"The Consumerization of IT"—have you heard this phrase? Probably. Given that I first heard of it in 2006, one can presume that it's jumped the shark at this point. So what does it mean, and what's the point? I like the way Matt McIlwain put it in his post for Forbes (see it here). McIlwain says it originally referred to "BYOD"—Bring Your Own Device—and now increasingly refers to "BYOA"—Bring Your Own Application.
It Followed Me Home... Can I Keep It?
When wireless carriers started offering Blackberry smartphones to consumers, employees at enterprises started going out and getting their own Blackberries. They brought them to IT, saying "make this work". Blackberries supported a mission-critical corporate application—email—so it was hard to argue against supporting them. Further, employees were becoming increasingly mobile, meaning that company-issued laptops weren't always sufficient to support this new desire for always-available email.
Since that time, employees have moved on, and now bring in iPhones, iPads and assorted Android devices… all with the same support request for IT. That has spawned an industry around mobile device management, starting with Bigfix (since acquired by IBM), Sybase's Afaria (now part of SAP) and iPass' Endpoint Policy Management, and more recently blossoming into all sorts of hardware, software, and services solutions. And smartphone makers have gotten better about providing the kind of support (remote wipe, device lock) that CIOs need to properly support these devices… although securing data on mobile devices is still a concern.
Thanks, I'll Use My Own Application
And now, enterprise employees are increasingly introducing their own applications into the enterprise: file sharing and collaboration (YouSendIt, Dropbox, Box.Net, and others), note taking (Evernote), document viewing (GoodReader), and project management (Smartsheet). Cloud-based delivery models, outstanding UI/UX, and "freemium" go-to-market models are all enabling this trend. CIOs recognize that blocking or refusing to support these applications are not winning strategies; the horse is already out of the barn. That said, smart application providers recognize that they'll be more successful if they embrace the needs of the CIO and not simply sell into the enterprise over the CIO's objections.
Work With Me, People!
So what does this mean for application requirements? There are two classes of requirements: what users need and what CIOs need. The user needs are generally well-addressed by the time a CIO sees the application. These cloud-based applications start life outside the enterprise, in the consumer and prosumer market segments. Here, functionality and usability are the lead requirements and are usually the focus of BYOA initial product releases. When these offerings enter the enterprise, the needs of CIOs become paramount. What are those needs?
Data security is a key need. CIOs are increasingly looking to file-based data security as they recognize that the solutions for securing data at the device level aren't always robust enough to pass CSO evaluation. Pure cloud-based (read: no local storage) services can rely on user authentication and session encryption to protect data. But the more common application model is a blend of cloud-based and device-based file storage. In this circumstance, authenticating against the file (via local application or via a corporate authentication server) is necessary for security.
Auditing and event logging are also important. CIOs must be able to demonstrate that they have appropriate procedures in place for safeguarding sensitive data. Audit logs (e.g., showing all activity for a given user or a given file) serve to demonstrate that a procedure is in place and can be monitored.
Automated safeguards have to be provided to reduce the risk of compromising sensitive corporate information. This is important because end users can't be relied upon to regulate their own behavior. CIOs want to know that sensitive information can't be shared with competitors and would therefore want a solution such as a "whitelist" of domains that can be included in sharing requests—with all other domains blocked by policy.
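The domain whitelist and the per-user, per-file audit log described above can be sketched as follows. This is an added example, not code from the original post or from any product it names; the domain names are constructed placeholders, the function names are hypothetical, and accepting subdomains of an approved domain is an assumed policy choice.

```python
import json
from datetime import datetime, timezone

# Constructed policy: domains approved for outbound sharing (placeholder values).
ALLOWED_DOMAINS = frozenset({"example.com", "partner.example.org"})

def recipient_domain(address):
    """Return the lower-cased domain of an e-mail address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain or "@" in local:
        return None
    return domain

def domain_allowed(domain, allowed=ALLOWED_DOMAINS):
    """Exact match or subdomain on a label boundary; never a bare suffix test."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def evaluate_share(user, file_id, recipients, audit_log, allowed=ALLOWED_DOMAINS):
    """Default-deny: any unapproved recipient blocks the whole request."""
    blocked = [r for r in recipients
               if (d := recipient_domain(r)) is None or not domain_allowed(d, allowed)]
    permitted = bool(recipients) and not blocked
    # Allowed and denied requests are both recorded, one JSON object per line.
    audit_log.append(json.dumps({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "file": file_id, "recipients": list(recipients),
        "blocked": blocked, "decision": "allow" if permitted else "deny",
    }))
    return permitted

def activity_for(audit_log, user=None, file_id=None):
    """All logged events for a given user and/or a given file."""
    events = [json.loads(line) for line in audit_log]
    return [e for e in events
            if (user is None or e["user"] == user)
            and (file_id is None or e["file"] == file_id)]

if __name__ == "__main__":
    log = []
    print(evaluate_share("alice", "q3-forecast.xlsx", ["bob@example.com"], log))
    print(evaluate_share("alice", "q3-forecast.xlsx",
                         ["eve@example.com.attacker.test"], log))
    print(activity_for(log, user="alice"))
```

Matching on a label boundary is what keeps lookalikes such as `notexample.com` or `example.com.attacker.test` from passing a check that only compared the end or the start of the string.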
McIlwain argues that integration of these "imported" applications with existing corporate applications is important. I don't see CIOs focusing on this need, at least for some time. What makes these applications work is their simplicity—they stick to a single problem, solve it well, and do so with a minimum of end user training or behavioral change. Asking these applications to integrate with other, custom-configured applications such as those supporting HR, Sales, and Finance is asking for trouble. I would envision "islands" of data being used by small work groups within the enterprise, and any integration with corporate information stores happening in the background, orchestrated by the IT/IS organization using enterprise-focused database and content management applications.
As McIlwain suggests, the BYOA phenomenon is a savvy way into the enterprise for an aspiring cloud-based service provider. Savvier still are the startups that find a way to partner with the CIO in encouraging enterprise adoption. Services that are loved by end users and embraced by the CIO are the ones that will see the best success in the enterprise.