For IT, deny-by-default is standard operating procedure. Aimed at minimizing risk, this policy has IT's hand up to prevent end-users from installing any and all nonstandard software. From an IT security perspective, deny-by-default is sound practice. For fostering innovation? Not so much.
Nowhere is this more evident than with the tablet revolution taking place in today's enterprise. The iPad and Apple's curated App Store underscore IT's need to move beyond its deny-by-default history, embrace risk, and evolve its position with respect to the business.
Everything you've heard about running IT is wrong. "IT/business alignment" is a frequently used buzzword (FUB) meant to encapsulate effective IT strategy. But for the most part, this FUB, if you're of the acronym persuasion, is a poor choice of words and an even worse way of running IT. On a fundamental level, the notion of "alignment" separates IT from the rest of the business. And if alignment with the business is the best you can aspire to, you'll soon be toast in this rapidly evolving IT landscape.
As I pointed out (ahem) over a year ago (Hey Corporate IT, Get Out Of The Stoneage), today's IT needs to make a double leap to get to the future. Mere alignment isn't going to do the job.
To succeed going forward, IT must become a successful steward, rather than owner, of technology. It must encourage innovation at every level, right down to the end-user. It must support "single-actor practices" rather than simply enacting global policies. And to do so, you're going to need IT/business integration, not alignment. Becoming an integral part of the enterprise, and not just a service provider to it, is essential, because nothing IT does from now on stands on its own. Everything – people, processes, tools, and technology – will be wired together to reinforce each other in service of the business mission.
Risk management is the philosophy that has become IT's ball and chain. There is one place where "alignment" is the right topic, right answer, and right vocabulary, and that's the choice of priorities.
The most basic fact of business is that there are only three bottom-line priorities: revenue, cost, and risk. No matter what anyone at your company does, in the end it must tie back to making revenue grow, keeping costs under control, or managing risks more effectively.
The way it generally shakes out is this: Small companies, startups, Apple, and, sad to say, a small minority of other large companies rank revenue first, with cost coming in second and risk a distant last. Most large enterprises, having fallen into the play-it-safe trap, rank cost first, with cost coming in a close second and, in third place, cost. They've given up on their ability to influence revenue, and as they can't measure whether their risk management efforts have any impact, they tend not to think of risk as a bottom-line value at all.
It's safe to say that, with the exception of industries in which lives are at stake (health care, nuclear power, offshore drilling), most businesses rank either revenue or cost as their top priority. Risk management just has to be good enough. After all, few actually face the threat of a long vacation in a government-run facility should events go awry.
For IT, the priorities are different, with the most common ranking being Risk, Cost, and What Was That You Said?
In other words, when it comes to bottom-line priorities, IT is misaligned. This isn't to say that risk doesn't matter. It's to say that IT needs to recognize that risk management isn't the top corporate priority and stop acting as if achieving perfect prevention supersedes all other matters.
For example: In front of nearly every employee is more computing power than existed in the world at the end of WWII. Here's what most IT security professionals consider best practice to be: Use it to access a server in the data center that emulates the computing power sitting in front of the user.
Why is that? Because it's less risky because we can control what happens in the data center. If an end-user identifies an application that can help streamline operations (cost reduction) or take care of customers better so they'll buy more from the company (revenue enhancement)? The operative phrase is "deny by default." It means, as if it weren't blindingly obvious, that allowing end-users to install anything that runs on the powerful computing device that sits in front of them is just too risky because of all the bad things that can happen.
It's a persuasive argument, because after all, if you stop all bad things from happening, don't you get what's left? The good things, that is?
It's an argument that holds up to at least 3 seconds of close scrutiny, after which it falls completely apart. Because it rests on a faulty assumption: That good things can happen without taking risks to make them happen. And they can't.
Which brings us to the iPad, and even more, Apple's App Store. Instead of talking about whether end-users should be allowed to install whatever they think will be useful on their PCs, let's talk about whether they should be able to install whatever they think will be useful on their iPads. With the exception of a small handful of technologically sophisticated wise guys, we're now talking about employees finding useful-sounding applications in the App Store and clicking on them so they automagically install.
The reason for deny-by-default is that some PC applications are dangerous. Without intending to, employees might accidentally install what looks like a perfectly innocuous piece of software but in reality is serious malware.
Say what you want about the opaque decision process for what can and can't be sold in the App Store. The bottom line is that Apple actually screens each application before it can be sold through the store. That being the case, does deny-by-default still make sense?
Not at all. Yes, Apple's determination to limit its customers to what it sells in its App Store is a level of paternalistic control many of us find dislikable. From an IT risk management perspective, though, it's more than good enough to stand deny-by-default on its head: Compared to the average cost of an app (10 bucks) and the risk that it's actually something nefarious (negligible), the opportunity represented by employees taking the initiative to find innovative ways to improve how things get done is, in the aggregate, immense.
When deny-by-default is the policy, the response to any request that leads to someone outside of IT using technology to innovate is, "Here's why you can't." In the new IT, the response has to be, "Here's how you can."
In the case of tablets, there's no reason the future can't be right now.