You ´ve noticed it seeping into the IT workday. An end-user calls the support desk for help connecting a new iPod to the desktop. Another asks how to add Skype capability to the desktop. Consumer IT - technology and devices initially designed and marketed for use in the consumer space - has infiltrated the workplace.
CIOs overseeing the invasion of consumer technology know it ´s not enough to simply write a management policy, post it on the intranet and then revisit it a few years down the road. "Stagnant policies and procedures just arent practical for these types of technology", says Rob Israel, vice president and CIO at $ 400 million John C. Lincoln Health Network. Policies need to be revised on a regular basis according to user needs and organizational security concerns - Israel revisits his every four to six months. And for any policy to work, CIOs need to have a strong communication strategy, involve users in policy creation, build in security possible and find a balance between restriction and freedom of use.
Communicate existing policies
"I know some CIOs who have 150 or 200 security policies. That ´s just way too many", says Israel. His consumer IT-related policies total 30. The limited number makes it easier to communicate the policies and their updates. When Israel ´s team makes a policy addition or change, they explain the rationale to users with straightforward language. "We ´ll say ´Do you know why we encrypt email?´ Then, we ´ll explain why we do it in three or four sentences", says Israel.
Jay Dominick, CIO at the University of North Carolina - Charlotte, sees more consumer technologies being introduced everyday. Most come from students who tend to have both disposable income and time on their hands. "Our policy-making process involves multiple layers of faculty, staff, student input, and the legal office", says Dominick. "So it can take six months or a year to reach consensus." In 2000, when Napster hit university networks, Dominick says: "It took almost two years before there was a response from universities as to how to manage it."