My previous blog post on consumerisation generated a lot of inbound comment, including some really useful stuff from Chris Peters at Intel which was added to the discussion here. For those of you who haven’t come across this topic before, it is the trend for non-corporate sanctioned devices to be used by employees to access work applications, typically via a browser. The rise of the i-device is partly to blame, not least because they are nicer than the crappy handsets you get given at work, but also because in a few cases they actually make sense.
However, it did garner some off the record and unattributable comment and I’ve shared the gist of it here. Some of the most interesting comment was from employees at public bodies who are dealing with the consumerisation issue head-on right now. The commonly held view was that consumerisation represents a change that is hard to imagine in the public sector. Mobility is high on the agenda of public sector business managers right now. The curiosity in the light of consumerisation is that public bodies are just moving toward the infosec stance Intel had 10 years ago (i.e. strictly control the devices), whereas the model they appear to want is the one alluded to in the Intel paper.
The difficulty appears not to be a technical one, but something a little harder to pin down. Bluntly, the feedback is that public bodies are rarely at a stage where they can admit to some of the changes that would be necessary to permit consumerisation to happen within their regulatory framework. Many of these issues could (should?) be dealt with by de-politicising the situation and removing any internal controls that currently mean the silo mentality still exists. This silo mentality means that some staff retain excessive influence because they are the only ones who know how the processes/systems/data work.
This commentary introduces another dimension to the vexed argument about mobility. For many years we InfoSec/IA professionals have battled hard over what connects to the network, and have lost the fight. The need to drive savings, the productivity benefits from mobility and the sheer recalcitrant bloody-mindedness of our colleagues have meant that people can now plug all sorts of things into the network to access data and do their work. Fine, if we are accepting it, let’s accept it, put some policy, procedure (and where needed, product) in place and get on with it. However, the bane of the InfoSec professional’s life is raised here: internal politics. In the above scenario, the fact that people internally are not embracing change in order to protect their own space is unsurprising, but it does rather go against the whole context of public sector operation right now, with its focus on innovation and delivering cashable savings. The problem is that if this sort of mentality is manifest across whole organisations, it’s actually going to reduce innovation and cost money. People like my contributor above who find their hands tied are eventually going to either a) give up or b) leave the organisation.
The message? Innovation and change are always going to involve giving up things that we hold dear. But NOT changing may have a far higher cost.