Slashdot Mirror
Sorry, IT: These 5 Technologies Belong To Users
GMGruman writes "The BYOD (bring your own device) phenomenon hasn't been easy on IT, which has seen its control slip. But for these five technologies — mobile devices, cloud computing services, social technology, exploratory analytics, and specialty apps — it has already slipped, and Forrester and others argue IT needs to let go of them. That also means not investing time and money in all the management apps that vendors are happy to sell to IT shops afraid of BYOD — as this post shows, many just won't deliver what IT hopes."
Typical user conceit "This is MY dingly dangly, it lights up and makes my balls feel warm! Oh SHIT, I BROKE the DINGLY! IT FIX IT FIX IT FIX IT."
Rinse, Lather, Repeat.
Ok...I didn't read the article. But the problem with mobile devices, cloud services, etc, isn't IT's lack of control. It's not the stability of the network. It's the security of the data itself. It's a little tricky to safeguard your patent research documents if they're sitting in your iPhone email. Even more difficult if they are up in Dropbox, unencrypted, where "mistakes happen" and other people can gain access to your account by an oops by the service provider or a sharing oops by yourself.
Believe me, I'd really rather not be responsible for managing data access. No matter how dumb people are, it's IT that gets blamed for lack of security.
This is the 3rd post from info world about BYOD in the last few days can we give it a rest.
Speaking as a customer of BigCorp X, where there's a battle between the big, bad meanies of IT and the hip, 20-somethings with their fashionable iWhatever du jour which they can't live without, and the 30, 40, and 50-somethings who are trying to mimic them:
I'd rather your corp have a locked-down corporate environment in which data security is respected and my credit card and other personal information (including purchase history) is safe. Or, as a vendor/partner, the confidential information I had shared with you.
I'll take the risk that some hipster isn't going to come up with an earth-shattering revelation about which color of gradient fill should be used on the company website because he was shackled to his desk instead of breathing free as a bird sprawled out on the office roof with his iPad.
Most breakins occur through the weakest link in security, which is exactly what uncontrolled used of these gadgets represent.
I'm not a lawyer, but I play one on the Internet. Blog
Is to allow users the flexibility to maximize their productivity in ways that they understand...
and to get fired for negligence when those users, who could not be expected to understand the ramifications of all their actions, cause major damage to the corporation.
We just beat this guy up a few days ago and maybe he should have to do a year long stint as a sysadmin for a large corporation full of people taking his current point of view before writing again, or maybe he is being controversial on purpose to drive readership.
That said, he does have some merit in the idea of using your own apps for presentations and such with no requirement on the back end, in this one narrow area I support his thinking as (IMO) it leads away from the standard Microsoft model of Windows + Office and that's a good thing, get weened off the M$ teet.
An example of this was a project I was given at a local college to replace slide projectors with a photo archive + scanning, My solution was a Linux based platform running Gallery 2 photo software, the opposing solution was a $40k Windows package and that was without the support included.
So my solution = hardware cost with no licensing charges or other soft cost and a tidy support package that was affordable, the solution that won was of course the $40k package.
The reasoning? The dean of IT felt that we were teaching people real world skills and that meant using Windows, IT's complaint was "We don't know Linux".
"If any question why we died, Tell them because our fathers lied."
Where do I pay money to stop this Infoworld astroturfing?
2) They want to print - they demand to print
3) Find some AirPrint windows driver some guy wrote in his garage and load unknown code into your Windows server
4) Works well until iOS 5 comes out
5) Users update to iOS 5 on their own and they can't print and scream at IT.
That's just one scenario....
1) User gets great idea of hooking up an Apple TV to a presentation display so they can send their iPAD crap output to it
2) Scream bloody murder when someone "unauthorized" sends their screen to the display instead.
Or.....
1) Buy a bunch of iPADs, spend about 15 minutes unboxing them and turning them on.
2) Quickly realize what a hassle it is to manually install apps and settings on all of them and they have better things to do
3) Run to IT to install all the apps instead.
Or....
1) Buy a bunch of iPads for a classroom, set up an Apple ID, associate a credit card with it, buy needed apps for it, save password because it's a hassle to keep re-entering it
2) Scream bloody murder when one of the students decides to go to the app store and buy a few games to play using the instructor's account during class instead of doing classwork.
The way it should have worked was...
1) Identify a need (want tablets in a classroom setting that can do x,y,z)
2) Ask IT to identify a product that meets those needs securely and effectively
3) Wait for IT to figure out how to manage and deploy said devices (and if that takes too long, work with our management to identify appropriate priorities for us -- i.e., what doesn't get done in meantime
Bottom line, I understand IT is a service organization ... but I also understand we are overhead to the bottom line and understandably management wants to minimize the expense spent on IT as well as expect us to keep data secure. So we have to do horrible corporate things like try to control costs, and justify expenses towards the goal of improving productivity. I love my iPad. I think it's cool. But it's a personal, entertainment device. Repurposing it for business or educational use takes effort and time to figure out.
This article is written by the same braindead PHB who wrote the "high priests of IT" article. He's trolling Slashdot for cash (page hits). I say the editors should be at least considering blacklisting his submissions at this point. He's one of the biggest submission trolls on Slashdot right now, and the only one doing it for money.
"When information is power, privacy is freedom" - Jah-Wren Ryel
He's going on about the same bullshit. But he doesn't interview anyone in IT at any company that is actually IMPLEMENTING his claims.
This guy cannot even tell the difference between a "device" that is "owned" by an employee of Company X and a service provided to Company X by Company Y.
No. There's a HUGE difference between using a outside company to provide a service and allowing people to bring their own laptops into the company to connect to the company's private data.
And you STILL don't see the difference.
Why is /. linking to his articles?
mobile devices
cloud computing services
social technology
exploratory analytics
specialty apps
And STILL not a single interview with an IT VP from any health care company allowing user-owned devices to connect to private data.
Why is /. still linking to his articles?
think about the HIPPA law. companies that deal with HIPPA actually do take precautions. why? because the HIPPA law says they can get sued for a ton of money.
there is no HIPPA for credit cards or your purchase history. why? financial companies own congress. they literally own congressmen.
That's not exactly true. While there's no law governing credit cards, the credit card industry themselves have organized a PCI council that sets security standards that all companies that accept credit cards have to follow to protect the credit card data. Fines can be levied by issuing banks for merchants that fail to achieve and maintain compliance.
He's posting on InfoWorld (not known for insight) and then sending the link to /. because no one reads InfoWorld's website.
If his articles were so amazing then people would be going to the original source, wouldn't they?
Instead, he's sending his links to /.
This is like the fifth article this year talking about how users bringing their own devices into a corporate network are inevitable, yadda yadda, and here are some flashy new programs and services to keep it all under control that we happen to have developed and want to sell to you!
Well you know what wins, pundits? PCI and/or HIPPA.
We're PCI compliant at my job, and we're damn sure going to stay that way. That means that yes, you can bring in your iWhatever, and oh look, an open guest wireless network! But you know where that guest network goes? The internet. That's it. You can check your corporate E-mail through the public web interface if you'd like. Don't ask us to help you connect it to the corporate network, because we're going to tell you to go pound sand. And you know what? We're perfectly OK with you being pissed off at us because _you're not the one who's ass is in a sling if credit card information leaks out._ We provide you with all the tools you need to get your job done. You get a nice shiny corporate laptop that you can take anywhere with you (because it will help you VPN in and run your virtual desktop back at the office) and you get a rather impressive smartphone so your E-mail and contacts are never out of reach. You can't sit here and tell me you need MORE than that to do your job effectively.
It's a fluff piece about something the author overheard and assumed was trendy, but there is a real problem with BYOD (only then in the inverted sense of the article): people don't mind to be separated from their workstations when they leave work, and they willingly let them be administrated by someone else. But they will scream bloody murder when they are separated from their smartphones or pads, and they will certainly not allow anyone else to administer them.
Which has led to, for example, soldiers bringing their iPhones on missions, and running where-are-your-buddies software on them, and using that instead of their own blue-force-tracking systems. Obviously, armies are none too content with this, and try to forbid this (won't work), propose alternatives (badly supported/supportable - Apple, Google and Samsung just aren't very big on allowing you try pry into their systems and implement crypto on them, and they bring out new versions every half year), or they just bury their heads in the sand (which is what really happens).
Religion is what happens when nature strikes and groupthink goes wrong.
User perspective - does this thingie work for me?
IT perspective - does this thingie work for 1,000 users?
Does this thingie have a license we can support?
Does this thingie fit our security model?
Does this thingie fit our backup/retention model?
Does this thingie cause any problems with the other systems?
Does this thingie have a road map for the next 3-5 years?
Almost any user can handle a single workstation. Maybe even two workstations.
It requires a different perspective when you move to 1,000 workstations for 1,000 users running 250 different apps in 10 different segments across 3 continents and 5 languages.
The niche that the company is operating in might not be the same niche that the user sees himself in. Just as there are markets for mass produced goods/services, so is there a market for customized/personalized items.
I think Gruman is advocating the customized/personalized market niche (everyone at the company uses whatever they want to use / how they want to use it / where they want to use it / etc) when the experience of most of the Slashdot readers is the opposite (thousands of workstations and users with hundreds of apps and downtime that is measured in millions of dollars).
Car analogy - your motorcycle might have better acceleration, higher top speed and be more maneuverable than the 18-wheeler but they aren't serving the same market. Nor does the motorcycle scale to the 18-wheeler level at anything near the same price point.
What is this "tech-savvy user" you speak of?
There is a recurring discussion on Slashdot about the wisdom of putting critical infrastructure systems on the 'Web where any "terrorist" living anywhere in the world can attack it at any time.
That is the key to this discussion.
The IT department is tasked with keeping the private company data private. One of the reasons for that is so the company does not get sued for "losing" that information (or lose an advantage to a competitor).
Once the "tech-savvy user" connects his/her "personal IT" to the Internet it can be attacked by anyone, anywhere in the world, at any time. And losing your credit card info just means a problem for you. If the company loses the credit card info of their clients / customers / partners / etc, that's a problem for a LOT of people.
My problem with cloud services is that the departments that use them don't want to manage them and don't even know what "manage" means.
When Accounting buys a cloud based purchasing system, they didn't ask for IT input because they couldn't wait for IT to fit it into our schedule (which is pretty much determined by our budget). So now they implement a cloud based company wide purchasing system that everyone is required to use.
They, however, forgot that someone needs to handle password resets. They don't want to give the Helpdesk administrative access because there's no way in the to let them reset passwords without also letting them alter approval levels and see all purchase orders. So every request for a password reset goes to an accounting clerk... who is always too busy to handle them.
People complain that they have to remember a separate password for the system - Accounting didn't even take into account our request to use a system that can federate with our AD servers to let everyone use their AD password to sign on.
HR asks IT why ex-employee XXX still has access to the system after leaving the company - we say "Accounting automatically gets CC'ed on termination notices, they apparently aren't acting on them".
The CFO asks us how we can feed purchasing data into the BI system, we tell them "Who knows, we've asked for a data API 6 months ago and are still waiting for the beta release"
The purchasing system goes down for unscheduled maintenance during an financial audit, Finance asks us why we don't have a back up of the purchase data so we can run reports. What, they ask, would happen if that company went out of business!? We say "Hey, you sit across from Accounting, they chose the system and ignored our request to have data extracts stored here"
The CFO says "Hey, this system isn't quite working out - we want to move the data to a new service. Figure it out".
So while departments *want* cloud hosted solutions, they really don't want to manage them - they want something that just "works", but they don't often have a clear idea of "works" means. There's a reason why IT does a requirements analysis, RFP, and vendor evaluation before making a purchase instead of buying a system just because "When I worked at Company XYZ, we used this product and it worked pretty well".
The purpose of corporate IT is to ...
allow company approved people to
access company data
using company approved apps
on company approved hardware
at company approved locations
with company mandated security methods
on the company approved IT budget and staffing level
to keep the company in business and out of court.
If you want different apps - build a business case for them.
If you want different hardware - build a business case for it.
If you want different access - build a business case for it.
If you want different X - build a business case for X.
I don't know how many times I have heard: "We know it is not our policy to make you support/fix this. However, your boss is requiring you to make an exception this time, since we have some important time-sensitive thing going on."
Mutually-agreed-upon responsibility limits don't work when upper management lacks the discipline to keep up their end of the agreement.
As a wise man once said, with great power comes great responsibility.
If we want the power to say "No" to users who are doing unsecure things, we have the corresponding responsibility to provide an easy-to-use substitute in a reasonable time frame.
Once everyone else starts seeing IT as "the department of no," or as unapproachable "high priests" (as a previous article said), the clock is ticking. Other employees now perceive IT as the enemy and will try to work around us by whatever means they can. And if these enemies include upper management, the outsourcing of the IT department won't be far behind.
I work as a Database/Web Administrator in a small (6-person) IT department in a public library system. Until about 6 months ago, I was doing general IT support, and still do from time to time; we're not hung up on formal job descriptions too much with a department this small. Do we sometimes advise people not to do things for security reasons? Yes. We've had to prohibit a handful of specific bad practices (generic logins) because of PCI compliance. But this is not the primary focus of our work. The primary focus of our work is helping other people to do their work more effectively. And this means providing solutions, not withholding them. It means if someone wants to do something insecure, we try to find out WHY they want to do it, and come up with a way to make things as convenient for them as possible. I have personally written multiple scripts to make peoples' jobs easier. (Example: on one occasion, I noticed that staff were manually running circulation totals from self-check units each morning. So I offered to automate this process, which saves them 5-10 minutes a day.) Because everyone knows us, and knows we will do what we can to help them, we have the credibility to draw the line where it matters. Many IT departments have forfeited this credibility, or never had it in the first place. IT should be an important part of the business, a strategic partner with a voice at the table - not a bunch of antisocial BOFHs in the back room.
I have worked for, or consulted for, many tech companies. The best had IT departments that saw themselves as ISPs. They made the assumption that the individuals were going to bring in viruses, dud devices, etc and built their network much like the cable company built theirs bulletproof. Connections to internal services were made in the same way as over the Internet secure as possible. Most workers were handed a workstation assembled by IT and it just worked. But if people had special needs or devices either they obtained their own bits or got help from IT obtaining special bits. At the time things like Macs didn't get much support as the IT would claim that they knew little about them. It worked well. Interestingly enough the head of IT usually had some bastard collection of old bits as his personal machine.
.zip files.
The worst had a convoluted proxy system, a wonky DMZ setup, Novell shared drives that nobody used, and the oddest selection of software that was mandatory on all machines; machines that they picked largely for their compatibility to Novell. Needless to say the head of this IT department had the best damn desktop machine in the company. Plus the best laptop that money could buy. Where programmers had trouble getting machines that could barely run the software they were building let alone a modern IDE.
The best company didn't trust their employees at all and designed their system around this. The worst company pretended that they could design a system where they could pretend to trust their employees.
The layers of stupid in the bad company were many. One good example was the dedicated email machine had a raid with a few terabytes of space. Yet in a 100 person company employees were limited to 3meg attachments (two floppies) and 10meg email account total. Plus many attachment extensions were banned such as
I am willing to bet that the bad IT company cost 3 or more times as much to run.
If the company doesn't support your device, if the IT folks have no experience with it, why would they know how to fix it? Like take iPhones. None of us IT types at work have one. We all have either Android phones, or regular ole' dumb phones. I personally have no experience with an iPhone past having briefly played with one that a friend owns.
So, why should I help you make yours work? If you ask me to do that, what you are saying is "I want you to take the time and do the research I am too lazy to do to figure out how to operate this, and then teach me." Why is that my job? How about you do it yourself.
The answer "But then you know how to support it in the future," isn't valid either. Ok that's true for your toy, but not for the next person's different toy.
What it comes down to is there are way too many things out there for a person to be good with every one. All IT groups will have a set list of operating systems, programs, devices, etc that they support. They'll be responsible for knowing how to do that. You can't then ask them to just turn that in to an unlimited set of anything that comes out, and expect it not to impact productivity.
One user brought in a couple of different models of two way radios (if they are still called that) from home and expected me to set both models up on some sort of private channel with zero documentation to look at. I haven't even touched anything similar since 1987.
The idea seems to be if it has some sort of electronics the IT guy will know what to do and if they don't they have the entire day to work on it even if it's got nothing to do with the workplace.
The tough thing is if you don't play along and at least attempt to solve their personal electronic problems they will be reluctant to come to you with something that is really work related and may cost jobs if it isn't addressed. In IT people are in the role where they can be sacked because a user didn't inform them of a major problem in time for them to fix it while the user gets to keep their job. If they hate you for cutting their net access communication gets a lot harder and nasty surprises increase.
We have everything posted for e-mail, VPN, all that shit, and we'll happily show people to it. Some people are happy with that. Others want us to hold their hand through every little thing. Still others don't want us to touch their stuff, until they fuck it up, and then they want us to fix it, but then back to no access.
Our problem is not with people wanting to use their own devices, it is with them wanting us to support them. They don't seem to understand if you want to own and administer the device, that means you are responsible for it. That means you deal with it. You don't get to do things your way but demand IT bail you out when you fuck up or get out of your league.
The "12 year old" comment shows the problem well. You simultaneously claim something is really simple, yet are petulant that someone won't do it for you. That is rather stupid.
As I said where I work, the servers are public info. We'll tell you what all the servers are and how to get at them. However if you want to bring in your own toy, it is your job to make it work. So I'll tell you what servers you can SSH to, if you need SSH (actually I'll show you the site that lists them). What I won't do is find you an SSH app, configure your iTunes account, download it for you, configure it, and hold your hand as you figure out how SSH from your iPad.
I'd be willing to provide that level of support, if the department was willing to hire sufficient staff to allow for that. However so long as I have tons of shit to do with the equipment we do own, I am not going to spend time on your stuff.