When I first ran across the phrase people-centric IT, it sounded like just another industry buzzword that some marketing department had come up with. Technology companies seem to suffer from a compulsion to rename everything every couple of years. Heck, we’ve even renamed renaming; now it’s called rebranding.
Sometimes the motivation behind the change is clear: If a product or service doesn’t catch on, maybe labeling it with a catchier moniker will make it popular. It worked for the service formerly known as ASP, and then SaaS, which suddenly caught on when it became “cloud.” Other times, there’s a legal impetus; thus the transformations of Metro into Modern UI and SkyDrive into OneDrive. Other times, there seems to be no rhyme or reason. Microsoft changed the name of ISA (Internet Security and Acceleration) Server, its firewall that was gradually gaining a loyal following, to TMG (Threat Management Gateway) and then, a few years later, killed it.
So I was skeptical when I heard that BYOD was out and “people-centric” was in. Sure, it sounds friendlier, but what does it really mean? As I delved into it a little deeper and really thought about it, though, I realized that not only do these two names not mean the same thing – they can be construed as basically opposite in meaning. And the move to substitute the latter name just might signal a big philosophical transformation in our approach to IT.
BYOD = Bring Your Own Device. The focus is on the device, and that’s nothing new. The focus of IT has been on the computers since the beginning of business networking. And the focus of security has been about hardening our operating systems, tightening our perimeter controls, locking down our devices. Oh, we’ve given lip service to the users’ role in security, with mandatory enterprise security awareness trainings and the like – but even there, it’s been more about how the users should configure their computers and devices than about the people themselves.
Today, though, the hardware is becoming irrelevant. With cloud computing, in a mobile world, we can access our applications, web sites and data with any old device – company machines, personally owned desktops and laptops, tablets, smart phones, public computers – and it doesn’t really matter. The experience is converging into one and the same. Even the software matters less and less. We can do most of the same things on an Android phone or an iPad that we do on a Windows PC.
This trend shows no sign of slowing down in the future. A security strategy that’s focused on the system or the OS will become increasingly difficult to manage, as more and more different brands and models running different versions of different software come into use in our “bring your own” world. And the old ways of implementing security aren’t going to work anymore in a business model where keeping end users happy (and thus more productive) takes precedence over bending to the IT department’s wishes.
Once upon a time, IT could hand down mandates and (most) users accepted them. That was then and this is now. A new generation of users grew up with keyboards at their fingertips and screens in front of their faces. They’re digital natives, and they aren’t willing to blindly accept the dictates of IT about how to use their devices – especially when they’re paying for those devices out of their own pockets. BYOD saves companies a good deal of money on the capital expenditures end, but it can cost a lot in security if you don’t seriously assess the implications of this new world order and adjust your security plan to adapt to it.
Technological controls are still possible and useful in a BYOD world, but they have to be implemented with more diplomacy, and perhaps with a certain amount of compromise. IT isn’t going to gain back the ironclad control that we once had; that horse is out of the barn. We can’t control people in the same way we controlled devices in the old days; we can’t treat them as company property. Today and for the foreseeable future, IT is all about the people – and ultimately, after all, protecting the people is what security is all about, too.