"I'm sorry, but you can't use that device because we don't support it in IT"
Sound familiar? If so, you may want to share this blog post with the person who said that to you.
Some users have chafed under the restrictions that IT has placed on them, in terms of how they access IT resources. Sometimes it has felt to them as if IT had all the control, and the users must conform, like it or not.
But IT has recently been undergoing a significant shift called the "consumerization of IT." This trend will probably continue as the flood of new and more intelligent devices continues, and as the typical worker becomes more mobile.
Some people believe that consumerization of IT means only supporting new, smarter consumer devices. Although that was the first symptom, this trend is actually far more important and impactful than that. It also includes the massive popularity of social media vehicles for communicating with others - Facebook, Twitter, LinkedIn, Google+ and many, many more. It is also often viewed as including the strong growth of cloud-based services.
But it's not just about devices - it's about the shift of control. The role of IT is changing, and this change is highly likely to be long-lasting. IT can no longer be rigid about how users will interact with IT resources and what devices and access methods are acceptable. Users will be using these devices, so IT must accommodate them while both ensuring security and supporting the convenience that they provide. It used to be that IT could say to users - "you play by our rules." Now, IT must play by the rules of their users as a group.
Users also are changing in terms of their expectations of IT. Today's social-media savvy user has grown accustomed to near-instant gratification on their new sites and applications, and these expectations are carried over to IT. No longer will they tolerate long approval cycles, support for only antiquated devices, and the lack of control that they typically have had in the past.
These trends will result in a new model of information technology, accurately termed "Consumer-driven IT". Users will be driving the requirements for IT, in part due to their adoption of consumer devices that are not controlled by a central IT group. This will result in new relationships not only between IT and their users, but also between IT and the business. IT can become more of a business enabler rather than a mere gatekeeper of technology. In this regard, this trend has the potential to serve as a transformational driver for a new model for IT.
Why is this trend occurring now? Several factors are relevant here:
- Continued innovation in personal devices - consumer information technology devices have become powerful, ubiquitous, and cheap.
- High growth in use of social media and related applications - as of this writing, Facebook has over 750 million active users, 250 million of them access it via a mobile device, and users spend over 700 billion minutes a month using it.
- Externalization of the business - including use of cloud-based services and outsourcing of other functions.
- The blurring of the line between personal and work life - the workforce is becoming more distributed, more mobile, and more home-based every day.
The consumerization of IT is likely to have important organizational impacts. Paradoxically, this trend is likely to both expand the scope and reduce the control of IT. The scope of responsibility for IT will be expanded because its role now doesn't stop at the firewall - the corporate network now extends out to the user and their unique access devices. For example, users might download confidential information to their iPhone, and then mistakenly (or worse, intentionally) email it to someone outside the organization. Security for these varied devices needs to be a critical element of IT planning, and there need to be comprehensive identity and access management capabilities to guard against attacks or improper actions by authorized users.
But, at the same time, the control that IT can exert has diminished. Decision-making will become more democratic (some IT folks might interpret it as being more "chaotic" than democratic) as users begin to wield more power purely on the basis of their need for flexible use of IT resources.
There will also be technology impacts. Security will become even more important because access to corporate IT resources from consumer devices introduces new risks that must be mitigated. In addition, enforcement of access policy should become more flexible and dynamic, as contextual parameters become important in the evaluation of policy enforcement. For example, contextual parameters of an attempted user authentication (such as location, time of day, recent user activity, etc.) will become important for deciding whether the authentication will be accepted, or whether additional, stronger authentication methods will be required. Finally, transparency of access will increase. The boundaries of IT services are gradually becoming more and more transparent to the outside user, as the assets that are accessed become virtualized, or available through on-premise, cloud, or a hybrid of the two. The user will not care where these assets reside, as long as access is quick, convenient, and secure.
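The context-based decision described above can be sketched as follows. This is an added example, not code from the original post: the `AuthContext` fields, the per-user baseline, the weights, the thresholds and the `deny` outcome are all assumptions chosen for illustration, and the sample logins in the usage are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Assumed per-user baseline; a real deployment would learn this from login history.
USUAL_COUNTRIES = {"alice": {"US"}}
USUAL_HOURS = range(7, 20)  # 07:00-19:59 in the user's home time zone (assumption)

@dataclass
class AuthContext:
    user: str
    country: str            # coarse location of this attempt
    when: datetime          # time of this attempt (home time zone)
    managed_device: bool    # False for a personal/consumer device
    last_country: str       # location of the previous successful login
    last_when: datetime     # time of the previous successful login

def evaluate(ctx: AuthContext):
    """Return (decision, reasons) from contextual signals; weights are illustrative."""
    score, reasons = 0, []
    if ctx.country not in USUAL_COUNTRIES.get(ctx.user, set()):
        score += 2
        reasons.append("unusual location")
    if ctx.when.hour not in USUAL_HOURS:
        score += 1
        reasons.append("outside usual hours")
    if not ctx.managed_device:
        score += 1
        reasons.append("unmanaged consumer device")
    # Recent activity: a country change too soon after the last login is implausible.
    if ctx.country != ctx.last_country and ctx.when - ctx.last_when < timedelta(hours=2):
        score += 3
        reasons.append("location changed within 2h of last login")
    if score >= 5:
        return DENY, reasons
    if score >= 2:
        return STEP_UP, reasons  # require an additional, stronger factor
    return ALLOW, reasons

if __name__ == "__main__":
    base = datetime(2024, 3, 4, 10, 0)  # constructed sample data
    office = AuthContext("alice", "US", base, True, "US", base - timedelta(days=1))
    phone = AuthContext("alice", "US", base.replace(hour=23), False, "US", base)
    abroad = AuthContext("alice", "FR", base + timedelta(minutes=30), False, "US", base)
    for ctx in (office, phone, abroad):
        print(ctx.country, ctx.when.time(), evaluate(ctx))
```

Returning the reasons alongside the decision lets the policy engine log why a step-up was triggered, which matters when users question why their personal device was challenged.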
Let's summarize - consumerization of IT is an important trend that has been going on for several years. It will cause important changes in the way that users access IT resources, and the way that IT relates to its users and the business.
Stay tuned for some more thoughts on this topic in a future blog ... meanwhile, you can read additional content here and more on security challenges here. But let us know in the comments what security impacts you think exist. How do the security risks of these devices differ from a simple laptop? What do you think an IT leader should consider when dealing with multiple consumer devices and their security risks?