You're going to have to get your HR department involved in your consumerization strategy discussions

It's easy to get caught up in the technical minutiae brought about by the consumerization of IT. (After all, that's what this whole site is about!) But the growing consumerization trend also has a profound impact on the business side of things, with many thorny legal, policy, and compliance issues to deal with. And as scary as it sounds, fully embracing the consumerization of IT means that you're going to have to get your HR department involved!

All this is based around the fact that today's company policies were written for a world before consumerization. There are several examples that come to mind immediately.

For example, what happens if an employee puts corporate data into a non-corporate-supported location (like Dropbox)? Then if there's a security breach, how should the company respond? A lot of companies take a position like "Our company policy is that sensitive corporate data cannot be stored on personal devices." So if an employee does that, they will be fired.

Okay fine, so you fire the employee. But that doesn't help the company's cause. Firing that employee doesn't "un-lose" the data for the company. It would have been better if the data loss had been prevented in the first place.

The other issue is that most employees probably don't even know that storing company data in non-company locations is against the rules. That "company policy" that HR departments always talk about... where is it? Is this something that the employee signed five years ago on their first day of work when they were excited about their new job and had fifty other papers to sign? Do you really think that any employee remembers that? And what exactly did they sign? Was it something generic that says the employee will "adhere to prudent data protection standards?" What the F does that mean, and how does a random end user know that means they shouldn't save the finance pivot table in Dropbox?

Maybe it’s time to simplify the employee policies around IT assets. Take a cue from the credit card industry in the US where new regulations require that they provide simpler "plain English" monthly statements to their cardholders. Perhaps HR can develop new policies that explain the importance of data protection in clear terms, like, "If you have data in Dropbox and you lose your laptop, anyone who finds it can access those files." (We should probably also let users know that if they lose their laptop, anyone who finds it can access anything. That logon password doesn't scramble the files.)

Unfortunately, just based on my limited experience talking to HR, it seems that HR departments are just as clueless about consumerization as IT departments are. (A lot of this is probably because HR people are not as technical as IT people, and the HR people don't even know what's possible or what the risks are.)

So I guess we have a long way to go... Just something else to think about though.


I agree that this is a problem, but for the most part it's one that we've had for years. We're talking about it now because the potential for disaster grows with the consumerization trend.

I think the biggest problem is that many organizations have a policy just for the sake of having a policy. When I started my last "real job," it was just before SOX was about to kick in, and we had to come up with policies. They tasked me on day 1 to come up with SOX policies for everything Microsoft server-related. I asked what the existing corporate policies were, who makes the ultimate decision, etc... The answer was something along the lines of: "Just make a policy...any policy...we just have to have a policy."

I asked if my policy could be "that we have no policy." They said no. I guess "any policy" was a bit of a stretch.

I'd imagine that, even with tons of effort behind these policies, they're all just formalities that exist because they have to (although, it allows the company to go after the person that violated the policy beyond just firing them). Changing them won't amount to a hill of beans in the grand scheme.


The typical policy stating that company data must remain only on corporate-owned systems is not only hidden away in documents employees sign when they join a company.

In fact this policy is included in many of the standard compliance training videos that employees must review every year and click to confirm they understand.

This is typically rationalized by employees because they value productivity over security and everyone else is doing it. You can't fire everybody... The real issue for IT is not covering their tail by having a policy in place in case there is a breach and they can blame the user. The challenge for IT should be providing solutions that are easy to use so they don't hamper productivity (and have the right IT controls for security). Once these solutions are provided... then contact HR to get the policies and training courses updated specifying the authorized tools.


The more "the Royal WE" think through the BYOD argument, the more we realize that it's not just HR but InfoSec, Legal and other departments we need to include. If the data is already lost, the policy isn't worth the paper it's printed on. So ideally you'll have InfoSec (or Network teams) block "restricted sites" whether it's for porn or online storage. Legal has to evaluate what the liability is and Communications has to plan what to tell the press if there is a TJ-Maxx moment.

But we also have to consider inadvertent use of non-company storage (e.g., local device storage or the HD of your home LaserJet). Moreover, how are policy exceptions managed? If we have a policy to not use local devices, what do we do for the sales rep that updated the slide deck on his iPad and needs to print a new copy? How often should these policies and exceptions be reviewed and who is going to manage this overhead?

IMHO, BYOD should also stand for "Bring your own? DON'T!"


This and a lot more was covered in both sessions I presented at BriForum Europe and Chicago. BYOD is way bigger than most companies/IT departments think, and it definitely involves pretty much all departments, from legal and IT to HR. Watch the presentation that Brian and the gang made available to everyone. Definitely an eye opener in many ways.