Companies often interview/hire employees who are resistant to IT control over the devices they use for work and collaboration. What’s your sense on just how much of a challenge this is today?
Brad Anderson: I don’t think it is necessarily that the employees are resistant to control, but rather there have been some cultural shifts in how people work – we refer to this as the work-life “blur”. There is also now a set of people in the work force who have grown up interacting with Internet technology. Consumer and social network technologies are a major part of their daily lives. So when they get to work, they naturally want to continue to leverage these capabilities to get things done. The challenge companies need to address is making sure that these employees have appropriate access to the resources they need to get their jobs done, in a way that accommodates these new work styles. This won’t always apply to every role within a company – but for many this is already the reality.
How does a CIO assure a skittish CSO or CISO that allowing new employees to use their own devices is the right thing to do?
Brad Anderson: The bottom line is that to be competitive, a business needs to be innovative and productive. If you are putting limits on how your employees can work, that is going to be seen as putting constraints on your organization’s ability to perform. These new devices and technologies are really a “force-of-nature” at this point. They are already in the hands of every jobseeker – not to mention the one billion or so mobile workers already in the global workforce. What CIOs need to focus on is establishing appropriate governance on how corporate information and assets are used. There needs to be a clear path forward as to how IT is going to keep corporate and personal data discrete and protected regardless of what device it is accessed from.
Are the productivity advantages really worth the security/control trade-offs?
Brad Anderson: Yes. Given what I’ve already said, I think it is an inevitability that IT will need to enable users to embrace these new technologies. Certainly the traditional “IT control” model is not going to work for personal devices – the user is not going to let you control how he should be interacting with his own personal information. In most cases, the security of the device itself is left up to the manufacturer or carrier. IT will move to a model where you establish clear policies on how corporate information can be accessed and shared – and then you put into place the tools you need to enable and/or enforce those policies. So while there is a trade-off, and definitely a change in the expectations on the part of IT, the total impact can be minimized using appropriate planning and tools.
Supporting end-user devices is something of a moving target. How can a CIO account for the rapid evolution of consumer tech in terms of management, security, and control?
Brad Anderson: I think the first thing you have to do is think in terms of the user – not the device. The devices coming into the network are going to be incredibly diverse. But at the end of the day, what the user really cares about is can they get access to the tools they need to get their job done. This is going to change the way we think about the tasks we do as IT pros. Instead of focusing on maintaining and updating a PC, the task is now to securely deliver applications to a user regardless of what or how many devices they have. There are tools out there – System Center, application and desktop virtualization, or cloud services such as Windows Intune – that provide multiple approaches to help you deliver the resources you need while maintaining security.
Data in the cloud is a frightening proposition to some. How do you assure CIOs that data moved into the cloud by end users will be properly protected?
Brad Anderson: There are a couple ways to think about this. One is that a user wants to copy a corporate file onto a SkyDrive or other “cloud information store”, and I want to make sure that file can’t be shared with someone who doesn’t have rights to view it. In that case, you want to have a way to encrypt the data in that file so only approved users can view it – which is something you can do with Information Rights Protection, for example. The other way to think about it is that mobile users want secure access to critical work applications on diverse devices. In that case, you can use a cloud service like Office 365 that they can access from whatever device they happen to own. Both of these scenarios offer data security – and at least in the Microsoft versions of these technologies, we work closely with industry and government regulation bodies to make sure we are delivering the level of security customers need. Companies are incorporating cloud-based services into their existing IT strategy in a gradual way, so I think most corporations – excluding a few tightly regulated industries – will start looking at these as a way to empower users on these new devices coming into the enterprise.
What’s the biggest mistake a CIO can make when it comes to coping with this new “consumerization of IT” reality?
Brad Anderson: The number one mistake? Ignoring it or hoping it will go away. This is a great opportunity for CIOs to really think about how these new devices and tools can work for the business. By resisting it, you would be missing out on a way to turn it into a positive for your IT department and all the employees you enable.