Sorry, IT: These 5 Technologies Belong To Users

GMGruman writes "The BYOD (bring your own device) phenomenon hasn't been easy on IT, which has seen its control slip. But for these five technologies — mobile devices, cloud computing services, social technology, exploratory analytics, and specialty apps — it has already slipped, and Forrester and others argue IT needs to let go of them. That also means not investing time and money in all the management apps that vendors are happy to sell to IT shops afraid of BYOD — as this post shows, many just won't deliver what IT hopes."

Sigh

Typical user conceit "This is MY dingly dangly, it lights up and makes my balls feel warm! Oh SHIT, I BROKE the DINGLY! IT FIX IT FIX IT FIX IT."

Rinse, Lather, Repeat.

Re:Sigh

[dwillden]

Better than, I'm supposed to use this dingly dangly to do work, but the tools I'm allowed to use don't quite do what I need. If I could just use this app I could increase productivity, but IT has the system so locked down that to even think about using a different app is grounds for termination.

Face it, IT's job is to facilitate the rest of the company's performance of the real purposes of the company. IT doesn't make money for the company it enables the money making areas to make the money. A wise IT dept allows users to add additional tools, but with the caveat that the only fix available is a system wipe and restore to original configuration. The Users are responsible for keeping their data backed up.

As to the Gadget aspect, if the company didn't buy it, the company isn't responsible to fix it. If the company did, the company should have an extra stockpile, and any broken gadget is simply replaced with a baseline new one, again leaving it up to the employee to restore the apps and data they want. And it's the employee's job if their failure to maintain a backup causes critical data to be lost.

Okay, everybody tell me how wrong I am.

Re:Sigh

[Cheerio+Boy]

Better than, I'm supposed to use this dingly dangly to do work, but the tools I'm allowed to use don't quite do what I need. If I could just use this app I could increase productivity, but IT has the system so locked down that to even think about using a different app is grounds for termination. Face it, IT's job is to facilitate the rest of the company's performance of the real purposes of the company. IT doesn't make money for the company it enables the money making areas to make the money. A wise IT dept allows users to add additional tools, but with the caveat that the only fix available is a system wipe and restore to original configuration. The Users are responsible for keeping their data backed up. As to the Gadget aspect, if the company didn't buy it, the company isn't responsible to fix it. If the company did, the company should have an extra stockpile, and any broken gadget is simply replaced with a baseline new one, again leaving it up to the employee to restore the apps and data they want. And it's the employee's job if their failure to maintain a backup causes critical data to be lost. Okay, everybody tell me how wrong I am.

You're not wrong. But neither is the parent. And this is all known by anyone that's been in the I/T field for any serious length of time. It's all a balancing act. And since you have to balance security with efficiency your friend through all the pitfalls (besides common sense) is documentation. Make the end user sign a piece of paper saying the device is his and will only be supported for X purpose and only to Y point.

When the user breaks something you told them is unsupported past a certain point that documentation will help point the user in the right direction and keep both yourself and the company safe from rampant I broke my $device while doing company work on it! Fix it or get me a new one!

Re:Sigh

[billcopc]

Face it, IT's job is to facilitate the rest of the company's performance of the real purposes of the company. IT doesn't make money for the company it enables the money making areas to make the money.

That's only half the job. The other half is protecting the company from nasty lawsuits by ensuring license adherence, data security, compliance with various tech-related laws, and proper access control.

Deploying servers and workstations is only week 1. Weeks 2 to 52 are all about keeping the boat afloat.

Re:Sigh

[Xugumad]

> Okay, everybody tell me how wrong I am.

I will say, users are terrible for taking responsibility for their own mistakes. So we either are the bad guys for not allowing shiny untested tech, or for not fixing problems users bring upon themselves with the shiny tech.

The effect of risks in aggregate are also very opaque; you may never see problems with random untested approaches or poorly considered actions, but IT deal with this routinely. What do you want us to say when we're told too much time is spent on support queries already?

Re:Sigh

[isopropanol]

One company I've worked with does it this way:

Want to use our device? Good, here it is all set up. You can use it to access internal resources.

Want to use your own? the pptp server is blah, and the exchange server is blah. Have fun, remember to lock your device, and no, we won't tell you how to set it up. You can't get anything confidential unless it's emailed. Emailing anything confidential is grounds for disceplinary action. When you lose your device, call 1-800-xxx-xxxx ASAP.

Re:Sigh

[rickb928]

Exactly. Signing off or not, where I work there are substantial legal and fiscal penalties for data loss, up to and including dissolution of the company or forfieture of profits, financial penalties in excess of revenue, and loss of business as in no longer permitted to participate in that business despite a 105-year history.

Or more simply, risk of losing the entire business.

Your assessment of risk is not the same as your employer's assessment of risk, and likely not very well aligned with reality.

Re:Sigh

[Xeno+man]

Face it, IT's job is to facilitate the rest of the company's performance of the real purposes of the company. IT doesn't make money for the company it enables the money making areas to make the money. Okay, everybody tell me how wrong I am.

Gladly. It's not IT's job to facilitate and serve the rest of the company. IT doesn't bring in the money but IT manages the expenses that allow the company to make money. Why does everyone forget that it cost money to make money? A contractor needs to buy a hammer to do his job so he buys a hammer. He needs it to do his job. What he doesn't do is buy a hammer every week or every time a new type of hammer is released. Otherwise he would be buying more hammers than making money.
Lets also say this contractor is so big and busy he hires a hammer department to handle buying and distribution of hammers. Now workers look at the hammer department and an expense and bitch when they don't get a new hammer when ever they demand one, even though the hammer department will free up more time for the workers to make more money and keep expenses down by not facilitating every whim of the workers.

You're all part of the same team, you all need to work together to get what you need, not just what you want.

Re:Sigh

[flappinbooger]

I like your hammer analogy and would like to subscribe to your newsletter

Re:Sigh

Tech savvy user? You're the type that install a facebook sniffing app on your phone for personal enjoyment, and you're the type that we catch on your phone using Facebook when you should be working.

If you allow us to lock down your device and face dismissal and confiscation of your device if you are caught using it illegally, sure, go nuts.

I've seen too many people abuse the right to use personal devices on a corporate network. If ANY company is serious about security, they either:

A. Don't let personal devices on the network, and provide a proper device.
B. Let people use their own device, but place it on its own DMZ WLAN and use Citrix.

Re:Sigh

[Alex+Belits]

Citrix

Fuck you!

Re:Sigh

[SchroedingersCat]

Look, "tech-savvy" user usually has no clue about corporate IT. The fact of the matter is that the work done on the company time is subject to licensing, permits, regulations, insurance, bonds, etc. That also covers tools that are used to perform the work. You must use approved tools and technologies. That includes software and computers. Tech-savvy user can use his personal software for the company business while his personal software license explicitly prohibits commercial use. Tech-savvy user can put confidential data on his personal box then it ends up in his personal backup, his personal backup system gets upgraded and the old one is sold on eBay and happy eBay buyer recovers confidential files because media destruction procedures have not been followed. I can give you dozen more scenarios that "tech-savvy" user simply does not think or care about because its is the job of corporate IT.

Security

[lymond01]

Ok...I didn't read the article. But the problem with mobile devices, cloud services, etc, isn't IT's lack of control. It's not the stability of the network. It's the security of the data itself. It's a little tricky to safeguard your patent research documents if they're sitting in your iPhone email. Even more difficult if they are up in Dropbox, unencrypted, where "mistakes happen" and other people can gain access to your account by an oops by the service provider or a sharing oops by yourself.

Believe me, I'd really rather not be responsible for managing data access. No matter how dumb people are, it's IT that gets blamed for lack of security.

Re:Security

[PolygamousRanchKid+]

The biggest security threat from a BYOD . . . is the user. Many have been nurtured with an attitude of, "Hey, it's great! I can share with everybody! The more I share, the better!"

This unfortunately leads to stuff like open calender entries of confidential meetings, etc. And don't even mention them being lost, stolen, left in bars.

My work SchtinkPad is so locked down, and monitored by our IT folks, that if I lose it, no one short of the NSA is going to get anything out of it, without a court order.

IT folks just can't know if their employees are security aware.

Re:Security

[MadFarmAnimalz]

Ok...I didn't read the article. But

Around here, that's good for +5 insightful. Modded accordingly.

Speaking as a customer

[Compaqt]

Speaking as a customer of BigCorp X, where there's a battle between the big, bad meanies of IT and the hip, 20-somethings with their fashionable iWhatever du jour which they can't live without, and the 30, 40, and 50-somethings who are trying to mimic them:

I'd rather your corp have a locked-down corporate environment in which data security is respected and my credit card and other personal information (including purchase history) is safe. Or, as a vendor/partner, the confidential information I had shared with you.

I'll take the risk that some hipster isn't going to come up with an earth-shattering revelation about which color of gradient fill should be used on the company website because he was shackled to his desk instead of breathing free as a bird sprawled out on the office roof with his iPad.

Most breakins occur through the weakest link in security, which is exactly what uncontrolled used of these gadgets represent.

Re:Speaking as a customer

[jsrogers]

We actually had an incident during the fall but it was not a 20-something hipsters. A few of our mobile users left their work laptops in a company vehicle in a bag in plain sight on the back seat. The bags are purchased by the individuals or their departments and they purchased very obvious computer bags. The car was stolen in a sketchy part of town along with all three bags. It turns out one of them left a car key inside their coat pocket inside the car.. Fortunately for us, all the laptops fully encrypted AES256 with preboot authentication. The laptops were later recovered from the suspect's home along with the vehicle. One of the laptops did log about a dozen unsuccessful log in attempts but nothing further than that.

Our organization does allow remote access from personally owned computers, but only through Citrix to minimize data loss because nothing is stored locally and all the computing takes place at the Citrix farm in a controlled environment. I think the last I heard, there is Citrix applications available for Apple Ipad.

The purpose of IT...

[west]

Is to allow users the flexibility to maximize their productivity in ways that they understand...

and to get fired for negligence when those users, who could not be expected to understand the ramifications of all their actions, cause major damage to the corporation.

BYOD? Then BYOS(upport) too

[weave]

1) Everyone has iPhones and iPads
2) They want to print - they demand to print
3) Find some AirPrint windows driver some guy wrote in his garage and load unknown code into your Windows server
4) Works well until iOS 5 comes out
5) Users update to iOS 5 on their own and they can't print and scream at IT.

That's just one scenario....

1) User gets great idea of hooking up an Apple TV to a presentation display so they can send their iPAD crap output to it
2) Scream bloody murder when someone "unauthorized" sends their screen to the display instead.

Or.....
1) Buy a bunch of iPADs, spend about 15 minutes unboxing them and turning them on.
2) Quickly realize what a hassle it is to manually install apps and settings on all of them and they have better things to do
3) Run to IT to install all the apps instead.

Or....

1) Buy a bunch of iPads for a classroom, set up an Apple ID, associate a credit card with it, buy needed apps for it, save password because it's a hassle to keep re-entering it
2) Scream bloody murder when one of the students decides to go to the app store and buy a few games to play using the instructor's account during class instead of doing classwork.

The way it should have worked was...

1) Identify a need (want tablets in a classroom setting that can do x,y,z)
2) Ask IT to identify a product that meets those needs securely and effectively
3) Wait for IT to figure out how to manage and deploy said devices (and if that takes too long, work with our management to identify appropriate priorities for us -- i.e., what doesn't get done in meantime

Bottom line, I understand IT is a service organization ... but I also understand we are overhead to the bottom line and understandably management wants to minimize the expense spent on IT as well as expect us to keep data secure. So we have to do horrible corporate things like try to control costs, and justify expenses towards the goal of improving productivity. I love my iPad. I think it's cool. But it's a personal, entertainment device. Repurposing it for business or educational use takes effort and time to figure out.

Fucking GMGruman

[GameboyRMH]

This article is written by the same braindead PHB who wrote the "high priests of IT" article. He's trolling Slashdot for cash (page hits). I say the editors should be at least considering blacklisting his submissions at this point. He's one of the biggest submission trolls on Slashdot right now, and the only one doing it for money.

Why are you linking to his articles?

[khasim]

He's going on about the same bullshit. But he doesn't interview anyone in IT at any company that is actually IMPLEMENTING his claims.

I'd argue that Salesforce.com was the first big consumerization push into business, as the SaaS provider actively targeted business users and avoided IT in trying to get its technology adopted.

This guy cannot even tell the difference between a "device" that is "owned" by an employee of Company X and a service provided to Company X by Company Y.

Regardless of which innovation was the first to empower individual users technologically, it's clear that consumerization of IT is about user-driven technology of all sorts.

No. There's a HUGE difference between using a outside company to provide a service and allowing people to bring their own laptops into the company to connect to the company's private data.

BYOD has the distinction of being so visible and inexorable that it finally forced the consumerization trend into the open, with CIOs and IT publicly confronting an issue that many had been dealing with quietly for a while: Some technologies are truly user-centric and should be left as such.

And you STILL don't see the difference.

Why is /. linking to his articles?

There are five: mobile devices, cloud computing services, social technology, exploratory analytics, and specialty apps (that is, apps for the user's specific job, from presentation software to engineering calculators).

mobile devices
cloud computing services
social technology
exploratory analytics
specialty apps

And STILL not a single interview with an IT VP from any health care company allowing user-owned devices to connect to private data.

Why is /. still linking to his articles?

Seconded!

[khasim]

He's posting on InfoWorld (not known for insight) and then sending the link to /. because no one reads InfoWorld's website.

If his articles were so amazing then people would be going to the original source, wouldn't they?

Instead, he's sending his links to /.

It's a difference in perspective.

[khasim]

User perspective - does this thingie work for me?

IT perspective - does this thingie work for 1,000 users?
Does this thingie have a license we can support?
Does this thingie fit our security model?
Does this thingie fit our backup/retention model?
Does this thingie cause any problems with the other systems?
Does this thingie have a road map for the next 3-5 years?

Almost any user can handle a single workstation. Maybe even two workstations.

It requires a different perspective when you move to 1,000 workstations for 1,000 users running 250 different apps in 10 different segments across 3 continents and 5 languages.

The niche that the company is operating in might not be the same niche that the user sees himself in. Just as there are markets for mass produced goods/services, so is there a market for customized/personalized items.

I think Gruman is advocating the customized/personalized market niche (everyone at the company uses whatever they want to use / how they want to use it / where they want to use it / etc) when the experience of most of the Slashdot readers is the opposite (thousands of workstations and users with hundreds of apps and downtime that is measured in millions of dollars).

Car analogy - your motorcycle might have better acceleration, higher top speed and be more maneuverable than the 18-wheeler but they aren't serving the same market. Nor does the motorcycle scale to the 18-wheeler level at anything near the same price point.

Hardly.

[khasim]

So, in essence, our litigious society and the risk-averse enterprise culture that litigation and regulation foster are the reason why enterprise IT is, in many organizations, in the Dark Ages compared to what a tech-savvy user can do with their personal IT.

What is this "tech-savvy user" you speak of?

There is a recurring discussion on Slashdot about the wisdom of putting critical infrastructure systems on the 'Web where any "terrorist" living anywhere in the world can attack it at any time.

That is the key to this discussion.

The IT department is tasked with keeping the private company data private. One of the reasons for that is so the company does not get sued for "losing" that information (or lose an advantage to a competitor).

Once the "tech-savvy user" connects his/her "personal IT" to the Internet it can be attacked by anyone, anywhere in the world, at any time. And losing your credit card info just means a problem for you. If the company loses the credit card info of their clients / customers / partners / etc, that's a problem for a LOT of people.

But users don't want to "manage" cloud services

[hawguy]

My problem with cloud services is that the departments that use them don't want to manage them and don't even know what "manage" means.

When Accounting buys a cloud based purchasing system, they didn't ask for IT input because they couldn't wait for IT to fit it into our schedule (which is pretty much determined by our budget). So now they implement a cloud based company wide purchasing system that everyone is required to use.

They, however, forgot that someone needs to handle password resets. They don't want to give the Helpdesk administrative access because there's no way in the to let them reset passwords without also letting them alter approval levels and see all purchase orders. So every request for a password reset goes to an accounting clerk... who is always too busy to handle them.

People complain that they have to remember a separate password for the system - Accounting didn't even take into account our request to use a system that can federate with our AD servers to let everyone use their AD password to sign on.

HR asks IT why ex-employee XXX still has access to the system after leaving the company - we say "Accounting automatically gets CC'ed on termination notices, they apparently aren't acting on them".

The CFO asks us how we can feed purchasing data into the BI system, we tell them "Who knows, we've asked for a data API 6 months ago and are still waiting for the beta release"

The purchasing system goes down for unscheduled maintenance during an financial audit, Finance asks us why we don't have a back up of the purchase data so we can run reports. What, they ask, would happen if that company went out of business!? We say "Hey, you sit across from Accounting, they chose the system and ignored our request to have data extracts stored here"

The CFO says "Hey, this system isn't quite working out - we want to move the data to a new service. Figure it out".

So while departments *want* cloud hosted solutions, they really don't want to manage them - they want something that just "works", but they don't often have a clear idea of "works" means. There's a reason why IT does a requirements analysis, RFP, and vendor evaluation before making a purchase instead of buying a system just because "When I worked at Company XYZ, we used this product and it worked pretty well".

Slightly different phrasing.

[khasim]

The purpose of corporate IT is to ...
allow company approved people to
access company data
using company approved apps
on company approved hardware
at company approved locations
with company mandated security methods
on the company approved IT budget and staffing level
to keep the company in business and out of court.

If you want different apps - build a business case for them.
If you want different hardware - build a business case for it.
If you want different access - build a business case for it.
If you want different X - build a business case for X.

nice in theory

I don't know how many times I have heard: "We know it is not our policy to make you support/fix this. However, your boss is requiring you to make an exception this time, since we have some important time-sensitive thing going on."

Mutually-agreed-upon responsibility limits don't work when upper management lacks the discipline to keep up their end of the agreement.

IT as ISP

[EmperorOfCanada]

I have worked for, or consulted for, many tech companies. The best had IT departments that saw themselves as ISPs. They made the assumption that the individuals were going to bring in viruses, dud devices, etc and built their network much like the cable company built theirs bulletproof. Connections to internal services were made in the same way as over the Internet secure as possible. Most workers were handed a workstation assembled by IT and it just worked. But if people had special needs or devices either they obtained their own bits or got help from IT obtaining special bits. At the time things like Macs didn't get much support as the IT would claim that they knew little about them. It worked well. Interestingly enough the head of IT usually had some bastard collection of old bits as his personal machine.

The worst had a convoluted proxy system, a wonky DMZ setup, Novell shared drives that nobody used, and the oddest selection of software that was mandatory on all machines; machines that they picked largely for their compatibility to Novell. Needless to say the head of this IT department had the best damn desktop machine in the company. Plus the best laptop that money could buy. Where programmers had trouble getting machines that could barely run the software they were building let alone a modern IDE.

The best company didn't trust their employees at all and designed their system around this. The worst company pretended that they could design a system where they could pretend to trust their employees.

The layers of stupid in the bad company were many. One good example was the dedicated email machine had a raid with a few terabytes of space. Yet in a 100 person company employees were limited to 3meg attachments (two floppies) and 10meg email account total. Plus many attachment extensions were banned such as .zip files.

I am willing to bet that the bad IT company cost 3 or more times as much to run.