By 2008, 10 percent of companies will require employee-purchased notebooks.

This prediction may seem bold to most IT managers, who will find it hard to see how they can give up control safely. On the other hand, just 10 percent of companies moving to this over three years isn't really a revolution, and perhaps we have left the question of any eventual tipping point ambiguous.

Submit a Comment | Permalink

We don't believe this will be an attractive option for everyone. However, it is a radical step for IT organizations, especially given current concerns over accountability and compliance. We believe reaching a tipping point will require general availability of user-focused support and maintenance services, so employees can ensure minimum acceptable levels of availability of a suitable machine. Until we see that market develop, any indications of when such a tipping point could arrive would be purely speculative.

One of the gating factors on the timing of this prediction is replacement cycles. Large enterprises tend to refresh their notebooks every three years. We are completing a major notebook replacement cycle right now, and the next one is anticipated in 2008. After that, we won't see one until the end of the decade.

It should also be noted that with smaller businesses, the adoption rate of employee-owned notebooks will be much higher. We are already seeing small to midsize businesses that require notebook ownership as a term of employment. Just as many mechanics and carpenters are expected to bring their own tools to the job, knowledge workers will be expected to do the same in these smaller companies.

We believe that this trend will follow a pattern of slow introduction, rapid ascendance and slow final penetration. It is always difficult to predict exactly when the period of rapid ascendance will begin. We believe that it will start somewhere between 2008 and 2010, and take two to four years to affect half of the market. In selecting 2008 and 10 percent of companies, we are identifying the initial year in which the phenomenon will first be observed in mainstream markets.

Presumably, the management culture of the first 10 percent is somehow different so they can overcome traditional control needs. Maybe the early adopters have common traits.

We are already seeing early adopters, who have re-engineered user processes and applications to make working with privately owned devices practical. The cultural changes required to do this demand a willingness to "let go" of the physical asset and are often accompanied by a more general desire to redeploy IT resources toward "value-add" rather than maintenance functions. None of this is possible unless the organization is willing and able to effectively distinguish its own responsibilities from those of the user. A shift in general approach from "protecting users from themselves" toward "enabling users" is a crucial first step.

These are also companies that are willing to totally rethink their security and application delivery strategies. They have recognized that the old concept of perimeter security (i.e., making the enterprise a fortress surrounded by a security moat that keeps out all the bad guys - and only the safe "good" guys are inside) is now seriously compromised. The perimeter has become more porous as contractors, customers, partners and mobile workers have gained free access to the corporate network and corporate data. Once a company accepts that it needs to put the control at the network level (e.g., moving sensitive applications and data off local hard drives, using scan and block techniques to restrict network access), there is less need to control local users.

These more-forward-looking companies will also be early adopters of PC virtualization and use it as a strong enabler for employee ownership of notebooks. Companies will use this technology to strongly enforce policies covering notebook use for company purposes in one virtual machine (VM) or partition, while allowing the user total flexibility for personal use in another.
The point is that these companies are not satisfied with "business as usual" or the status quo.

This "own your own kit" concept has not dominated corporate cellular telephony - despite the fact that handsets are inherently more secure. What makes PCs different?

PCs are heavily exposed to the steady encroachment of user-owned data and applications. Unless these can be separated from enterprise functions, the cost and complexity of managing the enterprise "PC footprint" will continue to grow, even if no new enterprise applications are deployed.

First of all, many people do buy and own their cell phones but expense the monthly service. With notebooks, we are also seeing a huge level of personalization. In addition to corporate data and applications, family photos, MP3 files and personal income tax records are just a few examples of the wide range of personal data. Increasingly, notebooks are also being used as personal entertainment devices. Many traveling workers routinely bring DVDs to watch on airplane trips or in hotel rooms. Each person has different requirements and usage patterns, and would like more choice in the type of hardware available.
We are also starting to see a shift in the workforce. Younger workers, especially, are likely to have their own notebooks already.

Most people have personal phones; corporate phones are relatively rare compared to private phones. Company cars are also slowly disappearing. Cell phones are also small. It isn't too unreasonable to carry two cell phones, but carrying two PCs is pretty much impossible.

This prediction is about laptops - is it not true for desktops, too?

Enterprise-owned desktop PCs usually reside only within enterprise premises. They are easier to lock down to combat the encroachment of user data and applications. More importantly, we see very little incentive for users to want to own their work desktop PC. For the notebook, it's different - it's a much more personal device, will likely be only intermittently directly connected to enterprise networks, and is much more exposed to encroachment of personal "stuff."

Once you give staff an inch, they will take a mile. Won't people immediately play the edges of this? For example, someone might suggest they can buy themselves an Archos media player with company money, because it can be used for storing files and showing presentations. I can imagine IT departments ending up with reams of lists and rules about what is and what is not acceptable.

The key change we are highlighting here is a shift in enterprise policy. Rather than closing their eyes to exceptions, organizations will define new policies for how they work with those exceptions. The most important policy will define "minimum availability of a suitable machine." The word "suitable" is crucial - if it can be made to look like a PC to enterprise software and is sufficiently performant and reliable enough to meet availability needs, then that is all that functionally matters. Company-car schemes provide a good analogy here: Sports cars, vans and pickups are not allowed. Remember that the IT department will no longer take responsibility for the physical asset, so the user must be allowed choice - provided the notebook they choose is still up to the job. In practice, we expect enterprises to sign deals with suppliers to steer user preferences toward certain models.

Anarchy does not have to prevail. There are several best practices to apply.
Partner with a PC vendor to provide "preferred" models at discounted prices. Make discounted support available with those machines. These are strong incentives for buyers.
Establish three levels of support:
• Fully supported standard or preferred models, which receive full support and access privileges
• Data interface support only, which is for devices that can be connected to enterprise information sources to retrieve information through controlled ports, but for which only "best effort" support is provided
• Nonsupported, which is for devices that appear in such low volume or that are so consumer-oriented that the PC group cannot provide support

Just saying "no" currently doesn't work to keep nonstandard devices out of the enterprise. As a result, it is always better to provide incentives for compliance. The idea is to make the standard devices or preferred models as richly supported as possible. The second category is supported on a "best effort" basis but will not get application support, training or intense help desk support. It is only realistically possible to create the list of unsupported items by being flexible with the first two categories.

By the time I set up bulk buying deals, constantly update and police complex rules for permissible equipment choices, manage financial administration of the stipends, create Web app versions of key software for universal access, manage the PC virtualization technologies required for safe operation, and so on, won't I be spending just as much time and effort as managing standard equipment directly?

No. Much of the complexity and effort of managing the PC will pass to users and their support providers. The virtualized, thinner image installed on user-owned devices will be significantly more standardized and easier to manage. Moreover, the steady bloating of enterprise management responsibilities caused by encroachment of user "stuff" will be contained. There is also another key issue to consider: Consumerization of PCs is happening anyway. This approach will allow organizations to manage and harness the trend to advantage, rather than simply denying its existence.

Are the gains so great? Can we trust people to make better choices for themselves and their jobs than IT experts? What sort of choices might they make that corporate IT groups would usually think to support? Perhaps this is a "long tail" thing.

Whether users will make better choices or not is irrelevant. They increasingly want that choice anyway. In a knowledge-based economy, it is increasingly difficult to tell skilled and valuable employees exactly how they can and can't use their notebook PC. If they deliver high value to your organization and want to consolidate their personal usage requirements onto the device they use for work, it will be hard to say "no." But yes, this will be a long-tail thing: Being able to define a clear line between the enterprise and the user on a device requires clarity on the enterprise side, and few organizations truly have that today.

Frankly, I don't think this prediction is realistic. The trend towards security improvements especially end device hardening and so on can not be ignored. Maybe the prediction becomes more realistic when applied to mobile phones, handhelds, blackberries or similar which are becoming more and more "Mini-PC" like and personalised.

Regards,
Christiane Kesper

New hardware virtualization technology will help here. IT organizations will be able to deploy a secure “software appliance” that is a complete Windows environment in a hardened capsule that runs in a virtual machine. So the notebook may be unmanaged, but the corporate IT appliance is more tightly managed – and more secure - than m ost notebooks today. Corporate IT has lockdown control of its piece and the user has flexibility for personal use.

So organizations push responsibility for buying and maintaining laptops (also PDAs, cell phones and other personal electronics?) onto employees. It gets around the increasingly expensive and untenable prospect of trying to track, manage and control mobile assets. Hardware virtualization takes care of security. And this is already starting for small companies. But for larger organizations and the public sector, wouldn't legal and liability concerns trump savings? Should they? On those companies that are doing this, any figures on incidence of damage or loss to employee-owned machines?

Back in 2001 or so we predicted that SSL VPNs would show strong growth, because so many enterprises needed/wanted to allow employees to do work from home PCs, kiosks, PCs owned by other companies, etc. This has happened in a very big way over the past three years - this has been the first wave of "bring your own PC to work."

What Gartner said was needed to do this securely we now call "Network Access Control" - the ability to check anything connecting to the network and determin if it is "safe":

1. Is password capture installed on this machine, meaning it isn't even safe to let the user enter their corporate access password?
2. Is malicious software installed that will harm the network or other PCs or servers on the network?
3. Is it safe to allow sensitive information to be sent to this PC?

There are large vendors, like Checkpoint and Cisco and Symantec, as well as many small vendors that sell this capability now and more coming. This is an absolutely required capability before any real business can do the "bring your own PC to work" kind of thing. It will be several years before hardware virtualization is stable and ubiquitous to play a major role here.

This problem pattern already exists in other areas: cellphones for communications, IM identity addresses for instant communications and even driver licenses for delivery industries.
Unless the company's business and back office operations are clearly re-designed to move from (access) based device security to transport layer security (not dependent on device), I do not see it happenning. I agree with Joe P that while this security technology (IP Sec VPN, etc), the business applications have to be re-thought within the constraints of this model (leave no sensitive data on accessing device) for this to work.

Another key trend that would impact this would be the Compliance and Corporate Governance regulations.

So what happens when an Employee Purchased Laptop (EPL) has problems (and now the employee can not work?) Does the company dispatch technical people to attempt a fix on the EPL or is the employee responsible to fix it by whatever means? What about intellectual property that may be copied to the EPL? There are an easy 20-30 more issues around EPL. Yes, one could implement a myriad of technologies, processes and procedures to overcome most of the issues but why bother? Spend the $1,500 for the Company Purchased Laptop (CPL) with a 3 year warranty, lay down a standardized image and you are done.

IMHO

In the discussion, in my opinion, should be included many factors:
- the entrance in workforce of "playstation" generation with the need of using multiple devices (smartphone,laptop,i-pod) and at the same time having task continuity
- the maturity of the convergence of wireless and wireline technologies
- the definition of workplace : working in ubiquity (office, home, "on the road") will be a must
- the employment contracts: more temporary jobs and as consequence more rotations on job

These factors will bring up on the list of IS organizations the need of having:
- a proactive security strategy (more education, formation than perimeter closing)
- a well defined management paltform (security control access, identity management, remote distribution, remote support) that must address multiple devices (smartphone, pda, company-laptop, personal-laptop)
- a "copernican revolution2 of the role of corporate IT: more support organization and less in control

Of course there are risks associated but how often in the past IT was struggling behind the rapid changes in business/social environment ?