Consumerization of IT brings with it a host of new considerations for IT- some good, and some not so good. I think it is fair to say that balance is the key word in moving forward.
There is a growing sentiment among consultants, experts, and pundits that there is a new paradigm- reasonable risk. For the record, I am not one of them. But first, the disclaimer....
The opinions expressed on this blog are mine and do not represent those of my employer.
Conusmierization of IT to me represents IT providing more flexibility, agility and the like to the end users. As I have stated on previous blog postings, consumerization is not the same as BYOC/BYOD.
One of the key factors in consumerization is - risk. We in IT have always had risk and risk avoidance as one of our primary pillars of the support that we provide. Consumerization should not compromise our commitment to security and mitigation.
2011 by all accounts was the most risk oriented year for IT and consumers in history. Can we connect the dots and conclude that this is the result of not being fully prepared for consumerization? I think that the answer at least in part is - yes.
This suggests that while consumerization needs to and will occur, it should be tempered by the business's readiness to embrace.
There is a host of industry consultants who would have us believe that there is such as thing as "reasonable risk" that can be taken in consumerization of IT. I believe this is a '"code phrase" to suggest that the more conservative of us should ignore our instincts and step ahead of a trend. I simply cannot buy into that at this time.
Below is a summary of my opinions regarding "reasonable risk" and why it has become a catch phrase today (again packaging in my own opinions, and by the way, I am aware that many will not agree with me on these points):
1- "Risk is always reasonable if I am not the one who is accountable for the outcome".
If I am expert and suggest that YOU take the risk, I am covered since all of the potentially negative results are your responsibility.
2- "Risk is not real until it happens".
I pointed this out as one of my findings in the Risk Cycle research and webcast some time ago. Risk is not reasonable until it occurs, then it becomes unreasonable.
3- "Why didn't you (IT) protect me from myself"?
This reasonable risk scenario suggests that those would want to take a risk, want IT to say " no" but not empower IT to enforce governance to bring about security. This is the Catch 22- protect me from myself. These would be the same individuals, business units or organizations who desire consumerization with all of the positives and none of the downside.
4- "Other businesses are doing it"
When the onion skin is pulled base there are two clear scenarios which become clear. The first is that high tech companies who can be consumerized since the end user communities are technically experts, not as consumers but as a part of our job. You should expect us to lead.
The second scenario are those businesses that have invested in third party software to sandbox, virtualization technology, cloud computing so that consumerization can be provided securely. In other words, these businesses are building a consumized back office. They are mitigiating risk in a traditional IT manner.
5- "Consultant X said it is the trend."
No real comment other than to say, look for the follow on consulting engagement.
6- "If you don't move ahead, you (IT) are an inhibitor."
This is the ultimate emotional arument. Let's do something that we are not ready, because it is trendy. Not a solid security strategy.
The ultimate approach is what I have somewhat pronounced before- these are not IT decisions. These are security, HR, legal, and compliance decisions. We in IT represent the execution arm of the strategy, not the detemrining factor. Of course we can do this.
These will be the same organizations that will come back to IT and ask why we did not
A) ask their opinion and
B) did not recognize that it was not our decision.
I would like to hear your opinion.
My strong opinion is that there is no such thing as reasonable risk, it is either secure, or it is not.