Policies and Procedures – Page 60 – IS Survivor Publishing

Deciding how far to open the portal door

What is it about vitamins?

When I was a kid they were chewable. Then I grew up and they were small, coated, and easily swallowed.

Now they make me feel like Mr. Ed: They’re the size of horse pills, and if (when) they get stuck on the way down I taste alfalfa, or maybe straw.

Speaking of things that are hard to swallow, correspondent Mark Sowash made me aware that, since at least last October, Gartner has been predicting increased employee ownership of PCs (“Ready or not, here comes user PC choice,” Computerworld, 10/15/2007).

There is, of course, a difference between prediction and advocacy. Still, fair’s fair — Gartner got there first (ouch!) and I agree (the horror!).

The Computerworld article describes a 250-employee consulting company that’s giving employee PC ownership a try.

It isn’t going to be a free-for-all. The company is establishing standards for all PCs that connect to the corporate network, especially for security. It will scan devices for compliance before they connect. It’s moving its enterprise applications to web-based access to keep enterprise data in the data center.

Sounds well-thought-out and workable to me.

Following last week’s column on this subject (“Getting to 21st century IT,” Keep the Joint Running, 3/3/2008) I added two posts on Advice Line, the question-and-answer blog I do for InfoWorld (“Can virtualization resolve the IT/end-user disconnect?” 2/29/2008 and “Getting to 21st century IT – User-owned PCs?” 3/4/2008), asking for comments. The response was enthusiastic, perceptive, argumentative at times, and in all respects worthwhile.

I was struck by something: The positions taken were generally rooted in a hidden assumption about the nature of the workplace and employee. Those advocating employee ownership, for example, tended to be travelers or knowledge workers who are expected to creatively solve problems for their employers. Many of those who rejected the idea (and the idea of significantly loosened controls) support production workers with well-defined responsibilities that are entirely supported by the company’s enterprise applications.

The more I think about the subject the more I’m convinced the right answer isn’t yes or no. It’s “it depends.” This is, in retrospect, obvious. It’s also woefully incomplete, because the moment you say the words, you have to then explain what “it” depends on.

We’ll start the ball rolling this week with three factors: size, role, and regulation.

Size: Small companies tend to succeed through individual initiative, employing generalists who understand a broad swath of what the company does. Most “business process” happens inside one employee’s head.

As companies grow they gain economies of scale. To get them, they have to standardize what was idiosyncratic, whether the subject is business process, HR policy or PC configurations. Employee roles specialize, and what used to happen in one person’s head now happens through defined workflows.

It’s a sad trade-off: With success comes increasing bureaucracy, because the alternative is having costs increase as fast as revenue, or even faster.

Role: Some jobs are defined by their lack of clear definition. While the desired outcome might be clear, the means for achieving it is not. The list might include sales, marketing, consulting, IT developer (yes, IT developer) and varying kinds of analyst.

If you can’t predict what someone will have to do to get the job done it seems futile to lock down a specific toolkit and say, “that’s all you need.”

Other jobs are rigidly defined and narrowly focused. Call center agents come to mind. While they might, and often are called on to be flexible in how they converse with callers, when the time comes to pull data out of the company’s systems and put new data in, you want every agent to use the exact same tools in the exact same way.

Regulation: Some businesses are more highly regulated than others. This is neither bad nor good (I remember the pre-environmental-regulation United States and like what we have now much better). It’s a fact.

Another fact: Regulators care about compliance and only compliance. If compliance means a reduced ability to innovate, too bad. HIPAA regulators care about protecting patient data. The impact on creativity elsewhere in the company isn’t their concern.

The Big Finish: The smaller the company, the broader and fuzzier the role, and the less regulated the industry, the more likely it is you can open things up.

The really tough challenge is figuring out what you can do, if you’re big and highly regulated, to provide as much empowerment as possible. After all, the people who run big companies rarely want to preside over bureaucracies.

They just need an alternative.

Getting to 21st century IT

When is a computer not a computer?

Answer: When it’s a portal to an entire universe, as I pointed out last week with perhaps-excessive lyricism. Lyrical or not, quite a few correspondents agreed with the column’s core arguments:

When using their home computers, end-users experience a vast array of possibilities, but at the office they operate in a very constrained space; and

Increasingly, “work/life balance” is giving way to “live your life wherever you are.”

Many, misreading last week’s column as advocacy of a free-for-all in business computing, were horrified.

My point was something different: This, like it or not, is the situation. IT needs to figure out how to adapt, instead of establishing policies and procedures predicated on a world that no longer exists.

Look, for example, at an increasingly common class of employee — the traveler. Few among us still entertain the notion that this is a cushy, glamorous existence. Travel delays, increasingly cramped airline seating, the need to schlep one’s office and wardrobe along, and the rigors of threat levels eternally Orange combine to make business travel an annoying lifestyle at best.

Add to this the typical corporate no-personal-use computing policy. In practical terms it means no ability to answer personal e-mail for days at a time; no right to use the Internet for non-business purposes, even after business hours; no right to download music and add it to an MP3 player to help pass the time during the next cross-country flight.

In many companies, it appears corporate IT expects travelers to bring two laptops along — one personal, the other corporate. Very nice.

Here’s one more, related point: Many IT end-user support organizations are trapped in the “Whiteout-on-a-screen” mentality while many of the alleged Whiteout users routinely participate in (for example) on-line gaming environments with sophisticated interfaces they nonchalantly figure out on their own, without thinking much of it.

This is the challenge. The question is what to do about it.

Correspondent Richard Resnick provided the most extreme suggestion: No corporate-owned PCs at all. Let employees buy their own — whatever they think they need to do their jobs. It’s Nicholas Carr’s vision in reverse: Only central IT remains. Employees take over ownership of the periphery, including responsibility for their own PC support.

It’s an intriguing alternative, and one not easily envisioned. Certainly, the nature of the protections IT would institute would be very different given the change in boundary. I leave the specifics as an exercise for the reader.

Another correspondent, Will Pearce, provided a less radical alternative: Virtualize. Give end-users two virtual machines.

IT has valid concerns about having to support systems on which end-users have installed unapproved software, so one virtual machine would be buttoned-down, corporate, protected, fully supported, and strongly connected.

End-users and business managers, on the other hand, frequently discover useful software tools that are not on IT’s list of supported applications. Enter the Sandbox — a place end-users can install and use business-focused applications IT doesn’t and doesn’t need to support. If they work without creating conflicts with other applications, more power to everyone, and IT might even add them to the supported list.

If they don’t … it’s the Sandbox. All the user has to do is switch over to the corporate virtual machine to continue working. All IT has to do is to restore the standard Sandbox virtual machine.

I’d add a third virtual machine as well. It would be open, personal, still reasonably protected … but unsupported beyond restoring the virtual machine, and kept outside the corporate firewall. Travelers and other employees in the growing population of those who donate personal time to their employers would be able to use their personal virtual machine to take care of personal business without impinging on corporate IT.

Even if you ignore the issues discussed this week and last, virtualization would appear to provide an easier-to-administer alternative to maintaining standard images for restoring hashed-up systems. It certainly seems like a workable technological core for handling the challenges discussed last week and here.

End-user ownership of the periphery is a fascinating long-shot. Virtualization is a promising but unproven possibility. Entirely different alternatives might prove superior for supporting the 21st century workforce.

Underneath the specific solutions is the contrast between two corporate attitudes. One considers employees a necessary evil — unavoidable, but suspect; untrustworthy entities from which the corporation must be protected. The other recognizes employees as the source of all success.

IT’s response to the 21st century workforce depends on which sort of employee companies think they have.

So, as it happens, does every company’s long-term financial success.