Non-profit organizations and companies alike have been struggling with control issues since the first personal computers hit the market. Competing with what's available at the local Best Buy and Apple store gets harder every year. The laptops are shinier and faster, the monitors are bigger, the phones are cooler, and freely available software is useful and well-made. A proliferation of online tools and software like Google Apps, Facebook, Open Office, Firefox, Skype, and Pandora Radio, not to mention all the slick apps that come with every new Mac, are as good as or better than anything traditionally provided by enterprise IT Departments.
So what's a CIO/IT Director to do? Build the walls higher! Dig a deeper moat! Call in the cannons and archers! Historically, these were the favorite tactics. But more and more we're taking a less confrontational approach to hardware and software choices. The change was hard, but inevitable. Opening firewalls for corporate email and calendars is becoming more common and necessary. Our users are able (and actually want) to work more and be more efficient when not plugged into the corporate LAN or WAN. Their iPhones are much more attractive to use than the clunky Blackberries that many IT Departments are still handing out. (Not to mention the savings to the environment if we only have to produce 1/2 the mobile phones.) The 7GB mailbox size and 12MB message size in Gmail are hard to compete with for a budget-strapped Exchange shop. The examples of consumer products outdistancing corporate-provided products are endless.
So how do we allow these consumer products and maintain the level of security we're used to? With a little flexibility, an analysis of the latest technologies, and some effort by a security tech it's entirely possible. For example, Google has an authentication API for its Apps product line that will allow logins to be passed to your own auth infrastructure--then you can control account creation, suspension and removal and password complexity and expiration. And the abilities of most major firewalls can be configured with a combination of DMZs and app tunnels to allow corporate email out to personal mobile devices. I wouldn't recommend these options for high-security operations, but businesses that want higher productivity from their employees could easily fit these and other options into their security models.
Besides the difficult-to-measure benefits of higher productivity, it's possible to experience concrete budget savings from taking advantage of consumer products in the enterprise. One way we (Greenpeace USA) have done this is, instead of providing mobile devices maintained by our IT Department, we reimburse staff who require them for their jobs a monthly amount to cover part of the monthly bill for their personal mobile device. We provide IMAP and POP service to our email as well as CalDAV for calendars that we help staff configure on their phones. We have a list of devices that we generally support but are flexible if someone brings in a phone not on the list if it does support the standards for communicating to the email and calendar server.
We also have many users that prefer to use their personal laptops over the ones we provide. We don't reimburse staff who do this, though it is under consideration, so the budget savings here is obvious. Some considerations here include whether or not the staff-owned equipment has proper anti-virus/anti-malware protection and is properly maintained and updated with the latest OS and other software versions.
Taking advantage of consumer products in the enterprise does require the loss of some control but with some patience, flexibility and lots of deep breathing the benefits can be enormous including increased morale of staff, cost savings and, not the least of which, the increased popularity of your IT Department.