John Donovan thinks that IT departments have a big problem. It can be solved, but doing so will require a radical change in the way IT people think. Wireless devices and networks of all types—from cell phones to PDAs to $100 hot spots to laptops—are proliferating within organizations at a dizzying pace. The problem is that the nature of these technologies makes it easy for them to be used in ways not authorized by IT management.
This can make the CIO's worst nightmare a reality: The enterprise can be invaded by a hidden army of costly and unsecure technologies with no management or security oversight. “The cumulative spending level within the organization on wireless has gone up dramatically in the recent past, without visibility or the ability for the CIO to manage things that are always a concern: security, cost, productivity gain, and the business case aspect,” said Donovan, president and CEO of inCode Telecom, a wireless technology consultancy.
It's a complex issue, since these technologies—authorized or not—often enable workers to do their jobs better. A related issue is that early adopters drive the technology, and these employees most often are very successful employees—competitive and savvy. Reining them in can rob the organization of momentum and initiative. Even if you try to stop them, they're hard to catch. They can be adept at moving funds around to hide the costs of technology that they go out and buy on their own.
Using the outlaws
The good news is that these folks—whom Donovan refers to as rogues—can be keys to a more successful wireless operation.
Examples of how rogues do things differently aren't hard to find. Perhaps a sales executive doesn’t want to use a company cell phone because too many clients already have the number of his current phone. Perhaps he loves Mac iBooks and hates the Dells issued by the company. If he's a road warrior, he may feel that purchasing high-speed connectivity at hotels is a must. Perhaps he's an amateur techie and decides to set up a private Wi-Fi in the office with the three or four people he works with most often.
Donovan maintains that unauthorized activities are proliferating. Moreover—just as the class clown may be voted the most popular kid in class—folks who pay no attention to policies may set the tone for the enterprise. “It’s very, very hard to rein in early adopters,” he said. “Early adopters went in and infected the whole organization. There is a wildfire being started by the rogues that have the best of intentions.”
The situation is not hopeless. Donovan suggests several steps to controlling runaway wireless IT use without stifling the creativity and initiative that causes it. The most important thing is to identify the users. Indeed, the need to do this goes beyond IT as wireless communications becomes a focus of law enforcement efforts.
“It’s really not possible for employees to throw up their hands and say, 'Employees are going to do what they want and we can’t control their actions,’ because e-mail [and other electronic communications] are the equivalent of DNA evidence in importance in workplace lawsuits and regulatory actions,” said Nancy Flynn, executive director of the ePolicy Institute and author of E-Mail Rules, a guide to electronic communications policy management.
Donovan gave four steps to addressing unauthorized wireless IT:
Find the rogues: Employees may want to use nonapproved equipment and networks but they won’t want to pay for them. This means that they must seek to hide expenses. Donovan said that rogues are generally smart cookies who are good at moving funds around a T&E report. Regardless, a savvy bean counter can find them. “The procurement department has to tighten up the points of leakage,” he said.
Reward, don’t punish: “Establish or build an acceptable solution in which compliance is viewed as not just necessary but as worthwhile,” Donovan said. It’s not a good idea to be punitive for two interrelated reasons: You're dealing with some of the brightest lights in the organization, and the ideas their nonstandard approaches represent may well be positive steps for the organization. Also, these employees are good at what they do and probably bring in a lot of revenue. It’s far from certain that you would win a power struggle with them.
Enfranchise the rogue: Let the rogue know that his or her ideas have merit and that the IT department simply wants to ensure that what he or she is doing is accomplished in a way that complements the basic goals of the organization. For instance, you may tell the rogue that he has good reason for a private Wi-Fi for his immediate circle of contacts—but that these networks are inherently unsecure. Once informed of the dangers of such networks, the rogue is unlikely to object to letting IT implement security.
Codify: Once the details are worked out, codify the new arrangement into company policy. It doesn’t help to have a dozen handshake agreements with a dozen rogue executives.