A consumer enterprise

As end-users become increasingly savvy, more consumer technology will find its way into enterprises and force IT departments to think differently about endpoints.
A consumer enterprise
By Sathya Ashok
Mon 21 Apr 2008 04:00 AM

As end-users become increasingly savvy, more consumer technology will find its way into enterprises and force IT departments to think differently about endpoints.

NME met Mark Bregman, CTO of Symantec to discuss how the modern-day CIO can prepare himself for the shift.

What does consumerisation of enterprises mean for companies and CIOs?

The CIO has been given the responsibility of protecting and managing the company’s assets. And now you have an employee who is saying I am going to do it my way. Well, how can the CIO allow that?

The idea of consumerisation in the enterprise is something that we have been thinking about for sometime. Symantec has both a big consumer business and a big enterprise business. In the past we always thought of them separately.

But one of the things that we have noticed is that increasingly the things that we do and the expectations that we have as consumers are starting to be brought back into the workplace. When I started in the business world, in my first job, they told me here's how to use the computer, here's how to use the IT system - it was all defined and decided by IT.

Today when you hire a new employee they already have an expectation, they have used computers and had them around since they were born. They come into the workplace and they already have a point of view on how to use technology. That is the fundamental underpinning of enterprise consumerisation.

Technology itself has triggered this. Technology has changed the way we think about work. With increasing mobility, the boundary between work and personal life is very blurred. That is the origin of this whole trend.

Now this leads to some very interesting challenges for the CIO. The CIO has been given the responsibility of protecting and managing the company's assets. And now you have an employee who is saying I am going to do it my way. Well, how can the CIO allow that? The traditional solution is that the CIO locks down the systems. You know, here is your company laptop, you can only use it for company reasons because I have to protect the information.

Well, how many employees have a company laptop or mobile phone that actually has no personal information on it? Zero - let's be honest. No one does it. This is not realistic any more. So the challenge from a technology point of view, something that we worry about in our company, and a challenge for the CIO is can we use technology to make this happen in a way that allows the employee to do things but allows the company to control it as well?

Let me give you a concrete example. Say, I have a policy that this is the company laptop and you can only use it for company activity. Instead what if I had a policy that said use whatever laptop you want? Now as the CIO I need technology that allows me to protect the company from things that you have on your laptop, because you might not be careful.

If I am going to back-up data from the laptop, I don't want to back-up your personal information because that would be a privacy problem. So I need that technology. And those are starting to be feasible. They weren't a few years ago but with virtualisation at the end-point, data classification and data protection, you can start to see examples of the leading companies who are experimenting with this.

That is part of what is happening with consumerisation in the enterprise. And it is fundamentally changing the way the IT department thinks about the endpoint.

Is this restricted to mobility or is it relevant across other solutions?

Absolutely it is. Take applications. You are familiar with the term mashups. They started with consumers who said I could take some information from this real estate company and Google Maps and I can combine them so that I can see all the houses for sale. That's a great app.

What is happening now inside a company you get somebody who has that kind of web 2.0 thinking and they say I don't want to go to the IT department to have them build me a new report - I want to do it myself. I am going to take some data from the sales and marketing department and I am going to do a mashup myself.

That is not a mobility issue, it is the way apps are built. As soon as you start to do that the IT department is very nervous, they are losing control, they can't control it anymore, because it is non-IT personnel who are building it. That is going to change the way they think about it.

How do you see the geographic spread of this trend?

I see them in a lot of places. It is driven by the age demographics. In a mature company that is not hiring a lot of people every year because they are not growing it is not going to happen as quickly since they have an older population of people who are used to the old model.

In a company that is growing very quickly, they are hiring lots of new graduates, it is happening very quickly. And that is independent of the geography.

There is also the issue of recruiting and retaining good employees. If someone comes into my company and they don't like the environment, they don't think they can get the job done because the tools aren't provided, then they are going to leave. So if I want to recruit people and I want to retain the best, then I have to change. And that is the thing that is driving it more than region by region.

I am less familiar with the Middle East since this is my first visit to Dubai but I think we see the same thing happening here. As you hire new people and many of these economies are growing very quickly the companies are growing quickly, they are bringing in a lot of people and a lot of them who are coming in are younger and they are coming with a set of expectations.
And part of those is that if there is a shortage of labour and you want me to come and work for your company you better provide an environment where I can be productive and I can use my tools - those are the dynamics.

What is Symantec doing to increase best practices for storage and disaster recovery among enterprises globally?

Let me start with basic storage. One of the things that we try to tell people is whatever you decide to do you need a storage strategy which is very adaptable.

What is often not understood in disaster recovery is that when you look at risk there are two factors – what is the probability of that bad event and what is the impact.

The company may decide to pick a single vendor and that is going to be the way to standardise, but with the growth of all of our businesses the probability is that the firm will merge with or acquire another company and they will have a different choice.

And then you are not going to have a uniform or homogeneous solution anymore. The idea of simplifying with a single vendor is naïve. Overtime you can't avoid combinations because even if it is not an acquisition other vendors are going to come with better offers.

It is very important to try and standardise on a set of tools that allow you to manage an environment which has a lot of variety in vendors. That will be the first step.

The second thing is that if you do that it also allows you to train your staff with one set of tools - so you save on training costs and you save on staff because now they can be shared among different tasks more effectively. We believe this whole idea of standardisation at the software layer is very critical.

If you have a set of standardised tools that allow you to manage not just different vendors but different tiers of storage, you can't avoid getting started with the problem but you can avoid having to live with it.

At a certain point you can say we have these silos of storage, they are not structured correctly, we should put our less important data on the less costly storage and the more critical data on the more costly, high availability, higher performance storage.

These tools allow you to do that. Standardise because there is going to be multiple platforms in your environment; but also pick a set of tools that can withstand and deliver all the needs of your storage management.

The next stage is not just active or online storage, but also offline storage - the simplest stage of which is back-up. Looking for a way where you can manage, back-up in a systematic way across the datacentre and the branch offices, the servers and the desktops, that vendor agnostic approach is even more important.

What is often not understood in disaster recovery is that when you look at risk there are two factors - what is the probability of that bad event and what is the impact. Often companies do not evaluate that very correctly.

They say "well, the likelihood of a disaster is very small so we won't worry." But when you go through the assessment you say "yes, the probability is small, but that will put you out of business" - you won't just lose money, you will be out of business. With that big an impact I would do something.

Having a systematic assessment is the first step in disaster recovery and that's an area we can help with because we have people in our consulting practice who understand that. It is not a simple IT problem, it is more a business problem. An outage can have a huge impact on reputation and damage the entire business.

Most companies do not think that way - they think of disaster recovery as an IT problem. It is a business problem and that is what they need to start thinking about.

What do you believe are the biggest trends likely to affect datacentres in the near future?

We are at the cusp of a big change. If you go back to early 90s, the mainframe was the centre and Unix was starting to come into it. The perception was that the mainframe was the real computer and the Unix stuff was temporary. Here we are fifteen years later and Unix is the mainframe. The mainframe did not go away but it never made the transition to the new applications.

The traditional big Unix system that is in the datacentre is the legacy platform, in my opinion, and we are about to see a transition to a different model which is the next generation platform and it is more like what Google has.

It is masses of low-cost systems and enterprises won't care if they fail because they would have built software to avoid and manage around that. It is a different model than the hardcore transaction systems that we have today. It is more the web transaction model. And the apps are built differently.

Web 2.0 is the new model and we are going to see that transition. It is not going to happen overnight, the old one is not going to go away, but, maybe two years from now, certainly five years from now, the new apps will be built on that platform.
The old apps are not going to move - we are not going to move SAP to that new platform, just like we never moved the back office systems from the mainframe. But the new apps are going to be on that new platform and that is going to change the way we think about things in the datacentre. It is going to be driven by several factors, power and cooling among others.

Recently, a Wall Street company set up a thin building where all the computing power has been moved from the desktop to the datacentre. They have a specially tuned network and multiple IP networks, some optimised for latency and others for throughput.

This region might not be at the cutting edge, although I think some of the companies are, but they are catching up very quickly. My impressions are that there is a great desire to take advantage of best practices.

They did that for power reasons. When they did the initial sizing, they realised that they could not afford the power if they put high performance work stations at every trader's desk. It is very interesting how power considerations are driving IT.

It is having a fundamental impact on how we are thinking of managing systems as well. Their traders can now move easily between systems. That is more the web model - if I think of a web app I can use your computer as well as mine. The whole model is changing.

How and where do you think enterprises can start with security best practices and policies?

I think compliance is a good place to start. Usually in the US when we say compliance we mean regulatory compliance - Sarbanes Oxley or HIPAA or something like that - and that is one dimension of compliance. Another dimension is how to comply with a set of policies. We could have the executive team sit in the boardroom and make a decision about protecting the data and having some rules.

But in fact they are not implemented and there is no way of knowing that. The tools that are becoming available to help companies manage compliance also become a way to adopt best practices because most of those tools come with a starter kit of templates which are based on best practices.

Take security for example - if you deploy some compliance tools to verify that you are secure the first thing you will notice when you pull it out of the box is the starter kit template. You could have these settings for firewalls, this rule for passwords, this procedure - some of the compliance issues are not purely technical.

When an employee leaves the company there is several things that should be done and best practices encompass all of these. Certainly you should change their access to the IT accounts, take their badge so they can't come back to the building - simple things like that which are handled across different departments in the company and so are difficult to co-ordinate.

However, a good compliance tool will cover all of that. And just by looking as you deploy that compliance tool at the procedure and process, companies can start to build best practices around the basic security items, even if they are not worried about regulatory compliance or more sophisticated aspects of corporate governance.

What are going to be the biggest trends affecting enterprises in the near future?

We spoke about two trends - consumerisation and the next generation of datacentres. The third one that I think about is basically that the boundaries between enterprises are breaking down. There is a kind of outsourcing that is normally not counted as outsourcing but is happening now because we are building the apps for it.

Our own company, we outsource our payroll. We have employment records and we give certain information to an outside company so that they can process the paycheques.

The information we give includes name, address, social security number, bank account - very private information. As an employee I have given that to Symantec, I expect Symantec to protect it. Symantec has given that to another company for business- but how do you ensure the other company is doing the right things to protect it?

The way it is done today is by contract. When that deal was made, we made up a contract that says you must follow these policies and here is what happens if you violate them. How do we know they violate them? If there is a failure and we have some remedies or maybe if we do an audit. Neither one of those is very helpful, I want to know before it can cause a problem.

I think there is going to be a change in the way we think about policy so that we can extend it beyond the boundaries of our enterprise and I mean not just on paper but in terms of electronic monitoring.

When that company makes a change to their back-up strategy, if it violates my policy I need to know. We are going to see more and more technology that spans the boundaries. SOA is an example.

It's a great idea to have SOA architecture - it's a great idea to have web services - but how do I actually manage them and unless I have a distributed policy management approach I cannot manage them. That is the other big thing there is a change in the way we manage IT to systematically manage these boundary-less organisations.

This region might not be at the cutting edge, although I think some of the companies are, but they are catching up very quickly. My impressions are that there is a great desire to take advantage of best practices.

That is an area that we are excited about because that is a big growth area. There is a willingness and interest in adopting new technologies and practices.

And adopting the best solutions that is going to be a big opportunity for us, as a supplier of technology and services and for the customer who has the ability to - leapfrog is not quite the word because I don't believe they want to be on the bleeding edge - but certainly be very close in implementing the best practices.

For all the latest tech news from the UAE and Gulf countries, follow us on Twitter and Linkedin, like us on Facebook and subscribe to our YouTube page, which is updated daily.

Subscribe to our Newsletter

Subscribe to Arabian Business' newsletter to receive the latest breaking news and business stories in Dubai,the UAE and the GCC straight to your inbox.