The consumerization of IT: Why most vendors get it wrong, and why it's a challenge today. (Part 1)

Citrix made "consumerization of IT" one of the core themes of their Synergy 2011 conference last week, and Gartner predicted that consumerization of IT is going to be one of the hottest trends of the this decade.

A lot of people are talking about the "consumerization of IT" these days. Citrix made it one of the core themes of their Synergy 2011 conference last week, and Gartner predicted that consumerization of IT is going to be one of the hottest trends of the this decade. And many CIOs list "consumerization" as one of their current priorities.

Ironically, much like "virtualization" and "cloud," despite all the people who actually want "consumerization," there's no consensus on what it actually is. (And as you might expect, those to do attempt to define it typically do so in terms that support whatever product or service they're selling.)

Despite all the hype, the Consumerization of IT is legitimately going to be a huge deal. And it's something that should be a priority for CIOs over the next few years. But I don't believe that anyone who's talking about it today actually has it right. So I present to you my manifesto on The Consumerization of IT. Let's look at what it really is, what it isn't, and what we (as IT Pros) can do about it.

(Field note: This article is mostly based on the presentation that I gave at BriForum 2011 London last month in my breakout session called "The Consumerization of IT," although I've updated and expanded quite a few sections based on conversations with many IT Pros I've had since then.)

So let's jump right in. The first step is to clear up the misconceptions that are already about there about what the consumerization of IT is.

Why most people are wrong when they think about "the consumerization of IT"

So far it seems that when most people talk about the consumerization of IT, what they're *really* talking about is BYOC. In other words, many CIOs' "consumerization" initiatives are really "BYOC" initiatives, but with the "consumerization" label slapped on since that's cooler. Of course BYOC is a fine thing to do. Who wouldn't like the idea of employees being able to choose their own laptops? (Although let's not kid ourselves. In today's world, "BYOC" really means "letting employees use Macs.")

But while enabling BYOC and Macs is a nice, the reality is that the IT industry already knows how to solve that problem. We licked it years ago with remote published apps and client VMs and VDI and web apps. If someone wants to use a Mac, sure, we have to work out some minor details (like who's responsible to taking it to the Apple store when the screen breaks), but that's the tactical stuff; that is *not* the ten-year major trend that Gartner is talking about. Building BYOC is something you can figure out in a few weeks. It's not that hard.

"The Consumerization of IT" is bigger than that.

Ok, so if the consumerization of IT is not about BYOC and Macs, the next thing people think about is mobile devices. They think about iPhones and iPads and Androids and ATRIXes. But again, getting a mobile device online and syncing with your corporate email, complete with policy enforcement and remote wiping, can be done with any of a myriad of products on the market today. That is *not* the difficult consumerization of IT. That's just Exchange ActiveSync with some third-party security software.

The reason this distinction is important is because if you think that the consumerization of IT is just about personal laptops and iPhones, then you've lulled yourself into a false sense of achievement. You might think, "Ok, this consumerization thing is going to be huge. We're implementing a BYOC program for laptops and users can use any Blackberry, iOS, or Android phone they want, so now we can check that box and say 'Yes, we've done consumerization.'"

And if this is you, you're about to get your ass kicked.

So what *is* the consumerization of IT really?

Explaining what the consumerization of IT really is can best be done through a story. I was having dinner with a friend and his wife recently. His wife, who works for an antivirus vendor, was making polite conversation:

Her: "So what antivirus software do you use?"

Me: (Looking confused) "What? What year is it? Who uses antivirus software anymore?"

Her: (Now also looking confused) "Well, you work for a public company. Surely there's a policy that you must run antivirus?"

Me: "Dunno? Probably."

Her: "Soooo..."

Me: "So? I don't run antivirus software."

Her: "But they don't check that when you login?"

Me: "Why do I login? I rebuilt my machine and it's not in the domain."

Her: "Don't you need access to files on the corporate network?"

Me: "I use Dropbox."

Her: "What about email?"

Me: "I configured RPC-over-HTTP, so I don't even need the VPN for Outlook."

Her: "Well, don't they do any type of network access protection when you're in the office which prevents your non-authorized laptop from getting on the network?"

Me: "I use a 3G card."

You get the point. There is literally nothing a central IT department can do to prevent users from basically doing whatever the hell they want. And that's the *real* "consumerization of IT" story. In fact I use a different term for it: "FUIT." Fuit is a latin word meaning "he was," as in "he was in charge because he worked in the IT department. He's not anymore." I also chose the word "fuit" because it's spelled F-U-I-T. (Spell it out loud to see what I mean.)

So to be perfectly clear. The consumerization of IT is not about BYOC or BYOD. The consumerization of IT is about the fact that today's users can do whatever they want, and you in IT can't stop them even if you wanted to.



But this is just for geeks, not regular users!

At this point in the conversation, whomever I'm talking to usually says something along of lines of "Well sure, YOU can do all this FUIT stuff from your story because you're an IT geek. But regular users don't know how to do those kinds of thing."

Here's the problem with that logic: It only takes one geek to show a non-geek how to use Dropbox or how to connect to the corporate Exchange server without the VPN. Then that non-geek can tell two other non-geeks, and two weeks later you've got an office full of non-geeks who are doing things their own way.

I'll share another real life example. There are 45 employees at the remote office in San Francisco where I work. Before I joined the company, every single one of them connected to the VPN (complete with its client scans) in order to use Outlook when not in the office. Then I came on board. How many people do you think use the VPN for Outlook today? :) The configuration is just a simple change. (It's literally a checkbox and a new server address.) And I only showed two or three people. But now the whole office has switched over, all by themselves, and none of them even know what RPC-over-HTTP is.

And it's not just email. It's web proxies to get around firewall rules. It's using Dropbox instead of file shares. It's a 3G card to avoid snooping networks. It's a sales rep buying the $500-per-year "personal" edition of Salesforce and using that instead of the company's official CRM platform.

But this is just those pissant kids. Screw them! "Real" grown-up workers don't care.

The next thing people say is that this whole consumerization/FUIT thing only applies to the "echo gen" or "Gen Y" or "kids" (or whatever pejorative term you want use to describe them). Older folks try to invalidate the whole movement by implying this is an edge problem that doesn't really affect real business.

Here's the problem with that line of thinking: My younger sister is one of those echo generation pissant kids. But she has two bachelor's degrees, an MBA, nine years of work experience, and she runs a team of fourteen people. Those "pissant kids" are real contributing adults now! And if you don't think that matters today, consider that each of us only works about 40 years, which means that statistically speaking, every year 2.5% of the "real adults" retire off the top, to be replaced by another 2.5% batch of pissant kids who are going to do whatever they want with technology.

Why is the consumerization of IT happening today?

If we take a look at why the consumerization of IT thing is happening now, we can see a few drivers:

First, SaaS/cloud technology means that any idiot with a credit card is only two minutes away from being able to buy access to more technology than you ever fantasized about just a few years ago. The reason that anyone can use Dropbox, Google Apps, SalesForce, and 3G cards is due to the simple fact that they now exist. (And as you know, denial won't un-invent these products.)

The second driver is the thing about the kids. Those dang kids aren't content with us handing them a plastic locked-down Dell on Day One with the stern warning telling them not to break anything.

The third driver is that even old school actual adults now know more about technology than ever. Old people have iPhones and computers at home and file sharing and web apps. So while they might not posses the same enthusiasm as a 30-year-old for testing the boundaries of their employer's security policies, they still know they're being fed a line of horse shit when their IT guy tells them they only have a 500mb mailbox limit.

The risks of getting it wrong

Ignoring this consumerization of IT / FUIT trend is bad for several reasons.

First and foremost is for security. If users can just do whatever they want without the knowledge of IT, what does that mean for data security? This applies not just to accidental loss, but also for the ability to an employee to take his data with him when he leaves the organization.

Another very real risk is that if companies don't embrace the consumerization of IT, they'll have a problem attracting and retaining the best talent. (Today's poor economy might give us a free pass on this for another year or so, but that won't last forever!) The inability to hire the best workers is not just an "Echo Gen" thing that the pissant kids are going to fight against. Instead, users doing whatever they want is the new normal. In fact we're probably really close to the day where I would actually feel nervous if someone accepted a totally locked down environment. (e.g. "What's wrong with this person that he would accept our total control?")

How companies fail trying to "solve" consumerization

While the consumerization of IT trend is just now picking up steam, it's something that's been around in one form or another for the better part of ten years. (Actually we could probably go back twenty years. The first PCs were bought out-of-pocket by employees of large companies who didn't want to wait their turn for time-share access to the central system.)

As I wrote already, one of the major ways companies fail at consumerization is by thinking they "solve" the consumerization problem simply by implementing a BYOC program and letting users have iPhones. The vendors deserve some of the blame here. Citrix is running all kinds of ad campaigns implying that you can "solve" consumerization by delivering Microsoft Windows desktops to users accessing them from tablets and phones. While this is a great party trick and even helps to solve the BYOC/BYOD need, it does nothing to solve the Dropbox/Gmail/3G/FUIT "real" problem.

Companies also fail by thinking their traditional security products actually protect them from this new FUIT world. I recently spoke to the CIO of a company who claimed to have "solved" the problem of users wanting to choose their own (non-Blackberry) mobile phones by configuring their email system so that iPhone and Android users couldn't access attachments from their phones. ("Since we can't fully secure those devices, we can't give them full access," the CIO explained with a smile.) But not twenty minutes after that conversation, I'm walking down the hall with a PR person from that office when her iPhone rings, and I overhear this half of the conversation:

PR Rep: "Hello? Oh yeah, hi.. uh-huh.. yeah, ok send it over. I'm on my iPhone though, so send it to my Gmail."


At this point you might be thinking, "That security risk exists because they're solving the problem in the wrong way. If they had a data loss prevention product on their Exchange server, they could block that at the sender level."

Good luck with that. (Doesn't the sender have Gmail too?)


Some organizations are trying to solve this problem by building secure corporate versions of consumer apps. Intel, for example, has built this thing called "Planet Blue" that's like a corporate-controlled interally-private version of Facebook. And you know who uses that thing? Not a goddamned person. (Seriously. Ask anyone you know who works at Intel whether Planet Blue has lessened their reliance on Facebook for "work" collaboration.)

Or look at VMware who recently bought Socialcast, the corporate-controlled private Twitter-type-thing that many customers choose to host on premise. The problem with Socialcast (according to VMware employees who started using it a few weeks ago) is that it feels like Twitter did a few years ago. It feels old and weird and slow. It doesn't hook into all the great Twitter clients. And let's face it--it's not Twitter!

So Planet Blue and Socialcast are just two of the hundreds of supposedly safe & secure "private" versions of public social apps that all fail in the same way. Their limited audience means they don't have the same benefit of real public social apps, and their limited customer base means they don't have the same features as real public social apps. The result? Employees continue to use the real public social apps for work-related info sharing. Buying & implementing the private versions just causes the company to waste time and money, creates a false sense of security, and doesn't actually make the environment more secure since the private apps can't prevent users from still using the real apps.

And finally, since we're talking about how companies fail when dealing with the consumerization of IT, let's not forget about "denial." I've met several organizations who are in full-on denial that this is an actual risk. They'll say things like "All our desktops are only available via VDI," or "Our users aren't that smart," or "I work for the United States Department of Defense and there's no way a private could just walk out the door with a thumb drive filled with 200,000 classified documents."

What is the solution?

So that's the landscape of the consumerization of IT problem that's out there. Next week we'll look at potential solutions, both in terms of technologies and mind-shift that we can apply as IT Pros to deal with this new crazy world.

In the meantime, what do you think? How do we start to deal with this as IT Pros?

UPDATE: We launched an entire website to focus on the "solution" for these Consumerization of IT challenges. The website is, and it's live now.

Dig Deeper on Enterprise desktop management

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Spot on- especially the part about this whole thing starting with folks buying PCs on their own dime. Just as before, people are trying to get control of their own business destiny and will continue to use technology as a way to do it and say fuit.

But...I suspect it won't stop the security companies from trying to stay no more than a step behind the bow wave.

One idea we could see: Services like Dropbox start offering a premium feature that allows companies to provide accounts to their employees but keep track of what goes in and out of each user's space in an auditable way, and maintain an archive.

Another: Information audit and security standards that cloud and SaaS providers can self-certify with and offer assurances to prospective corporate clients that they can survive an audit.

Yet another: OS vendors offer a session-level digital fingerprint setting that signs every document on the computer so the source can at lest be tracked down for punitive purposes should sensitive documents be leaked.

I don't care for any of these options, but I suspect the solutions we eventually see might fall along these lines. They're pretty much placebos because new companies will continue to pop up to help folks get their freedom back for a few bucks a month.




brilliant article. i gave a similar presentation yesterday. I will add that one of the reasons why CoIT is happening is that technology companies are no longer marketing to IT, they are marketing directly to the consumer.

Give them a service for free and make money on ADs. CoIT is leading innovation with consumers also getting into technology by delivering services to other consumers that is simple, easy to use and does not need IT.

It has become a road block and needs to learn to be flexible and integrate CoIt rather than fight it



My sister works for a company that blocks access to Facebook, but only in IE. They use FireFox for one browser-based app in the company, and she learned that if you use FireFox, you can browse to any site you want. Now the whole office knows! (Not that that's a good thing.  Hope her company doesn't read this :)

It's not just kids. My dad has a retirement job at a retail store that does online price matching, but whatever system the use won't let them google for certain things. He learned that if he uses Bing he can get around that. Now everyone at the store uses Bing to do their job.

These are two people that are far from being IT Pros and that didn't ask me anything about this ahead of time. When I learned after the fact, I was amazed (and kind of proud) that they circumvented the system on their own, and their companies are none the wiser.

F.U.I.T indeed.

If you're reading this and thinking that your company doesn't have this problem, think again.


After a week at Summit/Synergy, this is a timely piece, Brian.  Great job.  This should hopefully re-center the IT thinkers, designers, and decision-makers and serve as a reminder that technology is not only a great enabler, but also a great equalizer,  Every IT shop knows that this is not a new idea, but I think very few are yet willing to make that paradigm jump quite yet.

Arguably, things like HIPAA, SOX, and other regulatory requirements will always have an influence on CoIT, but then again there should, with the consumerization of IT, come the responsibility of the consumer to adopt and employ appropriate and necessary security and assurance processes and technologies to protect the CoIT-based resources they choose to use.  Security managers will continue to promote social and cultural changes to a more security-focused mindset like they always have, and will employ appropriate safeguards and protections where necessary.

Where can I order the first batch of "FUIT" t-shirts and swag???


FUIT part 1 was entertaining!

Here's the irony - FUIT started in IT! The techies wanted none of their own controls or policies (they were above the law). But non-compliance is a story for another day as well as corporate gatekeeping and data security.

The Consumerasation of IT simply means simplicity. Keep something simple and doable and then it will be adopted. Too many companies have started using the analogy that their product is "Apple-simple". I hear this and cringe. Is that really their strategy?

Now - Brian has decided to use 4 / 5 programs to access and exchange files. Each program may have between 2 and 4 steps. There's the  problem and potential opportunity.

Another take on the compliance issue: If you switch to Google Apps or another cloud-service, are you still in compliance and regulatory acceptance?

Every company is different and every employee is different. How can the CoIT make thing easier for everyone?


@ SillyRabbit: Good call on the origins of FUIT - I just wish I would have thought of that moniker!!!

Simplicity is exactly the point I was driving at.  Many IT old-schoolers will continue to argue that no matter what is done to make IT "simple" or "consumerized" to the end user is always a function of increasing complexity on the back-end infrastructure.  That's the other end of where the mindshift needs to happen - at the IT architect / systems designer / IT Management level.

Taking on a holisitc view of IT in the XaaS model, where x= whatever you are providing (desktop, software, infrastructure), it behooves us as technologists to adopt the mindset as well, beyond what we already do to consumerize IT (by installing Windowblinds, VisionApp, Putty, AngryIP, DropBox,etc. on our laptops we use), but to promote and adopt that mindset throughout the infrastructure and capitalize on it's principles when it's practical and fianancially sensible.

The cloud-centric focus of the virtualization industry is increasingly moving towards forcing providers to take on the issues around regulatory compliance.  It's evident in the hardwalling and multi-tenancy features now being built-in to so many of their offerings, and it's going to have to become a standard as more and more enterprises move that way.  Perhaps that can be IT's great catalyst towards forcing buy-in and adoption of CoIT at a corporate culture level as well?  I'll wait to see Part @ of Brian's manifesto, but I doubt if there is a one-size-fits-all approach to CoIT making EVERYTHING easier for EVERYONE.  There's always going to be outliers (government, highly secure environments, etc.).  I think being able to parse out valuable features and initiatives to support CoIT will be something each organization will have to take on individually and at their own pace.  


Consumerization of IT has been the theme for the past 5 years. When I was at FaceTime [now Actiance] -- our mission was to allow the IT to embrace "consumerization' in a safe and productive way for the business.

In my view consumerization manifests in 3 primary ways..

1. Choice of user device

2. Choice of apps [consumer and cloud apps]

3. Location independence [work anywhere both inside the corporate or outside]

IT traditionally played the role of putting strict controls to block anything that is not managed by IT.. They used to take the philosophy of "Allow/Block" -- only allow IT managed stuff and block.. They were relying on PC security, Firewalls, NAC etc to do this..

Two things have happened in the last 5+ years..

1. Businesses recognized the benefits of consumerization [devices, apps, cloud etc]

2. IT also failed the blocking of consumerization.. In fact, 5 years ago we were making news in detecting skype and other consumer apps inside the network.. And the apps got stelthier..

Now companies such as Palo Alto networks, Actiance [fomrely FaceTime] and others are building solutions that safely enable the consumer/cloud apps with access controls, malware protection and data leakage and compliance stuff.

VDI addresses one piece -- choice of device.. But customers need a range of other solutions to fully enable the 'consumerization of the IT' -- to the safe use for business.

Some of the cloud apps also provide federated management for some userIDs so that they can be managed.

In my view, it is not FUIT -- but users and IT are working together to unlock the benefits of consumerization.

I think we need to help businesses on the range of solutions [desktop, network, cloud] so that this is possible.

My 2C.



What's the value of IT?  We live in a world where some people have brain dead IT, other's have world class IT and most people in the middle are bullied by chief paranoia officers in the security department trying to control everything and no commercial responsibility to provide business solutions.

I am a goals orientated employee of company X, and understand my job.  Let me choose the tools that I need. They may come from IT, they may come from elsewhere. I may be in a regulated industry which makes this harder. But we keep talking about regulated industries. Most of the world is not regulated so how fast will innovation occur in regulation or those industries? Slowly IMO., fighting the forces of inertia which over time makes them inefficient.

In the majority of the world, trusting employees to do the right thing in return for a more flexible way to work is very powerful. If there are cases where people abuse this, I am confident that the majority will have little reservation in ejecting these people from the culture in order to preserve the right for themselves. It's a little bit like Wikipedia. Post crap and the community rejects it. Twitter also, post junk and you have few followers etc. The power of community is key in enabling consumerization.

Even in these organizations there may be a real need for super secure, managed solutions. Ok so make that the exception and offers tiers of service. IMHO for IT to remain relevant, it needs to think like a service provider and offer tiers of service. A one size fits all approach will not work. IT will need to think about stitching together various services and determining if they are cost effective and provide guidance on governance. They can't control it, except in very specific use cases, where people will cheat anyway. In some cases, IT should not care if the user does something. That's going to be life and I don't believe IT can bear the sole responsibility for security. Users have to do something as well in the new world. I.E don't share sensitive date, use judgement, when in doubt encrypt or use an approved secure IT system. In my mind that's a far more realistic approach, to managing risk vs. avoiding it like the typical chief paranoia officer who builds nothing.

If I was still in IT, I'd ask my users how much risk are they willing to personally accept for the business they drive and then start a conversation on tiers of service that enables IT to get out of the way as much as possible. This is a two way conversation and about enabling the business while also provide a sensible level of governance as opposed to control. I'd show them different cost models of cloud services, IT hosted vs. risk and let them choose. At the end of the day, businesses have to determine what level of risk they are willing to accept and then will choose the most economical way to operate. So IT should guide those choices, not try to dictate. Dictating is a loosing battle.


I have read through this a couple of times and I really can't tell whether or not this is an evolution of the AppDetective click-whoring performance or you sincerely believe this.

So far all I've been able to discern is that TechTarget have an IT department that is ill-equipped to support its employees needs, and that you don't understand what consumerization of IT is either.  

Consumerization of IT is not a rabid free for all, with employees running around waving credit cards demanding to be allowed to do whatever the hell they like.  Far better to consider it as IT adopting new ways of providing service that use 'new' consumer models like the app store as their starting point.  

In many ways the Apple app store is the ideal analogy.  It fulfills many aspects of the consumerization 'just give me access to what I need and let me get on with it' way of thinking, but just like enterprise IT, the app store is not a free-for-all. You cannot buy anything you want from the Apple app store store; Apple has its rules about what can go in its app store, and many of these rules are just as arbitrary as an IT rule saying you are only allowed 500 MB of e-mail storage.  The big difference is that for the vast majority of consumers, the user experience is so good that they do not want to leave the app store.  This is the model that IT has to emulate.  Not to put up so many shutters that users cannot do their job, but to deliver an experience that is so good that they do not need to or wish to leave the IT service in favor of mediocre solutions like Dropbox.




To be clear, I absolutely believe everything I wrote here. It sounds like maybe the only thing we don't agree with is the terminology. What I mean is I think this problem (FUIT or consumerization or whatever you want to call it) is 100% real, and something that CIOs have to deal with. Maybe you think "consumerization" is App Stores and IT transformation, so fine.. we're talking about two different issues then.

But I don't see how App Stores is the biggest issue of the decade? I mean we had self-service apps back in SMS 2.0 in the 1990s. App Stores is just a delivery method. If IT departments have to vest and test and provision everything that goes into the stores.. yikes!

And just having an app store doesn't prevent users from doing whatever they want outside of the store. So that's where I'm coming in with this FUIT or whatever you want to call it. Fine if you don't want to call it consumerization. But no many what you do call it, it's my belief that this is the biggest challenge facing CIOs today.

I'm also not clear on how IT is supposed to provide an experience that's so good that users don't need or wish to leave. Isn't that what IBM is doing with Planet Blue and VMware with Socialcast? And isn't that failing? How can an IT department compete with the consumer apps which have millions of users? IT will always be behind, and users will always be looking for the next thing.


Ahhh you see though @Brian, the difference is, in the 1990's we (IT) we the centre of every users IT experience and self service was an alien/scary concept for most (*remembers helpdesk days). Users had to be hand held through every step.... I think we're now at the age when we can say "off you go" to them and self service is good enough. Be it AppStores (public and private), dropbox, internal/external services etc etc etc...

I think @harry is SPOT ON saying "Let me choose the tools that I need. They may come from IT, they may come from elsewhere". It's exactly the model we've been introducing for some time now but then we can get away with it for pretty much every user.

Oh... I absolutely think that corporate social networks suck bum!

One more thing... The powers that be at my place of work have asked to use a "standard" email signature.... F.U.I.T and hello GMAIL!


Most of the readers and posters here are either in IT, coming from IT, or in an IT service delivery company. Basically this is a sarcastic challenge to all of us to make things simpler for all of us and decentralize the control.

I remember hearing some Citrix folks a few years back refer to this as simplexification; The challenge of making complex things appear simple in your infrastructure.

@harrylabana – philosophical issues are not resolved in companies easily for the same way change does not happen overnight. I think we all understand that. It is far easier to build a company from the ground up today than it is to change a large company from within to simplify. It’s politics (or IT’s politics). IT is traditionally not incentivized to change.

It is truly silly how far we've had to come to realize how simple we want things to be.


I don't disagree with this article or consumerization of IT, but I think there are still way to many legal and HR implications of consumerization.  No offense, TechTarget is a publicly traded company with a market cap of $270M and trading at a P/E of 310, which essentially means its not worth anything....i.e. no one gives a *** about a what TechTarget IT is doing.  Any large market financial company isn't even entertaining the idea of consumerization.  Yes, there looking at VDI - for security, yes they're publishing RDS apps - for security, but like you just wrote, that's not consumerization.

Until there is a fundamental shift in IT security, legal disclosure, HR, etc its a ways away.  Just about every company has some kind of HR Code of Conduct which usually includes use of electronic equipment, you break code, you get canned...again fundamental shift required.  Based on this article, consumerization would technically only work in the does consumerization fit in with EMEA privacy laws? doesn't.

And seriously...people turn down jobs because they can't use their iPhones?  I've yet to meet that jackass....


I loved the article. (and the video.)  I think Brian you are 100% correct as many other here do. It is important for CIO's and CTO's to understand why this is happening.

In many cases the users have becoming smarter than IT.  They know way more how to do and circumvent systems and policies that we put in place. So the consumerization of IT is simply the evolution of the end user in to an IT guru or geek. So there is no way to stop this, so we must just embrace it. Like it or not.



@Tony, I agree about no one giving a *** about TechTarget.. :) But I don't agree that consumerization is a ways away because of all the issues.

In fact the whole point I was trying to make was the exact opposite of that.. that consumerization is here whether IT wants it or not. Sure, we have codes of conduct that say we'll get fired if we don't follow them, but I wonder how recently those codes of conduct have been updated? Are they just pages and pages of fine print that still have clauses from 1997 regulating that the Internet is only to be used for work purposes while in the office? Perhaps updating the codes of conduct is part of the solution.. something to make it clear what's ok and what's not in today's world?

As for consumerization being a US only thing, I can 100% disagree with that. I spent a week in the UK after BriForum last month meeting with customers talking about this exact thing.. and some of the meetings were with CIOs of some large companies.. a couple of the largest companies in the UK in fact.. and every single CIO (seriously, like 10 out of 10) is concerned with consumerization. Their concerns are like the article.. that the users can do whatever they want, so the CIOs have to scramble to support what they can lest the users do their own thing anyway. So it's here, whether the CIO enables it or not.

And as for the guy who quits because he can't use an iPhone.. maybe that's an extreme example. (Although if all things were equal between two jobs and one offered a Mac and an iPhone and another offered a Dell and a Blackberry.. a lot of under 30s would go to the former. Cement Australia is a company whose done a lot of studying on this and ultimately decided that spending an extra $1k on hardware every few years is one of their best employee retention tools.) Anyway, so maybe people won't quit because they can't use their iPhone.. they'll just find a way to use the iPhone anyway in a way that IT can't control.. and that's even worse!


I see this trend happening more and more, especially among younger users and "power" users.  However, most people in IT are still oblivious.  They either truly believe that everyone follows the rules, or they deride the "stupid" users and don't treat their requests/demands seriously.  The times I've seen user's go along with draconian IT policies that make no sense is when they just don't care if they are productive or not.  (This happens in government a lot.)

However, I don't think it is "F.U.I.T.", at least not intentionally.  It may end up like that if you have a terrible IT department that is disconnected from reality.  The truth is IT just needs to make it easiest to do the "right" thing.  So allow users to use their devices of choice, give them a nice re-made VM that's easier than building their own, allow them access from anywhere, and give them a self-service portal with all the resources they need.

IT's job is to enable and empower employees.  There's no need to "FUIT" if IT is doing their job and supporting the users!


How we start to deal with this as IT pro's? By accepting our role as it has been for decades: facilitators.

One of my former employers used to have policies regarding company cars. Employees that needed a car to do their job effecticely (Dutch rail transport is not reliable) had three choices of company cars: Volkswagen, Volkswagen and Volkswagen. All very reliable but boring. The good thing was that everything was taken care of: maintenance, service and when a car broke down, a new one would be available within hours. Broken cars would not be the reason to be late for an appointment. The bad thing was the fact that the car was boring and I had to sign a long legal document.

One of the reasons (not the most important one) I decided to accept the offer of my last employer was the fact that he offered me a choice: buy your own car and I will pay for it or lease your own car and I will pay for it. Responsability shifted but I didn't care: I got to drive a car I liked to drive. The fact that I was responsible for maintenance and replacement when the car was broken felt natural to me. I still need to be able to make my appointments in time. Company owned car of employee owned car: It doesn't matter: you are responsible to do a good job. As to the role of fleet management: we don't have those. That role has been shifted to the HR department.

I expect the same will happen with IT services. Employees will have a choice. Use your own or use the ones we provide you (if any). Whatever you need to do a good job. On the short run this shift will be driven by other cost related arguments (every device or application you don't own saves costs on licensing and support). On the long run, exployers will accept the secondary benefits (happy, productive employees using the tools they like)


I agree with some commenters that the risks related to this new approach of delivering IT services are all about security. If you don't want sensitive information to leak, you need to teach people how not to leak it. IT will not solve this problem by using IT. Context aware (workspace) management systems might reduce the risk by will never prevent information from leaking. An example. One of my friends is a district attorney. The files she and her colleagues work with are sensitive. Although very sensitive, some of these files made it to TV shows before making it to the court room. The IT department suggested two solutions: access to legal files would only be available via remote sessions (in a court room!) and second, a vault would be places in her home where she could store the files when at home. The second suggestion was implemented. The first wasn't because reading files during a court session from a screen was decided not to be efficient. What did help however was explaining all legal personnel not to bring files in a shoppingbag when having drinks in a bar or store them on a bike when riding home. This 'advice' solved the problem.

The role of the IT pro?

I expect the role of the IT pro on the long run to be a liaison between the HR department and IT service providers. Someone who understands both worlds and is able to negotiate and manage good SLA's (just like a fleet manager)


Consumerization of IT is present and it is a challenge for IT departments. A couple of years ago the company that I worked (and still work) for as external consultant banned all non-corporate laptops from the network, also they blocked internet access to mail services and social networks (for everyone) and so on for "security reasons". In the meantime Smartphones evolved with the inevitable "go and have fun" data flatrates, and now guess what... sure, people like me don't need the corporate network any longer, they bring their own and even connect their iPad to the smartphone's wlan router.

Now, what the policy can't achieve: keep users from doing what they want.

What it still does: protect the site's IT systems (e.g. from threats originating from unmanaged laptops)? Honestly, that's an illusion....

I'd like to point out another aspect that Harry & Tony already mentioned: once I learned that from the business perspective IT is just an enabling function, that doesn't live for itself. What the users can do with their devices and private document management and mail solutions or how deep they leverage social network and web 2.0 resources does not necessarily determine the way how their business processes at work are supported best. But who can make decisions about this? I don't see that user with FUIT attitude would survive in my company (pharmaceutical with tons of regulations (btw required by the FDA, an american institution ;-))), on the other hand who can firmly assert that more freedom with consumerized approaches won't create more business value in the future?


When people hear consumerization of IT, they typically think about the hardware (phones, tablets, laptops, etc) and letting the users pick their own.  That is more of the BYO program.  Honestly, I don’t like consumerization name because it is too vague (plus too hard to spell). What I see happening all over is Self Service.  This is the way the world is moving, and I’m not talking about IT anymore.  Go to the grocery store, Home Depot, the airport.  We have at least 3 different grocery stores in my suburb. Which one do I go to? The one that allows me to check myself out.  I don’t want to wait in line when I can just do it myself.  I have 2 Home Depots within 10 miles from my house. I always go to the one with Self Service lines.

The exact same thing happens in IT. Whoever is going to give me service faster and easier, they got my business. We all hear about “Security Risks” with this type of self-service model.  I call BS here.  A lot of users aren’t dealing with secret data.  Those that are, know it and should know the ramifications if they screw up.  

This is the “I want it now generation”, and we are all part of it.  If you can’t get it now from one place, you will invoke the words of Eric Cartman “Screw you guys, I’m going elsewhere”

I don’t want to blame IT because technology is evolving so fast and they have to manage the legacy systems and those critical line of business applications. You can’t expect them to create a dropbox-like alternative.  IT needs to refocus. Instead of focusing on all things technology within the organization, they need to focus on a smaller picture that is open but still provides users with the core infrastructure.  

IT needs to ask itself “What are the services we MUST deliver to our users?”


I do agree that not many people get the consumerization correct.. I have been working in the consumerization of IT for the last 8 years -- and pioneered this at FaceTime [now Actiance].

In my view, consumerization manifests in the following ways:

* Choice of devices -- BYOC, iPads

* Choice of apps -- user apps, cloud apps etc

* Choice of network/location -- outside the corporate network

We were evangelizing on why consumerizing is good for business, increasing the  productivity -- but IT used to focus more on 'blocking' consumerization -- simple allow/block.

It was using FW, Next-gen FW, IDP, pFW and whole suite of networking technologies to block consumerization.

However, in the last few years -- customers tend to accept that consumerization is good for business -- and they need to enable it, but in a secure way for business.

VDI solves 1 dimnesion of this, but customers need to take a wholistic approach to emracing consumerization with a combination of VDI + other networking and security technologies + including federation with some cloud apps..

If consumerization is not managed properly, this could be detrimental for business. I know of incidents where people used Skype to send sensitive documents to a competitor in China..

These applications are also stealthy on the network with P2P, onion-routing, HTTPS proxying, AES like encryption etc -- so that they avoid the detections..

I think we need to advise customers on the end-to-end blueprint on how to securely enable the consumerization with a combination of VDI, networking, security and cloud solutions with even federation...

FUIT is not the right approach.. it will be counter productive to business interests in terms of security and compliance.



I have to agree with @srini. At the end is really all about reinventing IT to be closer to what the users want, so IT and users agree to a common denominator. This whole idea you describe Brian of people getting whatever software they want to do their work I do see the benefits but at the same time you, and probably all the other users out there trying to do the same, completely forget about the legal implications and ramifications with such approach. Have we all read the EULAs on all the apps we get off the internet if they can be used for business for free or by paying the lowest price? Probably not, and we are technical people. Non-technical ones do not even know what an EULA is.

From a security standpoint, there will always be a way to sneak data out of the office for as long as a camera does exist. :-)

So the bottom line is all about finding a happy medium between IT and users where they get most of the stuff they want/need but provided to them with some sort of control and with legal understanding of the whole approach.




"Quote -  I agree that IT is evolving fast but I dont agree that corporate IT shouldnt be exempt from  providing systems which negate the need for consumerization, quite the opposite"

Note to self, see if you an fit any more double negatives into a single sentence next time around. :-)

An edit option would be nice Brian.


One other commment..

Users are jumping on all the devices, apps and access different websites with no aware of what they are doing. They get the movie, picture, video and facebook -- they are good. In my past life, when I did the study, 40% of worldwide PCs are botted.. There are very sophisticated attacks -- now using social engineering stuff.. Yes, cloud apps with receiver is one way of doing it -- perhaps running on chromebooks is one way to protect against the malware.. But what about data that users exchange on the web...

We live in a world where we are driven by consumerization -- but we also need to institute some best practices for consumers on how to manage their personal stuff. It is wild wild west right now.. And businesses suddenly have to embrace this wild wild west..



Great article, but I gotta say a few of your examples just point out that your IT department is lazy.

RPC over HTTP?  Nobody who cares about endpoint security would enable that.

Web proxies to get around firewall rules?  How about blocking all outbound web traffic unless it goes through your proxy server...which by the filter to prevent access to dropnox, gmail, etc?

If you rebuilt your laptop, your desktop group should notice that it isn't checking in anymore and should which point you would be immediately terminated for violating company security policies.

I agree that CoIT is a big issue, and it will not only be a tool for recruiting and retaining talent but also an opportunity to offload a bunch of the mundane day-to-day work that IT groups have to do so that we can focus on making the business more productive.  But I think your opinion on how easy it is to circumvent IT would be different if your IT group was more on the ball.  

I look forward to the second part of this one.

Btw, I really enjoyed your "how to lie with cost models" session at Synergy.  Great stuff hilariously presented.


Apple IS the consumerization of IT, and as long as they need to do things differently from everyone else they will always be the underdog - even now that they are the dominant player in the tech industry. Steve Jobs, RIP I hope Apple builds you an iCoffin soon.


@ Brian - Very good article..

For some posters here I recommend you disconnect internet access to your user population :)


The real issue is the implementation approach by IT.  If IT has to place restrictions on the users because of a risk to the company – the methods by which they place the restrictions are the issue.  IT must change the way they are thinking.  Old school doesn't work.  This is true for cloud evolution or on-premise solutions.  IT must focus on the end user as the customer - not the adversary.  IT must empower, simplify, and streamline the end users tasks. ie) be helpful.  Not get in the way.  The resolutions to the restrictions mentioned above, are indications of an end user problem with the wrong solution imposed by IT.  Instead of the “block the user” mentality, IT must look beyond the problem and ask, “What can I do to make the end users life better”.  End users finding creative methods to circumvent IT restrictions is a clear indication of IT becoming the problem vs solving the problem.  Clearly, a different way of thinking is required.


God I get tired of the FUIT-wah-wah-IT-is-keeping-me-from-doing-what-I-want. Great, the salesman buys his own copy of Salesforce. What if he needs it to exchange data with the company platform? Who takes care of that? What if he has problems with the app, who takes care of that? Is it really a good thing to have your salesman spending time resolving software problems instead of selling product?

Most IT people don't get their jollys preventing users from doing things. IT departments, like everyone else, has limited budgets. They can only support so much. They can only have so much staff. I fortunate to work at place where  the view is that IT's job is too help their user's do their's. If someone finds an app that benefits the company and is cost effective, we implement it. But there is only so much we can do. We have the research area where they can buy their own equipment and software. They know if it is not the company standard, support will be limited and they will pay extra for a Tech visit. Maybe in a Consumerized IT future when users buy their own devices and software IT can use the savings to hire more staff and train them to support all the apps and devices.

I can see why you have a FUIT attitude though. You worked at place where they had to VPN in to use Outlook? Really? They never heard of web access?  


so, at the risk of "kicking the hornets nest" and enduring the stings of " duhhhhhhhh".....

Does the info we have all seen on Windows 8  potentially running across Phones, Tablets, PC's, VM's / and, integrating current, legacy, local, and cloud apps/services - thereby perhaps giving IT a new "standard" in the face of all this heterogeneity - and users appetites for rogue solutions satisfied actually make a lot of sense?

There are some major gaps - though thinking about it - not sure if they are fatal.

Did Microsoft just signal they intend to solve a big part of this problem ???


I think the base article is on the money and, imho, the message is that IT incorporates, recommendes, and supports internal and external services. Essentially a published set of options, with caveats/support info, relative to thing they can control and those things they cannot. I think of it is a more complex/complete policy around the use of IT services. There's no reason IT can't incorporate dropbox, gmail, whatever into their accepted offering; with the caveats of "you can't use XXX app when you deal with YYY type of data." Turns out that scenario is even addressable with some tools out there (white/black list, user virt solutions, etc.). The bottom line is IT is better served by being a consumer of CoIT than completely igoring it. Is it easy? Heck no! I don't think the current or next article will suggest that. Is it doable? Sure, through policy and guidance. Sounds like parenting almost.

I get tired of hearing how VDI/SBC/Web2.0/appvirt/user virt solve all problems...they solve some, but utlimately don't address the CoIT issue, they are delivery mechanisms as mentioned. I also get tired of talking about devices, part of the solution here is figuring out Who the users are, Where the users are, and What applications/functionss the users need. IT can then provide or recommend solutions as the device world changes. I'm a Microsoft fan for the most part, but I sure hope my heads-up, 3D, hologram workspace of the future isn't presenting me "private cloud" only solutions.


I agree that this is happening. In my last work place we had a Brian Madden. He brought his own Mac and connected through our CAG to get to his Citrix Desktop and used his own iPhone to get his email through EAS.  He even sat in one of our remote offices and used his personal 3G card to connect in through the web instead of using the perfectly good Wyse temrinal on the same deskt he was sitting at.  No problem, his choice, his cash, not my problem right??

We allowed bring your own handset and had universal access to our Citrix environment.

The big problem I found with it was support. Sometimes people's email on their iPhone just stopped syncing. Someitmes Safari or Firefox would just stop connecting to the CAG and they couldn't get in using their stuff. Do you think it stopped them calling IT to say that they couldn't connect? No it didn't. Every time the smarmy bugger would ring up and blame the infrastructure and every time the issue was with his equipment. This was the only real issue I had with the FUIT model. My position was "Go for it, be productive. Be trendy with your Macbook, but don't call me when you can't get your ***t to work".

I've looooong been an advocate of no lockdown. It just make people less satified with IT and less productive. If you want people to respect your data sovereignty then offer then some training about what is important and why (wuthout being bloody-mineded or arbitrary) and fire the first guy who likes his freedom better than his job. Other than that let people do their jobs in the best way that make them productive.

In fact when find people are on to something good then make everyone else use it too!

I think Twitter and Facebook could make some really cash by offering corporates a way in. If we can't offer people a virtual team or collaboration platform that is better than Facebook then use Facebook, but do it in a consistent manner that fits into the management and provisioning framework.





Was part 2 ever published? A very interesting and timely article.

Jeremy makes some good points but one of IT's main objectives is to assist the business in making business and if that means assisting someone with their iPhone or Atrix or whatever then them's the breaks. But make business aware of the cost to support this....

Another one of the main objectives of IT to the business is protecting it's intellectual property. It's data. Perhaps the better way to approach this is to rather than lockdown and prevent someone from doing it is to educate the user (amd the busines) to the risk associated with the loss of this data. Then also monitor and track the movement of the data to cover IT's behind.

Ultimately it should be the business responsibility and not IT's to determine the policy.

I know, I know. Easier said than done and we are the ones left with the iPhone in our hands and an unhappy client.


Hi! i great read, however I can not see part 2?