


Contributing Writer

IT Consumerization Momentum and Implications

Aug 08, 2011 | 3 mins
Android, Apple, Cisco Systems

New era for IT operations and security

Pick up any tech journal and you still read headlines like, “CIOs must be prepared for IT consumerization.” The articles in this genre proceed to warn IT executives that resistance is futile: IT consumerization will eventually impact their organizations.

Resistance? Eventually impact their organizations? These warnings were appropriate when dinosaurs walked the earth! Forget the future; IT consumerization is already well underway. According to ESG Research, 55% of large organizations are experiencing “significant growth” of alternative endpoint computing devices (i.e. smart phones, tablet computers, etc.). Why? The biggest driver is “end user demand for different/alternative devices.”

So have we entered the “post PC era” as some analysts suggest? Not in my mind. Yeah, I know that web applications and cloud services are growing like crazy, but I still see many organizations with thousands of Windows PCs and Microsoft Office. This combination may be the mainframe of this timeframe. Like the S/390 of the 1990s, we have too much invested in Microsoft technology to pull the plug anytime soon.

So we are clearly moving beyond Windows PCs in the enterprise. What does this mean? In my mind, we have to remember when managing PCs was the most disruptive activity in IT (not too long ago) and learn from the past. A few thoughts:

1. Around 1995 or so, the PC mantra was standardization: standard vendors, standard applications, standard configurations, etc. The thought here was to standardize on vendors to maximize volume discounts, and to standardize on software and device configuration to streamline operations. To the extent possible, this same mindset should be used for alternative devices. I realize it won’t be possible to tell the iPhone or Android crowd to switch platforms, but IT should have a standard secure configuration for all leading mobile computing devices. IT must also quarterback patch management activities — users won’t do it. I think Symantec’s mantra, “A well managed device is a secure device,” has some merit here.

2. Mobile devices place a big priority on wireless security and network access controls. This means that it’s a good time to review wireless security policies and controls. I also like the Unisys internal policy where employee devices are instrumented with digital certificates for AAA purposes. Oh, it’s probably a good time to look at RADIUS server policies and functionality as well. Cisco’s new Identity Services Engine was really designed for this intersection between mobility, security, and network access.

3. PCs have security software, therefore mobile devices should have security controls. Mobile devices may feel like toys or modern day “boob tubes,” but they are powerful computing devices that could pose a threat to high-value network assets. Additionally, let’s not forget that lost devices are the biggest risk. If these devices contain regulated data, a lost $49 iPhone could lead to millions of dollars in damages. The key consideration with mobile devices is where to put the security controls. Should they be deployed as resident software? Cloud services? Agents and cloud services? All of these options will have an appropriate use case, so it’s important to really research options.

A few other notes here. First, endpoint virtualization tools from Citrix, Parallels, and VMware will likely play a huge role in mobile device application deployment and security, so make sure to do some due diligence here. Finally, in the era of Advanced Persistent Threats, it is critical to understand both device and user behavior. If Androids look like anonymous IP devices to monitoring tools, this could be a big problem.


Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
