Establishing a consumerization culture with 6 critical capabilties
In part one of this two-part post, I described how the compliance and cost concerns of a bring-your-own device model and its deeper implications require us to recognise a looming problem. Here in part two, I describe some of the concrete steps I believe you should take to avoid a consumerization backlash by taking a balanced approach designed to mimimises consternation while encouraging innovation.
“You can’t always get what you want, but if you try some time you might find, you get what you need.” Mick Jagger
So how does the CIO determine what an end user really needs without having to sanction every decision themselves? In my blog on the IT service broker I recommended establishing and publishing a service catalog that includes both internal and external services. The central idea here is that most shadow IT occurs when users are not even aware that a similar service is available internally (often as a sunk cost and therefore free when compared to a cloud service).
The same catalog is also useful for basic BYOD deployments. By helping users choose the right device for their needs, IT maintains its trusted advisor status and is a huge value add for the less technically inclined. How can you get started?
1). CONSOLIDATE demand. Before you can establish a service catalog, you’ll need to add both your own and third-party services. I find that by allowing your Program Management Office and/or your enterprise architects to capture and classify all existing and requested services into one place and establish a plan for qualifying them. Heads up--you should consider declaring an amnesty for the userrs of unapproved services; however, check with your legal counsel before doing so, especially highly regulated industriess.
2). CLARIFY the rationale behind the rules. The “Hacking Work” authors have a point; the dumb rules that don’t add value or protect you from real material risk cry out to be broken. The problem for your users is they don’t always understand the difference between corporate craziness and compulsory compliance. Equally, I’ve known overly zealous risk and security managers that would gleefully place the business in a hermetically sealed Faraday cage purely out of the well-intentioned desire to minimse risk. However that cure is often more debilitating than the disease. I recommend educating your team on a business oriented risk management methodology (Gartner analyst Paul Proctor’s RVM is but one example, your mileage may vary) in order to better understand the the consequences of small actions in the context of the big picture.
3). SIMPLIFY your catalog. If it looks like something that only airline check-in staff would be able to use (if you’ve ever peeked behind the desk to look at their screens you’ll know what I mean), then you’re making it too hard and they’ll go somewhere else. Think Amazon store and you’re getting closer.
4). MONITOR the actual risks against your model. In a consumerised IT environment, your risk team’s job changes to gathering sufficient intelligence to identify potential patterns. The ability to identify that a large number of low grade risks has suddenly added up to a large scale residual risk for the business is a reason why we built a solution like HP Enterprise View.
5). PUBLISH the actual and subjective experience. The number of people who’ve reached out to me saying they bought a trendy device based on the buzz only to find it’s buggier and harder to use than their corporate supplied PC is staggering. That means continuously assessing and publishing not just costs but also quality and risk. Consider establishing monitoring and log management to gather data on the failure rate of devices, unexpected crashes and service outages that reveal the actual experience of users.
6). LISTEN to your users. If they’re unhappy with the functionality (or cost, quality and performance) of the service, then they’re almost certainly going to stray into the open market. Ignoring them isn’t going to make the problem go away, however your end users might start ignoring corporate IT. Get proactive and use social enabled management software to become a listening organisation.
The alternative? Placing a blanket ban on Bring Your Own anything? In my optinion, that's a step not far removed from turning off the lights as far as innovation is concerned.
I believe that the IT consumerisation trend is here to stay. Enterprise IT’s collective challenge is to refresh outdated policies, accelerate usability initiatives for “on premises” services and finally to educate end-users in the practical risks they introduce if and when they cross the streams of home and office.
What about your experience with IT consumerization? Nightmare or nirvana? I’d like to hear from you.