You’ve noticed it seeping into the IT workday. An end-user calls the support desk for help connecting a new iPod to the desktop. Another asks how to add Skype capability to the desktop. Consumer IT – technology and devices initially designed and marketed for use in the consumer space – has infiltrated the workplace.
CIOs overseeing the invasion of consumer technology know it’s not enough to simply write a management policy, post it on the intranet and then revisit it a few years down the road. “Stagnant policies and procedures just aren’t practical for these types of technology,” says Rob Israel, vice president and CIO at $400 million John C. Lincoln Health Network. Policies need to be revised on a regular basis according to user needs and organizational security concerns – Israel revisits his every four to six months. And for any policy to work, CIOs need to have a strong communication strategy, involve users in policy creation, build in security and find a balance between restriction and freedom of use.
COMMUNICATE EXISTING POLICIES
“I know some CIOs who have 150 or 200 security policies. That’s just way too many,” says Israel. His consumer IT-related policies total 30. The limited number makes it easier to communicate the policies and their updates. When Israel’s team makes a policy addition or change, they explain the rationale to users with straightforward language. “We’ll say ‘Do you know why we encrypt email?’ Then, we’ll explain why we do it in three or four sentences,” he says.
INVOLVE THE END-USER COMMUNITY
Jay Dominick, who recently became CIO at the University of North Carolina after holding that position at Wake Forest University, sees more consumer technologies being introduced everyday. Most come from students who tend to have both disposable income and time on their hands.
“Our policy-making process involves multiple layers of faculty, staff, student input, and the legal office, so it can take six months or a year to reach consensus,” said Dominick, while still at Wake Forest. In 2000, when Napster hit university networks, Dominick said, “it took almost two years before there was a response from universities as to how to manage it.”
That was then. Students now have input in forming these policies, so the specifics get socialized among the user community before a policy debuts. This way there are no surprises. “A policy that is a surprise won’t get followed,” said Dominick.
BALANCE POLICY STRICTNESS
Given the confidentiality restrictions around patients’ medical data at the John C. Lincoln Health Network, Israel employs a high level of strictness in his usage policies for consumer IT.
At Kennametal, a $2 billion industrial manufacturer, there’s more leeway. IT works closely with end-users to find suitable workarounds to its strict policies, says Raj Datt, VP and CIO of Global Information Technology. An example is a request for YouTube functionality by the sales staff. “Our sales team came to us asking for functionality so they could show potential clients current pricing and inventory…from a video perspective. We responded by enabling BlackBerry access to our ERP system for realtime customer data,” says Datt. Working with users to create a viable alternative has helped change their view of Kennametal IT from that of a cost centre to a value-driven organization. “If we don’t give them an alternative, then they would just bypass IT,” Datt says.
Technology tools are a good way to enforce consumer IT procedures and take control of your security landscape. Israel uses automation tools from Lumension (to prevent users from connecting an iPod to the system before prior authorization) and Pointesec (to force encryption for all removable media). “I have a love-hate relationship with thumb drives. We are moving to mandatory encryption where the saved data is encrypted and the thumb drive itself is encrypted with biometrics,” says Israel.
Once a mobile device is configured to access the ERP system at Kennametal, an automatic security solution is deployed that includes password-protection and the ability for Datt’s team to remotely lock or wipe the data if a device is lost. Datt also has policies around device procurement and only supports certain features of some devices. For example, although there is a GPS capability in the 900 BlackBerrys deployed throughout Kennametal, it is not activated for use at the server level at this time.
It is possible to reap the benefits of consumer technologies in the workplace while still exercising control. At John C. Lincoln, doctors and nurses suggested an alternative use for Bluetooth headsets. IT responded and today, health care professionals are using hands-free Bluetooth to obtain medical updates and new patient care information. Kennametal’s CEO Carlos Cardoso joined the blogger community to communicate to employees and share suggestions about corporate strategy.
“Technology is becoming so personal and so capable that smart people want to use it to make their work lives better,” says Dominick.
SIDEBAR Smile, you’re on company TV
A couple of years ago, senior business executives at Jet Propulsion Lab (JPL) were struggling with how to best keep staff apprised of new thinking. They came to CIO Jim Rinaldi with an idea: they wanted to tape seminars and meetings and make them available online. The idea clicked with Rinaldi and his team; his deputy CIO took ownership of the project. Less than a year later, JPL-TV debuted on the corporate intranet. The tool is a variation on YouTube and currently has about 100 videos in its growing inventory, complete with search functionality (which is still maturing). Employees throughout the organization can visit JPL-TV, search for a specific video and then watch it on their desktop. The JPL-TV team are creating a set of specific management policies which will be found on the site and include items like permission to videotape participants in the meetings and specific guidelines about what types of meetings to include.
Carrie Matthews is senior manager, member services, for the CIO Executive Council.