the past decade desktop virtualization has been driven primarily by CIO’s desire to lower hardware costs – by delaying or skipping PC refresh cycles – simplify application provisioning, and increase compliance and control of desktop infrastructure in areas like data security and patch management. Desktop virtualization doesn’t adequately address all end-user computing requirements since it’s essentially focused on eliminating the client device from the equation. This is particularly true for VDI. Thin (e.g. ‘dumb’) clients won’t work in a world where a growing percentage of users – not just information workers – are mobile and expect access to key resources but also expect those resources to be optimized for the particular device they’re using. With the explosion in device usage and changes in end-user expectations, IT is being forced to expand its focus around end-user computing from ‘control’ to ‘engagement’. Desktop virtualization will remain a key component of many organizatons’ end-user computing strategies, but its role will remain
If you're an I&O professional, what comes to mind when you say "end user"? If you're like most of us, your mind has a conjured-up impression of a cosmically clueless person who actually gave you a hard time once, and the picture is now your mind's own avatar for everyone you support. It's not usually a positive image, is it? I used to picture a middle-aged, BMW-driving executive with his hair parted on one side wearing an LL Bean sweater, probably an Ivy-league grad, who couldn't be bothered to actually take responsibility for his own personal computing destiny…he always had servants to take care of trivialities…and hence he was ruining my day with his incompetence. Let's call him Ascot Rothschild III.
An image like that is a powerful thing, and the painful memory of this individual's willful, arrogant ignorance then pervades our future thinking about what we're up against when we set IT policy like BYOC. Ascot becomes the poster child - in our minds anyway - for every garden-variety corporate doofus that we'll have to deal with if we give people any more rope than we already do. They also give us plenty of reasons to take more rope away. In my case, I used to sit on a helpdesk for Remedy customers, and my team had a collection of "special" customers we wondered how they managed to get dressed and find their car keys in the morning. As I later designed Remedy and Peregrine applications, I did so with these "edge cases" in mind.