In a Mobile First world, the role of IT shifts from being the sole arbiter of workplace technology to being a trusted advisor to executives, managers, and individual employees. The ease and ubiquity of mobile apps and cloud services have created a world in which anyone can source their own tools and it is increasingly individuals, ad hoc teams, and entire departments are doing so.
The phenomenon, dubbed shadow IT, presents challenges and opportunities. Addressing it requires the CIO and IT leadership to take on this new trusted advisor role. This new role will be required for IT success in the coming years and it is already redefining the relationship between lines of business and the IT department.
Being a trusted advisor requires trust. MobileIron’s 2015 Trust Gap survey indicates that while employees generally trust their employers or IT departments to keep personal data on their mobile devices private, there is still work to be done in building trust.
The survey found that 61% of workers trust that personal information on their devices will be kept private. It also found, however, that 30% of workers would leave their job if their employer could see personal information on their mobile devices.
Although the majority of workers trust their data will be kept private, there appears to be confusion about what IT can or cannot see on managed devices and what IT might do with specific pieces of information. These are areas that IT leaders can provide clarity and build a broader framework of trust and communication.
Ensuring employees understand how their privacy is protected
Absent clear understanding, it’s generally human nature to be skeptical. This is particularly true when IT has long been able to see anything on a user’s work PC. As a result many employees overestimate what IT can see on their devices.
The reality is that IT cannot actually see much personal data. On iOS, for example, a typical employer could potentially see carrier, country, device make and model, OS version, phone number, location, list of installed apps, and corporate email. But, even if they wanted to, employers could not see personal email, texts, photos, videos, voicemail, and web activity. The exception to this is data traffic that goes through the corporate network.
Many users don’t realize the limitations, however. They also may not recognize why IT needs to see or act on any of the data can be seen. This can create a sense of ambivalence or concern, particularly given that all devices are now mixed use, regardless of device ownership, and that they are storing increasingly personal data including key health metrics.
Communicating privacy is a major opportunity
As I’ve noted in several Rethink: CIO posts, many challenges that IT leaders face today are also major opportunities, though seeing them as such may require a slight change in mindset.
In this case, the opportunity is to dispel any potential distrust by communicating with employees directly about what IT can see and can’t see. Also important to communicate is what IT chooses to look at and why. Finally it means protecting employee privacy as fiercely as if it were corporate information and making sure that employees know that.
The first step in seizing this opportunity is to be completely clear with users about what IT can see. They should know without a doubt whether their personal emails or photos are visible. The same goes for app inventories, which recent iOS and Windows Phone versions filter to display only managed business apps.
As new and particularly sensitive features become standard on each platform, it’s important lead out and indicate whether or not IT has access to that data. The addition of reproductive health information to HealthKit is a great example. Although it might seem obvious that IT won’t be able to see it, this is intensely personal information and explicitly pointing out that it won’t be seen can go a long way towards building trust.
Next is what IT chooses to monitor and why. IT can monitor a fair number of things, including a user’s location and details about their device and it’s OS. There are many reasons that this is important. Knowing a user’s OS version let’s you determine if their device is vulnerable to an exploit. Knowing their location and carrier data can indicate if they are roaming internationally, which could get quite expensive.
Being able to monitor these types of information is hardly malicious. In many ways, they’re IT looking out for the user as much as for the corporate data on the device. Users need to understand that. They need to know the why as much as the what.
Communicating in ways that increase trust
There are many ways for IT to communicate this information to workers. It could include a detailed explanation on the device during and after enrollment (as in the Visual Privacy feature MobileIron announced during the Mobile First Conference last month). It could be via email. It could be during support calls. It could be through workplace wikis or social media. It could be through videos demonstrating what IT can do, will do, and why. It could be by inviting users to peek behind the curtain and spend time in the IT department.
Ideally, it should be a mix of these approaches. One approach isn’t likely to reach or resonate with everyone. The broader the approach, the better.
The Trust Gap survey results indicate that there is work to be in communicating about privacy with workers. Doing that work, however, can really pay off in establishing a better relationship between IT and the rest of an organization.