Setting IT User Policies That Work
Trends like enterprise mobility, bring-your-own-device and cloud computing are knocking on IT's doors and CIOs are having a hard time deciding whether to welcome them in or be the rude host and turn them away.
The wave of new age technologies that are invading the enterprise has spurred the debate on who sets IT user policy and how organizations can control it. Richard H. Thaler, a Professor of Behavioral Science and Economics, in his paper- "Test, Adapt, Learn: Developing Public Policy with Randomised Controlled Trials" cites two principles that help policy makers create good policies that work for normal people:
- If you want to encourage some activity, make it easy.
- You can't make evidence-based policy decisions without evidence.
"These are exactly the principles that CIOs should apply when making decisions and rolling out a workforce technology, be it a social business and collaboration strategy, hardware refresh, tablet deployment, teleworking strategy, desktop virtualization program, or any other technology program that touches a lot of employees," writes Ted Schadler, Vice President, Principal Analyst at Forrester Research in his blog.
Be it full-fledged enterprise mobility or accessing corporate e-mal over the phone, there needs to be a specific set of rules and guidelines incorporated in the user policy that defines who gets to do what, when and where. The conversation titled ' Who Sets IT User Policy? A CIO Power Panel Discussion' at the Computerworld IT Roadmap event held across the three cities of Bangalore Mumbai and Delhi threw up multiple points of view on the ownership of the policies, the implementers and how to gain maximum compliance.
While creating an effective IT user policy falls under the domain of IT, Sudhir Reddy, CIO, MindTree believes that it is not the sole responsibility of IT. "While a large portion of the responsibility rests on the shoulder of IT, policy building is a very collaborative and consultative effort," he says.
Sunil Mehta, Sr. VP & Area Systems Director- Central Asia, JWT concurs, "User policies cannot be developed by IT in isolation and will have to be a consultative process with the departments involved. IT cannot the big daddy of the organization and dictate terms for everything".
User policies, however, aren't things you could develop once and forget about. With evolution in the technology space, the policies too will need to transform.
The development of user policy is a balancing act since there are internal stakeholders other than the CIO within the organization and there are customers and external partners. Ranga Raj, CIO, CelStream states, "Organizations need to look at what makes sense keeping in mind the strategies of all parties involved".
Once the user policies are built collaboratively it needs to be communicated to the employees in an easily understandable format. The onus of ensuring user compliance does rest with IT. "Even though the development of the policy is a consultative effort, IT still owns it. There will be instances where IT will have to put its foot down and decide the course of action," says Guruprasad Murty, VP-IT & IS, Microland.
Mehta feels that, as the custodian of corporate data, it becomes the responsibility of IT to create the user policies in a way that the users are motivated to follow the guidelines. "We crunch our policies into 5 action points and send those to users along with the detailed policy document that is attached for their reference," he adds.
Organizations are also grappling with the problem of attrition that adversely affects today's enterprises. Almost as soon as the organization trains a batch of its employees some of them decide to leave and new ones take their place. "This necessitates continuous training and awareness programs for the employees," says Neena Pahuja, CIO, Max HealthCare.
User policies, however, aren't things you could develop once and forget about. With evolution in the technology space, the policies too will need to transform. "Technologies, ecosystem and people change. So the user policy has to be a constantly updated document and refreshed with the latest that impacts us," states Ranga Raj.
But even a constantly updated policy that is easily understandable fails to gain traction with employees if the senior management does not set the right example. "We roll out our policies top down and make sure we set the right example in terms of complying with the user policies and then it is filtered down the line," says Mehta.
Vijay Sethi, VP & CIO, Hero MotoCorp also believes in leading by example. "If there are any guidelines that any one in the top management feels uncomfortable about, then it is scrapped for everybody," he says.
Security has long been a primary challenge in the health IT market, and two new reports help illustrate the vulnerabilities surrounding some of the most sensitive consumer data.
Is it possible to secure the Internet? And if so, what would it cost?
The information security industry is hot right now, but it's hot because it's failing. Daily announcements about breaches confirm that criminals are winning. How can InfoSec reposition itself?
Build relationships with software publishers, evaluate various contracts and licensing models and choose what best suits your environment. All software publishers today have a solution for every stage of your business, says Yolynd Lobo, India Director, BSA.