When you work in IT, control seems natural. How else can you ensure things will work?
Here’s how the typical person in the business sees it — and why they’re going to resist even minimal controls like “approved devices” and “let us install this.”
They bought their device, probably in a mall, from a kiosk or store operated by a vendor.
They turned it on, and it worked.
They installed an app or two, and they worked.
They browsed a website or two, and that worked.
Why, then, do you think things won’t work here?
After all, the phone was made a different company than the carrier, the apps all came from even more companies, and the websites are from all over the place.
Yet — phone, pad, netbook, whatever — it all just worked.
That’s the core of why they don’t think IT needs control over what they use and how they use it.
After all, the WiFi at Starbucks worked just fine — what’s special about it in our office?
The reality is, of course, that on the public Internet everyone has had to solve the same security and data protection issues that IT worries about.
Amazon has to protect your credit card and shipping address. The Android Marketplace likewise. The Globe and Mail’s app had to handle the newspaper subscription for that iPad.
Why is it that IT doesn’t see the world the same way?
The way of the Internet: each service is its own thing, and secures itself.
Anything that can route there and establish an IP connection is welcomed.
Instead, IT typically sees security, integrity and protection as add-ons, something that has to encompass everything, while it’s wide open once you’re inside.
That’s a design flaw that no one’s questioned for years. It’s a hangover from having a single computer — mainframe or midrange — with a security package installed on it and dumb terminals attached to it.
In today’s world of virtualized servers, cloud resources, multiple device types, “work anywhere” habits, that just won’t cut it.
Business folk would be readier to play ball if they thought IT had caught up to the twenty-first century.
So IT will lose the control battle. The business will make sure of that.
I think, if I ran IT, I’d be architecting security and controls the business can work with.
That might actually sell a “transitional period” of device limitation and control.
Nothing else will.