In 2003 I introduced InfoWorld’s readers to the Value Prevention Society (VPS). You’ll find the complete account below.
I’m republishing it instead of posting a new column because I’ve been traveling and haven’t been able to set aside the time and concentration to write something new.
In the meantime, I’d appreciate your taking the time to review my logic in ridiculing the VPS and its members. The world has changed quite a bit since I originally published the idea and I’m interested in your thoughts as to how relevant it is.
Please share your thinking in the Comments.
Thanks!
– Bob
# # #
We can’t just let users install anything they want!” This, the mission statement of the Value Prevention Society (VPS), has, in a decade, evolved from controversial policy to unquestioned postulate.
The history of the personal computer belies it. PCs succeeded because they freed end-users from the constraints imposed by centralized IT, letting them select, install, and make innovative use of whatever capabilities they could program themselves or acquire through the purchase of inexpensive shrink-wrapped software.
“Nice theory, but,” I can hear VPS members respond, “supporting uncontrolled desktops would blow our IT budget.”
This strawman argument misses the point perfectly. VPS members live in a binary world — the only alternatives they recognize are complete lockdown and total free-for-all. The real world is more interesting. So in the interest of offering solutions instead of criticism, here are some elements of a more balanced desktop support policy:
- Establish multiple levels of supported software. The stuff you install, support, and pay for out of the IT budget right now is one level — fully supported. Next comes software IT has tested and found reliable, but doesn’t pay for or install. Call it endorsed. Third is software IT hasn’t tested, but is well-known, comes from a reliable vendor, or otherwise is deserving of some trust. Call it acceptable. And finally, there’s that other stuff. Call it disallowed.
- Establish multiple levels of support. Problems with fully supported software are first in queue. Next come problems with endorsed software. Problems with software rated acceptable rate the lowest priority, with no guarantees beyond restoration to a standard image.
- Require management approval. As Ronald Reagan was fond of saying, “Trust but verify.” Trusting employees doesn’t mean trusting them blindly, so if an employee wants to install (for example) a personal information manager (PIM) other than the company standard, his/her manager must approve the purchase … and, of course, the PIM must rate “acceptable” or above.
- When integration is vital, company standards rule. If you have no CRM software in place, for example, sales representatives should be able to buy and install whatever contact manager they want. If you have implemented a serious CRM suite that includes sales force automation, the standard overrides personal preferences.
What’s that you say? It’s easier to just lock ’em down?
Of course it’s easier. That’s often the nature of a bad decision.
I remember the VPS from its 2003 introduction (can I possibly be that old? Yes, I can). It should be a source of pride for you that it predates Dilbert’s “Mordac, the Preventer of Information Services”.
I haven’t worked in a few years, but my impression is that most companies have fully authorized, fully supported packages for most common functions. Also, most functions are online as opposed to software that people install on their company-issued laptops.
The VPS is still in power, however, when it comes to anything new and innovative. And they may have a point, at least in some circumstances. For every great new way to approach a work function there’s a TikTok.
We went with “management approval” through an automated, simple tool that requires all software installs to be held for 3 minutes pending IT department review. The promise is a limited delay in exchange for the ability to verify something isn’t junkware or worse. So far, so good.
Only 3 minutes for IT dept review? How do you manage that?
While I agree with the concept on multiple levels of software and support my experience makes me doubt IT departments accepting it. I have seen firsthand how long and arduous getting any software approved. I cannot envision the architecture group or whomever approves any kind of infrastructure component agreeing to software that is outside their standard. They have neither the resources not the inclination to consider and investigate the different types of end user software.
Support is one issue and possibly ripe for ridicule or commentary. The bigger issue nowadays is security. What I load on my PC could provide a hacker entry into our central functions. And that could destroy our systems. What’s the risk:benefit ratio in this case?
Yes, your comments are still largely relevant, albeit with the complexities of more platforms on the technical side, and the complexities of regulatory compliance on the business side- eg I don’t recall if HIPAA was a big concern in 2003; California had just passed their data breach law; GDPR was over a decade away. The regulatory issues became a big stick in the ‘disallow’ category.
VPS folks have an added tool these days — the invocation of cybersecurity. Even so, I think the multi-level concept is still valid, though. It’s a good ideal to strive for. But when the emails flow in faster than you can deal with them, the easier way out is oh so tempting …
I am absolutely in favor of being responsive to End User needs. And overall, IT has earned the reputation as “The Department of ‘No’.”
In my [personal limited] experience, the biggest problem is the “My job is to buy it. Your job is to make it work.” No way to easily import data to a new system? Your problem, not mine. The $400 laptops can not run software? Your problem, not mine. The new system violates a variety of laws and regulations? Your problem, not mine.
This mindset is why (except in rare cases) I do not volunteer my IT skills and knowledge.
The multi-level concept is great…if senior leadership buys in and practices it. Otherwise, it becomes one more tool to demonstrate political power within the organization.
There are two essentials that have to be understood for things to work:
Support. If IT is going to support it, they MUST be part of the process.
I got my Assateague smoked one time because an executive stored critical documents on a Dropbox created by someone who was no longer with the company, and he forgot the password. The fact that I had no Admin privileges with Dropbox did not matter. Thankfully, the CIO had my back (yes, it went that far).
Of even more importance is security and compliance. Picking on Dropbox again, imagine storing documents that could impact stock prices on a Dropbox passworded with password123.
If these issues can be addressed, it would be a great system.