by Sarah Stephens, Marcoms Programmes Manager
The CISO of one of the world’s largest airlines recently stated that just a few months ago the number of personal devices in the business was a handful. It had since become an irreversible tide. Like many others in his position he was looking for ways to manage this phenomenon before it got out of control. His statement was proof that consumerisation is very real and cannot be dismissed as the stuff of theoretical white papers anymore. If it is happening at a major airline, CISOs can be sure it is happening in their own backyards.
Many CISOs are following an adaptation path which begins with denial and the refusal to accept consumerisation in the workplace. The rapidity with which it is happening means that denial and refusal are no longer viable responses.
This document outlines some suggested key steps towards managing consumerisation.
1 Accept that it's happening
A head in the sand approach won’t cut it. You have to accept that this is happening even if you don’t yet see significant numbers of devices in the workplace. Consumerisation isn’t just about iPads and smart phones. It’s also the use of social networks, personal cloud applications and a new attitude found in certain employees who are using consumer technologies to change the way they work and live. Forrester has dubbed these employees as Highly Empowered and Resourceful Operatives (HERO). The temptation to dub these people as rogue employees is a mistake (see Step 5).
2 Plan for adaptation
This is crucial to successful adaptation of consumerisation. You need to work with other parts of the business if this is going to be successful. This will include other C-Suite members especially the CIO and HR Director. Consumerisation is a board room issue and your plans need top level consultation and approval from the start. This may be easier than you think - the boardroom is likely already the home of HERO employees. Use this to your advantage. You need to think too about the impact on partners and customers.
3 Put policies in place -- decide who gets what, when and how
You need to rewrite the security and IT policies to accommodate consumerisation. This means developing a set of policies that define those devices, applications and working practices which will remain within existing corporate controls and those which can come under the new consumerisation policies and status.
How these policies play out depends on your industry sector, employee roles and locations. There can also be hardware definitions that delineate whether a consumer device is fully supported by IT, shared ownership or employee supported with total user liability.
It’s essential that whatever and however these policies are defined and introduced that the core policy remains the security of enterprise data held on any consumer device, in transit or processed on an external application.
4 Adapt the technology you already have
Consumerisation is largely a shift in technology ownership and processes. But at is heart is the still the need to protect data at rest and in transit. Treat all consumer devices and applications as simply mobile devices and you will discover that much of your existing MDM and Access Management tools can be adapted to meet the advance of consumerisation. Audit and consult with CIO and IT managers and look towards your key suppliers and partners who should be preparing for consumerisation also. New management solutions will come on stream. Find trusted partners who can adapt and learn with you.
5 Watch and learn from your “rogue” employees
There is a tendency to label those displaying consumer tendencies as “rogue” employees. Forget that. Instead see them as role models that you and the business can learn from. Study and learn from their usage patterns. What do they do with these devices? When do they use them? What applications do they connect them to? Turn your rogue employees into technology champions. Accept that they have adopted applications like Skype, DropBox and Google Apps because they work for them and they trust them.
And they use them - in part - to perform their job functions and make life easier. The fact that they also use them to drive personal activity is all part of the consumerisation that you are accepting - right? Don’t try and fight social trends - the merging of personal and work functions and the interruptive pattern of work is here to stay and is a global trend. You are likely already doing it yourself. Be open to new ideas, new technologies and applications.
6 Work with the company conservatives
There will always be those among the company hierarchy who will look to stop or at least severely curtail consumerisation in the enterprise. They may be wrong but if the corporate culture is strongly entrenched it’s best to work around it and not fight it head on. Instead focus on individual and incremental change through the working climate - create consumerised micro-climates as test beds and engage in the lessons of Step 5 above. Be ready for the time when the corporate climate changes to embrace. Your learnings will then be ready to be adapted across the company.
7 Know your sector and costs
Your industry sector greatly affects the speed and acceptance of consumerisation. As does job type and role. Factor this in when planning for consumerisation. Some analysts talk of significant capital cost savings that can be had with the onset of consumerisation - i.e. reduced support costs. But this is disputed by others so you need to careful about selling such savings. Consumerisation is really about device management and the shift in technology usage. Cost savings are great if you can get them but remain focused on security and efficiency -- and business usage. Get back to those infosec basics such as data management, compliance, policy and risk management. A consumer device or application is only a risk if it is not regulated and managed.
Feel free to add to this list by submitting your comments.