Thursday, November 11, 2010

Forget governance, I want an iPhone!

We have seen that iPhones and iPads have become popular products, firstly for personal use and secondly now within the business context. In our organisation we went through a similar process to ‘adopt’ these devices as I expect would have taken place in many other organisations. Though I think that these devices are great products, I just want to reflect on the process of how these devices seem to be rolled out in some organisations. Besides the business reasons, there is that other pull of the new shiny device... Normal governance does not seem to apply to iPhones.

You hear more and more that IT departments are not able to keep up with the speed at which technology, and specifically consumer technology, changes. I read that about website development, including the use of social networking sites, and also about all the mobile devices. I don’t really believe that the IT department per se is not able to keep up with the speed of these new developments, but that on the one side they are not given the funding and resources to work on these items and that on the other side they quite often bring many practical issues to the table. These issues are usually considered road blocks by management and the business.

When in our organisation the first calls for an iPhone were raised, and for good business reasons, we said that we could provide one to a selected few people but that there was a big risk in relation to security. We simply had not had the time to assess the risks for the network and for the sensitive data on the device itself and find ways to control them. We could do that with the Blackberry, which was our standard mobile phone, and for the time being advised against the iPhone for broader roll out.

This is not much different from what happened in a large organisation in Australia. Management wanted the iPhone but the IT Department raised issues in relation to the risks. The device was however so appealing to management that the response simply was “Give us the phone or else ....”.

It is actually funny to observe how the iPhones with their security risks have been rolled out into organisations. These days auditors are very strict in relation to security and business continuity. Just like many other organisations we now have strict rules around our network security, password policies, etc. When I informally asked our auditors what their position was in relation to the iPhone, I did not get an answer. But what they could tell me was that their management also used iPhones. In other words, the same probably happened there just as in any other organisation: the IT department probably advised against it but this advice was put aside in favour of the attraction of the new shiny device. So if the auditors can use the device, they would never come with an audit report telling their customers not to use it or that they were not diligent enough with the roll out. Doctor, help yourself!

The problem we run into is that there is this nice shiny device that looks so great and so handy that any potential risks are put to the side, going against any rules and measures put in place to control those risks. In recent years many organisations have focussed on improving policies and security mechanisms to control unauthorised access to data and systems, but these policies don’t seem to apply to iPhones. If the reward is big enough, people are willing to take the risk and simply don’t want to hear about the risks. And the reward here is very much the sensation and feeling good, not much different from a drug addiction. The iPhone makes you feel good and increases your status.

My wife is considering an iPhone as well. If I explain that you can get the same from a different brand with the Android operating system, she just looks with glary eyes and replies simply that she wants an iPhone. And no wonder, you got to have an iPhone these days to be considered a modern human being. Would you think that 13 and 14 year old kids need an iPhone? Probably not, but the truth is that a large number of kids come with an iPhone or iPod Touch to school. On top of my 9 year old daughter’s wish-list is the iPod Touch. But with all these electronic toys, aren’t we spoiling our kids a tad too much? Can’t they just play their games on the Nintendo that was so important to have a year ago? How square can their eyes get? Isn’t there already enough peer pressure and cyber bullying?

The initial risk that we identified with the iPhones was that sensitive data will be stored on the device, specifically because they will be used by those on the most senior level. This risk is primarily with the loss or theft of the device, making all the data on the device accessible by the new owner. The risk that the phone would be hacked remotely to gain access to the corporate network would exist as well, but I considered that risk already much lower but not unrealistic. You’ve spent millions to secure your network from all sides just to open a new door?

To mitigate the risks and provide support to the mobile devices, the helpdesk and some key IT staff need to build up their knowledge and experience and therefore need to use one themselves. Of course they understand the technical risks and you expect them to use it sensibly. It is not unthinkable that some of them are not immune to the attraction of the device. They might opt to access various systems via the device and therefore introduce the real risk for hackers by storing various network addresses with usernames and passwords on the device. That device with its high risk of loss, theft and lack of security will then form a realistic threat to the whole network.

I see this as not much different from the use of opium over 100 years ago as a solution for psychiatric problems. The symptoms temporarily disappeared and it made the patient feel good. There was in those days insufficient understanding of the risks, including the addiction that would follow. In those days many doctors experimented themselves with the drug as well, with of course the necessary consequences. Sigmund Freud experimented with cocaine, not only for himself, but also for patients. Doctor, help yourself!

In public places I notice that I am still one of the happy users of a classic Blackberry and do not have an iPhone. And there is something to say about the iPhone (or equivalent modern device). You can access your Google Maps or run a sat-nav program to give you driving directions. As I said before, I am quite often a big fan of old technology. For driving through Sydney I get by very well with the old fashioned street directory on paper. Specifically when it comes down to the last bit of the drive, I sometimes need to stop and look up the directions again. You might think that a sat-nav is then so much better, but I hear others who have a sat-nav also often say that they were steered in the wrong direction. I think the old technology exercises my brain and keeps it young (I love old technology), but there are of course the odd situations where you wish you had sat-nav with you.

An iPhone is of course a fantastic business tool. Browsing the web, reading emails etc. just became much easier and more comfortable. I do believe there is some level of productivity gain and there are many cases where these gains can become significant. Many organisations have staff out in the field and if you can bring the relevant software applications to them on their travels, it is easy to see the benefits. It is easy to develop a business case for it.

But there are also so many instances or aspects of the roll out of those devices that are purely driven by the feel good sensation, and I observe that common sense is being put to the side. Whether that is that we give in to our kids or demand as executives that they give us the latest gadget. We should consider better if this really is the right thing to do or if we should first develop our business case and assess the pros and cons.

Let me make it very clear that I don’t have anything against iPhones! This is not a rant against iPhones. Apple did a fantastic job and finally delivered something that was already anticipated over 10 years ago during the heydays of the Internet boom.

I think that the IT department should be given more time to evaluate such a product and develop their control mechanisms and that you also should give the product itself the time to mature. Over time Apple introduced improved security mechanisms and the question is whether you should give it a bit more time to mature or really need to jump on the bandwagon straight away.

There are many good business cases for mobile devices such as the iPhone and in combination with the above you should work those out. Feeling good is always important in life – at work as well as at home. But sometimes you should also consider whether it really improves your productivity and what the real benefits and threats are. Of course I also want an iPhone but for now the Blackberry suffices, just as my street directory.

Just a note for mothers. I think that all mothers of young children should have an iPhone. All parents know that babies and toddlers prefer their parents' keys and phones above all toys in the world. And the beautiful thing of an iPhone is that it is not only a nice shiny thing, there are actually moving images on it. It is a small TV and we know what that does to kids. It keeps them quiet! iPhones significantly reduce the screaming and crying in public places. Here are some apps. The iPad with fully downloaded movies will be the next step in this silent revolution.

2 comments:

  1. It is now very clear that any organisation that cares only a bit for their staff will need to give them all an iPhone:

    http://www.theaustralian.com.au/australian-it/exec-tech/a-call-for-help-is-just-two-clicks-away/story-e6frgazf-1225949643333

    There is a real risk that I get bitten by a snake on my way from home to work.


    But these life saver apps raise a question. If I download all apps that I ever might use in the future to my iPhone, I probably have downloaded a couple of thousand (provided that I have the storage capacity), then in case of emergency it probably will take a little while before I have located this app. Maybe calling 000 might be quicker. Or in case I need info, Google...?

  2. I like how the security issue of people reading confidential documents or emails on public transport is always overlooked. As more people have access to these devices the more people I see showing off these gadgets to everyone.

    I like to see people's reactions on trains as I "blatantly and deliberately" look over their shoulders and read the documents they are working on. I get a look of me being rude but they still keep them open. Just glancing at an anonymous person's Facebook can tell you a great deal about a person. Where they work and what they do and with whom.

    What about the basic questions you get from banks and other institutions when you forget your password over the phone? What is your DOB and what's your address at home? Pretty easy answers you would get from asking anyone at work.

    How many times have I read on BBC where a MOD (Ministry of Defence) laptop has been stolen, lost or sold with all the information still intact and insecure. One occurrence happened just last week when a laptop was purchased on eBay with all the details of soldiers fighting in Afghanistan stored on it.

    The more access and ways of getting access to information will make interesting times for IT departments and interesting over shoulder glances for me :)
