A new Unisys survey reveals that the divide between IT and the rest of the company isn’t closing, but that users are winning

Users: Yes, IT really does think you’re stupid and/or naive, and therefore not to be trusted. IT: Yes, users really do think you’re clueless about their needs and so have decided to act on their own.

That in a nutshell is what Unisys’s new survey (conducted by Forrester Research) of IT and users around the topic of consumerization of IT has shown. The survey released today is significant because it’s the third such annual survey Unisys has conducted, so it not only shows the current state but also lets us see what, if anything, has changed over the last several years after the bring-your-own notion’s dramatic rise in 2010.

The good news is that IT is getting better about BYOD technologies (which are typically mobile ones, such as smartphones and iPads, but also include social networking, cloud computing, use of OS X, and computing at home). The bad news is that users are getting smarter faster than IT is, so although IT is making progress in understanding and working with the BYO concept, and the underlying issue of user involvement in the technologies they use, the gap between IT and users is still increasing. And not to IT’s advantage.

The distrust divide: The elite information workers versus “we know best” IT

Consider the data: About 44 percent of information workers use a smartphone for work, and about 16 percent use a tablet.
Of all information workers, 23 percent — about half of those who use mobile devices for work — are what Unisys classifies as “elite mobile users.” These employees are the most likely to work with customers and business partners, so they have huge influence and power in their organizations. They are also the most likely of all workers to be involved in process improvement efforts. In other words, these are the people driving the business and making money.

These “elite mobile users” are also embracing mobile technology and personally procuring mobile and online technologies to get work done. Note the “personally procuring” — they believe so strongly that these tools will help them do better in their work that they are spending their own time and money to get them. They’re not waiting on IT.

What is IT doing? Well, the good news is that IT has finally figured out that mobile technology is worth supporting. The Unisys survey shows that 61 percent of IT organizations now provide support for company-owned mobile devices (smartphones and tablets), up from just 27 percent a year ago.

But the bad news is that IT is still largely ignoring the BYOD reality. Only 17 percent support personal devices (even though several other surveys show the majority of companies now allow their use for at least email access). You could argue, as I often do, that people who bring their own devices should be self-supporting, and IT should focus on the employees who use whatever they’re given. So maybe that stat is not so bad.

But this one is: 72 percent of IT executives surveyed say that employees are using unsupported devices or apps because of personal preference, not because they need to do critical work. I’m sorry, but IT doesn’t know how to do most jobs in the organization, so what makes IT pros think only they know what tools a salesperson or HR manager or partner relationship manager really needs?
Especially when another survey earlier this year showed that IT was more likely to block Angry Birds than to provide secured alternatives to public cloud storage services.

IT really does believe it knows best: 75 percent of IT organizations don’t let people use their own apps for work purposes, with a substantial subset saying such usage should be grounds for dismissal. Employees have in large numbers (38 percent) decided to ignore such edicts as, well, stupid. They’re trying to get more and better work done, and they’re using whatever tools they can to do so, including their own mobile apps, their own software on their PCs, and cloud services. Remember: These people are the ones who drive the business and tend to be in positions of authority, and are thus trusted. Yet many IT organizations would constrain their tool set and fire them for working outside the lines.

When nearly half of information workers are using smartphones and a quarter of information workers are buying their own technology to do (more) work, IT’s “just say no” approach is irrelevant.

The underlying problem in IT is twofold. First, many IT pros think users are simply buying devices and software because they’ve been bamboozled by ads and fads, especially when they choose Apple or Google products. Second, IT views technology through the lens of risk, and because people are unpredictable and variable, many in IT seek to limit people’s choices and behaviors. When users choose their own and, worse, bring their own, all these IT pros see is risk, and down come the iron gates. Both viewpoints are grounded in distrust of the very people who run and essentially are the organization. That attitude can only lose.

Getting past the distrust divide

What IT should be doing is partnering with these users, says Weston Morris, an architecture lead at Unisys’s Global Managed Services group.
Although he says some of users’ claims about self-empowerment are a bit overblown, he notes that they are spending their own money, not asking the company to do so. In other words, they’re putting their money where their mouth is, and given that these employees tend to be the most effective in business, their judgment can’t be dismissed as naive faddism.

Not only would IT learn what tools work best for users — and often there’ll be no single best tool, given the personal workstyles involved — but it would be able to better assess risks around information flow and where support needs are. Such partnering also lets IT bring in the “mobile elite” as IT proxies, so other business users can get support from their business colleagues rather than always call IT. Other studies I’ve seen show that users prefer to learn from their colleagues anyhow.

As to the risk issue, Morris notes that many organizations are poorly defended already. For example, 80 percent use perimeter security to block outsider access but have no controls inside their firewalls or buildings. Worrying about whether an employee is using Apple Keynote or Google Quickoffice or Bytesquared Office2 to edit PowerPoints is, frankly, not the best use of IT’s time when the entire internal network is wide open.

Morris recommends that IT first understand what it is trying to protect, then create policies regardless of device or app that target those information security needs. The chances are that many such existing policies have gotten too specific in terms of the implementation, leading to a narrow protection approach that doesn’t evolve with new technologies.

For example, an information access policy that requires domain joining cuts out most mobile devices.
An information policy that requires user validation to gain access is a better approach, as that would allow the use of domain join for devices that support it as well as alternative approaches, such as certificates for devices that support them, to accomplish the same goal.

Morris also notes that by focusing on the device level, IT security efforts can get fragmented, creating an inconsistent, piecemeal approach that increases risk through the gaps between methods and through annoying users to the point where they do more workarounds. He recommends that organizations start with their laptop security policies, given how much critical information they store and have access to, then see if they have or can get tools to apply the same policy goals on other devices.

In other words, policies should be about security goals based on a risk/cost assessment for what you’re trying to protect, and the low-level requirements should be derived only after the policies, and not confused with the policies themselves. “You need to separate the detailed execution instructions from the functions they execute,” Morris says. You want to protect information, not blindly apply technology.

It sounds simple, doesn’t it? IT should partner with the business it supports. We’ve heard that “IT/business alignment” mantra in IT publications and consultant recommendations for more than a decade. But the reality is that many IT organizations have done the opposite: They’ve set themselves apart from the users, stereotyping them as drooling idiots. In their minds, these IT pros have divorced users from the organizations, and set themselves up as the high priesthood of how to do business.

Both business and IT need to be active partners, learning to trust each other and focus on the goals of running a successful business with risks managed appropriately for achieving that success. That’s easier said than done, but if things keep going the way they are, IT can only lose.
After all, not only does “the business” far outnumber the IT group, but “the business” ultimately controls the money and the policies. Not IT.

This article, “Does this mean war? BYOD exposes IT’s deep distrust of users,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Smart User blog at InfoWorld.com.