Done right, a top-down IT consumerization strategy can maximize business value for an organization and provide it with a formidable competitive advantage.
Redefine IT management priorities. When Bristol-Myers Squibb decided to adopt a single instance of SAP globally in early 2000, there was, as with many large IT projects, significant organizational inertia. (Disclosure: One of the authors, Jack Cooper, was the global CIO of Bristol-Myers Squibb and a member of the executive team overseeing the implementation at the time.) In many cases, Bristol-Myers Squibb managers strongly resisted any changes in the structure as well as in business processes. One of the factors leading to the success of the SAP implementation, which produced more than $3 billion in productivity gains, was that the change was led from the top down. The project was mandated by the Bristol-Myers Squibb executive team, and throughout the project, senior executives from different areas of the company emphasized the importance of seeing the project to a successful completion.
In the past, almost all large implementations of systems that would have a major effect on work required a careful and structured change management process that had to be coordinated across many different organizational units. In these projects, the IT department played a key role in change management and setting standards. In cases when the adoption of new technology conflicted with corporate standards, the IT department had to take a firm stand and say no to ad-hoc adoptions.
IT consumerization has changed this equation. We no longer have an environment where every piece of technology is purchased and deployed by the IT department. In this new environment, IT management must be an enabler, not a blocker. It has to allow managers of individual departments to set adoption priorities and to leverage end user knowledge and productivity. As access devices move away from the purview of the IT department, there will be a natural shrinkage of corporate IT budgets and, perhaps, a corresponding decline in internal political power. IT managers must learn to deal with this new reality. Adoption of new and innovative IT consumerization apps will still require funds from corporate budgets, and some of the app funding may mean reduced funding for legacy systems maintenance and support of in-house IT infrastructure and systems development.
Manage the new security risks. Using IT consumerization apps in an organization increases security risks since traditional IT security perimeter defenses cannot protect data when BYOD exists in the workplace. Using a data-centric approach and encryption technology can mitigate the risk of data breaches. Other steps that can reduce security risks include the validation and testing of BYOD apps for possible security risks; a formal companywide decommissioning procedure for smart devices when their use is discontinued; and training programs for smartphone users on data security and awareness of privacy issues. As a part of an IT consumerization strategy, a companywide procedure that can quickly and easily evaluate the security risk, business value and life-cycle costs of IT consumerization apps needs to be established. To be effective, the management and control of this procedure need to be established at a high level in an organization.
Codify a global IT consumerization policy. Guiding principles for an IT consumerization policy should include that "ownership" of the device does not matter. Regardless of the location where the work is being conducted, and the devices used to perform such work, all employees must conduct themselves in a manner consistent with all company policies and practices. When a conflict exists between company-mandated policies and any local and national laws, a company's definition of "appropriate use" may be more limiting than the legal definition. Also, a company may at any time or place compel an employee to examine the device (and in the case of a company-owned device, surrender the device) to determine the appropriateness of the data stored on the device and to determine the usage in work-related activities.