Craig Roth

A member of the Gartner Blog Network

Craig Roth
Managing Vice President: Communication, Collaboration, and Content
4 years at Gartner
25 years IT industry

Craig Roth is a vice president and service director for Gartner Research, in Burton Group's Collaboration and Content Strategies service. Mr. Roth covers a wide range of knowledge and Web-related topics at the intersection of collaboration, content… Read Full Bio

Coverage Areas:

When Policy and Practice Diverge?

by Craig Roth  |  February 14, 2011  |  2 Comments

Does it matter if organizations have a policy about use of consumer technology at work?  When I talk to staff and mid-level IT employees (particularly those in the communication and collaboration departments) it’s clear that even if those policies exist they are often bunk. 

Our U.S. Symposium survey showed about three quarters of the 189 people that took the survey work in organizations that have a policy (90% of the time that policy is to disallow their use).  My question today, is what are the cultural impacts when there is an obvious disconnect between policy and practice in an organization?  There are many other impacts, such as opening up security holes and e-discovery vulnerability.  But I’ve seen a lot written on security and e-discovery risks of employees using consumer devices and websites for work.  I haven’t seen much on the cultural impacts:

  • It creates a new group of “haves” and “have nots”.  The “haves” are usually in two categories: techies and execs.  Techies possess the technical savvy to use devices or get to websites of their choice despite lack of assistance or blocks from IT.  Or sometimes they can declare them a “research” or a “pilot”.  Execs possess the authority to ignore the policy without fear of reprisal.
  • It creates a status marker.  By flashing around a forbidden iPad with full access to enterprise e-mail, the out-of-compliance employee is demonstrating that they are more technically savvy, have more authority (or immunity from rules), or are more fearless than the cowering masses around them.
  • It hampers the authority of other policies.  Other policies, from dress code to travel guidelines, may seem unrelated to use of iPhones or LinkedIn at work.  But open flaunting of technology use policies calls into question the need to comply with other policies as well.

My point is not that there should be iron-fisted enforcement.  First, I’m just thinking aloud about the cultural impact of consumer use policies and would like to know if others have observed the same.  If I’m right, then I’d argue organizations shouldn’t publish these policies if they don’t plan to enforce them because not having a policy may be less damaging than having one that is frequently and publicly flaunted.


Category: Organization Social software     Tags:

2 responses so far ↓

  • 1 Aaron   February 23, 2011 at 4:22 pm

    A rule of thumb I try to follow: Do not write a policy that you cannot enforce. The understanding is that there are policies that a company must formulate, and behavior that must be followed. But it must be consistent, relevant, pertinent and enforceable. The policy must clearly state the intent, as well as the penalties for non-compliance.

  • 2 Craig Roth   February 23, 2011 at 4:27 pm

    I agree Aaron. For those times where you know a policy can’t or won’t be enforced, maybe it’s better to reword them as “guidelines” or “tips”. You still get to point out correct behavior, but this was when you don’t enforce, it will not diminish the authority of future policies.