Analyst Blogger: Trent Henry
Consumerization. It's an emerging IT trend that we're watching with great interest. Although it may not be consistently defined, at the very least consumerization is a blend of user-owned devices deployed in the enterprise (think iPhone) and IT departments handing out stipends for users to purchase their own work-related gear. The idea--no surprise--is to reduce cost and lower overhead. This has been going on for several years, but the newest crop of handheld devices and moves from the likes of Citrix (see "Citrix Tries BYOC") have energized discussion.
Last week I read the article, "Assembling the Android army: a sticky platform", and it made me realize there's an aspect of consumerization I haven't heard people discuss: vendor lock-in. When dealing with Burton Group's enterprise clients, we talk until blue in the face about reducing switching costs, rejecting proprietary protocols, using standards where possible, and so forth. However, consumer-facing technologies try their best to be sticky: keep consumers working on their platforms, applications, and environments; they generally make it as difficult as possible to change.
My colleague Jack Santos argues that lock-in and stickiness aren't quite the same thing, and I agree with him. Lock-in means there are clear economic consequences: penalties for switching, extra unexpected expenditures to get the same feature, etc. Stickiness means just that--a sticky affinity to the platform or software that captures your imagination. Similar functionality may even be delivered on another platform for free, but the platform where a user first uses a compelling feature wins the day because there is not a sufficiently compelling reason to switch (even if there is no cost in doing so).
Whether it's stickiness or lock-in, however, consumer devices pose new challenges for enterprises, including difficulty in moving users from a problematic platform (for whatever reason) onto another one. Whatever the advantages of consumerization, this is a drawback that organizations need to keep front-of-mind.
As security practitioners, the last thing we want is for users to cling rigidly to software, devices, or environments that are known to be risky. If one day Microsoft makes an Xbox with a terminal services client, I don't necessarily want users to spend their corporate stipend on that device for corporate email access. But this is a potential logical conclusion for consumerization and the stickiness of platforms and user experience. Time to start writing some user device acceptance policies, I do believe....
