The thing that makes life in IT so interesting is also the thing that makes it daunting -- everything can, and likely will, change and change quickly. Social is now embedded into most of what we do. Mobile networks get faster and mobile devices get smarter. Advanced analytics are just a data scientist away. And, the breadth and reliability of cloud services just keep increasing. For good measure, let me throw in one more change that accompanies all of these -- IT is no longer in control of what applications we run or where they run.
Until a few years ago, I fought hard to maintain control over my environments, applications and users. If I caught someone downloading an expense reimbursement application that was not part of our enterprise portfolio, I figured out ways to crush their application. If someone purchased an unauthorized device, I would stymie their attempts to connect the device to enterprise services.
As a result, I earned a reputation for being the barrier to enterprise progress. People cursed me and my policies. I was burned in effigy. People hid their faces from me when I walked by. Well, not really, but it soon became obvious that I was out of step with nimble, forward-thinking IT. With this realization, I surrendered and adopted a "bring your own anything" (BYOx) approach to life. What surprised me was how much freedom and credibility I gained when I stopped trying to be in control.
There are some great things that come with BYOx -- the perception that IT "gets it," potential direct and indirect cost savings and the pressure on IT to improve our processes so that we can support any and all types of devices, applications and users. In becoming a champion of BYOx, I can honestly say that the benefits far outweigh the potential downsides.
But, there are some questions to consider:
- Who owns the data and how do we manage and secure the data?
- Who is responsible for paying for and supporting the application or device? The last thing I want is for someone calling the service desk to get help updating or fixing some application they purchased online.
- What standards, if any, should and do apply to the application, device or service?
These are not easy questions to answer and some BYOx initiatives collapse under the weight of such questions.
Four governance and risk tips for turning BYOx into ROI
Having transitioned to a life without control, here are some things I have learned:
1. Find out what "rogue" applications, devices and services your customers are using. At a minimum, the inventory points out gaps in your current portfolio.
2. Gather a group of IT and non-IT people together and brainstorm some lightweight guidelines that become your BYOx governance model. I like to include the non-IT people just so that we understand their lives and needs and so that they understand some of my concerns. Together, we work out a starting point on governance that we can iterate as we implement BYOx.
3. Do a risk assessment that considers both the likelihood and impact of a data loss. The best place to start is with the impact. What type of data is being used? What would be the impact on the organization if that data were lost or not fully secure? If the impact is high enough (and, for this, be honest with yourselves, as we typically overstate the impact), consider ways to reduce the impact (by forbidding certain activities) or likelihood (by using some mobile data management tools or device security standards or application standards).
4. Define the support model with the IT/non-IT group. In my case, I push for no IT support for BYOx and I confirm that by making sure no one in IT (at least as far as anyone else knows) knows anything about the BYOx applications or devices. Besides, it is highly likely that the non-IT people are adept at supporting all kinds of technology on their own -- their home life is immersed in technology.
I have found that a collaborative, reasonable approach to BYOx improves the relationship between IT and the rest of our world. I encourage you to give up control, build a BYOx governance model and sit back and enjoy the ride.
About the author:
Niel Nickolaisen is CTO at O.C. Tanner Co., a Salt Lake City-based human resources consulting company that designs and implements employee recognition programs. A frequent writer and speaker on transforming IT and IT leadership, Niel holds an M.S. degree in engineering from MIT, as well as an MBA degree and a B.S. degree in physics from Utah State University. You can contact Niel at email@example.com.