Most of the organizations I have worked with for the past 40 years had rules about what technology could be used at work. They spent a good deal of time and money creating or acquiring standard technologies that were supposed to be easy to secure and manage because they were:
- standardized; and
Some places even went so far as to "lock down" user technologies, preventing or overwriting changes made by users.With all the well-known challenges related to combating viruses and other malware--as well as the need to secure business data and make sure that business technology wasn't being diverted to unauthorized personal use--all this effort seemed to make sense.
Occasionally, you would come across someone who didn't want all the procurement and asset management hassle. These IT renegades would hand out cash to staff to "go and buy what you want." But they remained in the minority, and generally still had rules about what could connect to the network and what software could run on user endpoints.
Talk to infrastructure managers (and even some security managers) and they'll tell you that keeping track of all this has become a real pain. Users don't like it, and with some justification: No single configuration can be optimized for everyone. Asset managers don't like it. Even vendors don't like it -- especially in single-vendor environments in which procurement is a winner-takes-all event over a period of years. Now, three forces are colliding that will make the "Bring Your Own Technology" workplace a reality.
The first is mobility. Innovation today is focused around mobile devices, and it's becoming hard to have, or even enforce, standards. When a phone costs as much as a laptop and only lasts about half as long, businesses aren't going to want to give everyone their own. Also, you can't, yet, lock down a phone, the way you can a laptop, because it has to be able to connect to open public networks. There are things that a business can do to secure and manage mobile devices, but these are, at best, stopgaps.
The second force is virtualization. Once you have separated the user's software environment from the underlying hardware, it's less important what that hardware is or who owns it. User technology becomes an access point to a virtualized information and application space. I still have to be able to identify and authenticate the user, but I'm now much less concerned about the device.
The final force is the rising use of contract and outsourced resources -- and of multi-business collaborative networks. It may not be economically, or even legally, possible to dictate which technology contractors use, especially if they're not working for you full time. Contractors won't want to have different devices for different customers. And if they are working for an outsourcer in a different geography, you are unlikely to have much control over what technology they use.
It's time to get over the control paradigm we've all gotten used to and start thinking outside the box. What would it take to allow any device to connect safely and securely to our corporate networks? How can we assure ourselves that nothing bad will happen when a new device shows up? How can we ensure that when information leaves on one of these devices, it will remain secure?
Answer these questions -- and workable answers do exist -- and you can get out of the user-technology provisioning business, simplify asset management and let your users have the technology they really want.
John Parkinson is the head of the Global Program Management Office at AXIS Capital. He has been a technology executive, strategist, consultant and author for 25 years. Send your comments to firstname.lastname@example.org.