A lot of people are talking about the "consumerization of IT" these days. Citrix made it one of the core themes of their Synergy 2011 conference last week, and Gartner predicted that consumerization of IT is going to be one of the hottest trends of the this decade. And many CIOs list "consumerization" as one of their current priorities.
Ironically, much like "virtualization" and "cloud," despite all the people who actually want "consumerization," there's no consensus on what it actually is. (And as you might expect, those to do attempt to define it typically do so in terms that support whatever product or service they're selling.)
Despite all the hype, the Consumerization of IT is legitimately going to be a huge deal. And it's something that should be a priority for CIOs over the next few years. But I don't believe that anyone who's talking about it today actually has it right. So I present to you my manifesto on The Consumerization of IT. Let's look at what it really is, what it isn't, and what we (as IT Pros) can do about it.
(Field note: This article is mostly based on the presentation that I gave at BriForum 2011 London last month in my breakout session called "The Consumerization of IT," although I've updated and expanded quite a few sections based on conversations with many IT Pros I've had since then.)
So let's jump right in. The first step is to clear up the misconceptions that are already about there about what the consumerization of IT is.
Why most people are wrong when they think about "the consumerization of IT"
So far it seems that when most people talk about the consumerization of IT, what they're *really* talking about is BYOC. In other words, many CIOs' "consumerization" initiatives are really "BYOC" initiatives, but with the "consumerization" label slapped on since that's cooler. Of course BYOC is a fine thing to do. Who wouldn't like the idea of employees being able to choose their own laptops? (Although let's not kid ourselves. In today's world, "BYOC" really means "letting employees use Macs.")
But while enabling BYOC and Macs is a nice, the reality is that the IT industry already knows how to solve that problem. We licked it years ago with remote published apps and client VMs and VDI and web apps. If someone wants to use a Mac, sure, we have to work out some minor details (like who's responsible to taking it to the Apple store when the screen breaks), but that's the tactical stuff; that is *not* the ten-year major trend that Gartner is talking about. Building BYOC is something you can figure out in a few weeks. It's not that hard.
"The Consumerization of IT" is bigger than that.
Ok, so if the consumerization of IT is not about BYOC and Macs, the next thing people think about is mobile devices. They think about iPhones and iPads and Androids and ATRIXes. But again, getting a mobile device online and syncing with your corporate email, complete with policy enforcement and remote wiping, can be done with any of a myriad of products on the market today. That is *not* the difficult consumerization of IT. That's just Exchange ActiveSync with some third-party security software.
The reason this distinction is important is because if you think that the consumerization of IT is just about personal laptops and iPhones, then you've lulled yourself into a false sense of achievement. You might think, "Ok, this consumerization thing is going to be huge. We're implementing a BYOC program for laptops and users can use any Blackberry, iOS, or Android phone they want, so now we can check that box and say 'Yes, we've done consumerization.'"
And if this is you, you're about to get your ass kicked.
So what *is* the consumerization of IT really?
Explaining what the consumerization of IT really is can best be done through a story. I was having dinner with a friend and his wife recently. His wife, who works for an antivirus vendor, was making polite conversation:
Her: "So what antivirus software do you use?"
Me: (Looking confused) "What? What year is it? Who uses antivirus software anymore?"
Her: (Now also looking confused) "Well, you work for a public company. Surely there's a policy that you must run antivirus?"
Me: "Dunno? Probably."
Me: "So? I don't run antivirus software."
Her: "But they don't check that when you login?"
Me: "Why do I login? I rebuilt my machine and it's not in the domain."
Her: "Don't you need access to files on the corporate network?"
Me: "I use Dropbox."
Her: "What about email?"
Me: "I configured RPC-over-HTTP, so I don't even need the VPN for Outlook."
Her: "Well, don't they do any type of network access protection when you're in the office which prevents your non-authorized laptop from getting on the network?"
Me: "I use a 3G card."
You get the point. There is literally nothing a central IT department can do to prevent users from basically doing whatever the hell they want. And that's the *real* "consumerization of IT" story. In fact I use a different term for it: "fuit." Fuit is a latin word meaning "he was," as in "he was in charge because he worked in the IT department. He's not anymore." I also chose the word "fuit" because it's spelled F-U-I-T. (Spell it out loud to see what I mean.)
So to be perfectly clear. The consumerization of IT is not about BYOC or BYOD. The consumerization of IT is about the fact that today's users can do whatever they want, and you in IT can't stop them even if you wanted to.
But this is just for geeks, not regular users!
At this point in the conversation, whomever I'm talking to usually says something along of lines of "Well sure, YOU can do all this FUIT stuff from your story because you're an IT geek. But regular users don't know how to do those kinds of thing."
Here's the problem with that logic: It only takes one geek to show a non-geek how to use Dropbox or how to connect to the corporate Exchange server without the VPN. Then that non-geek can tell two other non-geeks, and two weeks later you've got an office full of non-geeks who are doing things their own way.
I'll share another real life example. There are 45 employees at the remote office in San Francisco where I work. Before I joined the company, every single one of them connected to the VPN (complete with its client scans) in order to use Outlook when not in the office. Then I came on board. How many people do you think use the VPN for Outlook today? :) The configuration is just a simple change. (It's literally a checkbox and a new server address.) And I only showed two or three people. But now the whole office has switched over, all by themselves, and none of them even know what RPC-over-HTTP is.
And it's not just email. It's web proxies to get around firewall rules. It's using Dropbox instead of file shares. It's a 3G card to avoid snooping networks. It's a sales rep buying the $500-per-year "personal" edition of Salesforce and using that instead of the company's official CRM platform.
But this is just those pissant kids. Screw them! "Real" grown-up workers don't care.
The next thing people say is that this whole consumerization/FUIT thing only applies to the "echo gen" or "Gen Y" or "kids" (or whatever pejorative term you want use to describe them). Older folks try to invalidate the whole movement by implying this is an edge problem that doesn't really affect real business.
Here's the problem with that line of thinking: My younger sister is one of those echo generation pissant kids. But she has two bachelor's degrees, an MBA, nine years of work experience, and she runs a team of fourteen people. Those "pissant kids" are real contributing adults now! And if you don't think that matters today, consider that each of us only works about 40 years, which means that statistically speaking, every year 2.5% of the "real adults" retire off the top, to be replaced by another 2.5% batch of pissant kids who are going to do whatever they want with technology.
Why is the consumerization of IT happening today?
If we take a look at why the consumerization of IT thing is happening now, we can see a few drivers:
First, SaaS/cloud technology means that any idiot with a credit card is only two minutes away from being able to buy access to more technology than you ever fantasized about just a few years ago. The reason that anyone can use Dropbox, Google Apps, SalesForce, and 3G cards is due to the simple fact that they now exist. (And as you know, denial won't un-invent these products.)
The second driver is the thing about the kids. Those dang kids aren't content with us handing them a plastic locked-down Dell on Day One with the stern warning telling them not to break anything.
The third driver is that even old school actual adults now know more about technology than ever. Old people have iPhones and computers at home and file sharing and web apps. So while they might not posses the same enthusiasm as a 30-year-old for testing the boundaries of their employer's security policies, they still know they're being fed a line of horse shit when their IT guy tells them they only have a 500mb mailbox limit.
The risks of getting it wrong
Ignoring this consumerization of IT / FUIT trend is bad for several reasons.
First and foremost is for security. If users can just do whatever they want without the knowledge of IT, what does that mean for data security? This applies not just to accidental loss, but also for the ability to an employee to take his data with him when he leaves the organization.
Another very real risk is that if companies don't embrace the consumerization of IT, they'll have a problem attracting and retaining the best talent. (Today's poor economy might give us a free pass on this for another year or so, but that won't last forever!) The inability to hire the best workers is not just an "Echo Gen" thing that the pissant kids are going to fight against. Instead, users doing whatever they want is the new normal. In fact we're probably really close to the day where I would actually feel nervous if someone accepted a totally locked down environment. (e.g. "What's wrong with this person that he would accept our total control?")
How companies fail trying to "solve" consumerization
While the consumerization of IT trend is just now picking up steam, it's something that's been around in one form or another for the better part of ten years. (Actually we could probably go back twenty years. The first PCs were bought out-of-pocket by employees of large companies who didn't want to wait their turn for time-share access to the central system.)
As I wrote already, one of the major ways companies fail at consumerization is by thinking they "solve" the consumerization problem simply by implementing a BYOC program and letting users have iPhones. The vendors deserve some of the blame here. Citrix is running all kinds of ad campaigns implying that you can "solve" consumerization by delivering Microsoft Windows desktops to users accessing them from tablets and phones. While this is a great party trick and even helps to solve the BYOC/BYOD need, it does nothing to solve the Dropbox/Gmail/3G/FUIT "real" problem.
Companies also fail by thinking their traditional security products actually protect them from this new FUIT world. I recently spoke to the CIO of a company who claimed to have "solved" the problem of users wanting to choose their own (non-Blackberry) mobile phones by configuring their email system so that iPhone and Android users couldn't access attachments from their phones. ("Since we can't fully secure those devices, we can't give them full access," the CIO explained with a smile.) But not twenty minutes after that conversation, I'm walking down the hall with a PR person from that office when her iPhone rings, and I overhear this half of the conversation:
PR Rep: "Hello? Oh yeah, hi.. uh-huh.. yeah, ok send it over. I'm on my iPhone though, so send it to my Gmail."
At this point you might be thinking, "That security risk exists because they're solving the problem in the wrong way. If they had a data loss prevention product on their Exchange server, they could block that at the sender level."
Good luck with that. (Doesn't the sender have Gmail too?)
Some organizations are trying to solve this problem by building secure corporate versions of consumer apps. Intel, for example, has built this thing called "Planet Blue" that's like a corporate-controlled interally-private version of Facebook. And you know who uses that thing? Not a goddamned person. (Seriously. Ask anyone you know who works at Intel whether Planet Blue has lessened their reliance on Facebook for "work" collaboration.)
Or look at VMware who recently bought Socialcast, the corporate-controlled private Twitter-type-thing that many customers choose to host on premise. The problem with Socialcast (according to VMware employees who started using it a few weeks ago) is that it feels like Twitter did a few years ago. It feels old and weird and slow. It doesn't hook into all the great Twitter clients. And let's face it--it's not Twitter!
So Planet Blue and Socialcast are just two of the hundreds of supposedly safe & secure "private" versions of public social apps that all fail in the same way. Their limited audience means they don't have the same benefit of real public social apps, and their limited customer base means they don't have the same features as real public social apps. The result? Employees continue to use the real public social apps for work-related info sharing. Buying & implementing the private versions just causes the company to waste time and money, creates a false sense of security, and doesn't actually make the environment more secure since the private apps can't prevent users from still using the real apps.
And finally, since we're talking about how companies fail when dealing with the consumerization of IT, let's not forget about "denial." I've met several organizations who are in full-on denial that this is an actual risk. They'll say things like "All our desktops are only available via VDI," or "Our users aren't that smart," or "I work for the United States Department of Defense and there's no way a private could just walk out the door with a thumb drive filled with 200,000 classified documents."
What is the solution?
So that's the landscape of the consumerization of IT problem that's out there. Next week we'll look at potential solutions, both in terms of technologies and mind-shift that we can apply as IT Pros to deal with this new crazy world.
In the meantime, what do you think? How do we start to deal with this as IT Pros?
UPDATE: We launched an entire website to focus on the "solution" for these Consumerization of IT challenges. The website is ConsumerizeIT.com, and it's live now.