misleading article about letting users manage their own pc

I’ve finally actually read the article I previously mentioned, IT heresy revisited: Let users manage their own PCs. While I like the topic and it brings good discussion, the author goes off on too many bad points. In fact, I think the author needs to simply spend some time in an IT department (more than likely the author is a stay-at-home cyber journalist who is king of his 2 computer home network and all-in-one fax-printer…).

I want to start out with a disclaimer that I am sympathetic to both sides of this debate, both on the side of centralized control (both for operations and security) and on user freedom. I can argue this on both sides all day or night.

The author repeatedly uses Google and BP as examples of this empowerment of users, but this is misleading.

Search giant Google practices what it calls “choice, not control,” a policy under which users select their own hardware and applications based on options presented via an internal Google tool. The U.K. oil giant BP is testing out a similar notion and giving users technology budgets with which they pick and buy their own PCs and handhelds.

This is a hell of a lot different than opening up employees to truly choosing their own hardware and software. This is still a list approved and likely supported by Google’s internal staff.

In this Web 2.0 self-service approach, IT knights employees with the responsibility for their own PC’s life cycle. That’s right: Workers select, configure, manage, and ultimately support their own systems, choosing the hardware and software they need to best perform their jobs.

Really, they support it? So when they mess it up, they have administrative rights to uninstall and reinstall? Do they have the ability to call the manufacturer and talk through a motherboard that is flaky and get a new one sent out? I’d have to call dubious on that. Sure, they can choose their software from a list of options, but that’s still not truly the freedom many workers are looking for in managing their own workstation. If they can’t put on Yahoo toolbar, Google toolbar, 3 different IM systems, and 4 screensavers of their choice (yes, people still do that!), then it’s not the freedom they’re often wanting. The author is misrepresenting this group, or poorly defining the group (more on that later!).

All too often, IT groups write and code policies that restrict users, largely based on a misbegotten belief that workers cannot be trusted to handle corporate data securely, said Richard Resnick, vice president of management reporting at a large, regional bank that he asked not be identified. “It simply doesn’t have to be this way,” Resnick said. “Corporations could save both time and money by making their [professional] employees responsible for end-user data processing devices.”

I can’t outright agree with these sentiments. There are plenty of instances where employees shouldn’t be trusted with such data. In my company, we have an email filter that looks for sensitive data such as SSN fields in an Excel spreadsheet being sent. It captures this and turns the email into an “encrypted” email by forcing the recipient to log into an account on our mail server and pick it up. Users don’t like this (duh, it’s a terrible solution) and we’ve had one user mask the SSN field just so she could email the document to a client. This user didn’t even have any admin rights on her system, but still had the ability to put data at risk to satisfy a task.

People don’t think about data security, even if that is spelled out as their responsibility in a policy. Users care about getting their jobs done. While this isn’t universal and plenty do act responsibly, we are forced to react to those that don’t.

To IT, the glaringly obvious advantages of user-managed PCs are reduced support costs and far fewer pesky help desk calls.

I don’t buy this either. Users may have more questions since they all have their own setups and IT staff will need to know a wider array of those options. That or they will turn users away when confronted with unsupported software/hardware, causing frustration.

One thing IT needs to worry about is simply displacing the frustrations that users have. Such empowerment may move frustration from users not having enough freedom to users having so much freedom that IT can’t properly support them. Should users be frustrated with not being able to install their favorite software or be frustrated when their PC runs dog slow with all the crap on it? Or will they be frustrated with the array of choices in software and hardware and just want a template for their job? I know many coworkers who would actually be unable to properly choose their own hardware and software to get their jobs done, and feel far more comfortable having it prescribed to them. Sure, the freedom may be fun, but the grass on that side of the fence still tastes like grass after a few chomps.

Google CIO Douglas Merrill concurred. “Companies should allow workers to choose their own hardware,” Merrill said. “Choice-not-control makes employees feel they’re part of the solution, part of what needs to happen.”

Again, I disagree in part. For many workers their job duties do not include maintaining a proper PC system. They want and need IT to take care of that often frustrating piece of their day. We fight this every day in the security field with people claiming security isn’t their job. (And I’ll argue that they’re both right and wrong.) Besides, do you want your employee making sales calls all day, or spending half the day maintaining their system?

“Bottom line: The technology exists,” Resnick said, “[But] IT has no interest in it because their management approach is skewed heavily toward mitigation of perceived risks rather than toward helping their organizations move forward.”

I’ve disagreed a lot with this article, but I do realize the problem posed above. I don’t think these risks are necessarily perceived risks, but we do have to keep an open mind toward improving employee morale and productivity with computing. If we can peel back control without incurring excessive costs and risks, why not? Are we holding the company back, or are we encouraging innovation and creative solutions?

Sadly, the article continues to pound home that workers should be able to choose their own hardware and systems. This is a hell of a lot different than someone downloading and installing and managing their own software independent of IT entirely.

“I would expect most companies to implement basic security protocols for employee PCs, including virus scanning, spam filters, and phishing filters,” Maine’s Angell said. “They might provide software tools or simply implement a system check to make sure that such items are running whenever the employee’s laptop is connected to the company environment.”

Unfortunately, some host-specific security mechanisms become far less useful if users have administrative rights to the systems. IT cannot rely on the host-based firewall to be configured to limit access to network resources (users can just turn it off) or to stop the egress of malicious connections (users can just click allow). A piece of malware run by a user may disrupt such controls immediately. Basically speaking, IT can remotely monitor systems that users control, but can guarantee no level of security. IT no longer owns that piece of hardware; someone else does.
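
The "system check" idea and its limit, as an added example that is not from this post or the article it quotes: a server-side evaluation of posture reports that fails closed on missing fields and refuses to call a host compliant when its user holds admin rights. The report fields, the three-day signature threshold and the verdict names are assumptions, and the sample reports are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_SIGNATURE_AGE = timedelta(days=3)  # assumed policy threshold

# Constructed posture reports, shaped like what a hypothetical endpoint
# agent might send when a laptop connects. Not real data.
SAMPLE_REPORTS = json.loads("""
[
 {"host": "sales-01", "firewall_enabled": true, "av_running": true,
  "av_signatures": "2024-05-09T08:00:00+00:00", "user_is_local_admin": false},
 {"host": "dev-07", "firewall_enabled": true, "av_running": true,
  "av_signatures": "2024-05-09T08:00:00+00:00", "user_is_local_admin": true},
 {"host": "mktg-03", "firewall_enabled": false, "av_running": true,
  "av_signatures": "2024-04-01T08:00:00+00:00", "user_is_local_admin": true},
 {"host": "lab-11", "av_running": true, "user_is_local_admin": false}
]
""")

def evaluate(report, now):
    """Return (verdict, reasons) for one posture report."""
    reasons = []
    # Fail closed: a missing field counts as a failed check.
    if report.get("firewall_enabled") is not True:
        reasons.append("host firewall not reported as enabled")
    if report.get("av_running") is not True:
        reasons.append("antivirus not reported as running")
    stamp = report.get("av_signatures")
    if stamp is None:
        reasons.append("no signature timestamp reported")
    elif now - datetime.fromisoformat(stamp) > MAX_SIGNATURE_AGE:
        reasons.append("antivirus signatures older than policy allows")
    if reasons:
        return "noncompliant", reasons
    # Every check passed, but an administrator (or malware running as one)
    # can switch these controls off or alter what the agent reports.
    if report.get("user_is_local_admin") is not False:
        return "self-attested", ["checks passed on a host the user controls"]
    return "compliant", []

def triage(reports, now):
    """Map each host name to its verdict."""
    return {r["host"]: evaluate(r, now)[0] for r in reports}

if __name__ == "__main__":
    now = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
    for host, verdict in triage(SAMPLE_REPORTS, now).items():
        print(f"{host:10} {verdict}")
```
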

Finally! At the end of the article the author defines the audience he’s really been addressing this whole time: users who have some technical proficiency and stake in remaining creative with their problem-solving using their PCs. The author should really have put this at the front of the article, but instead chose to hold it back until now. Basically stirring the pot with a sensational piece and then limiting it down to something more reasonable at the end, much like trudging 3 blocks in the pouring rain only to arrive at your destination and realize you could have gone one extra block and taken a skywalk the whole way.