Does it matter if organizations have a policy about use of consumer technology at work? When I talk to staff and mid-level IT employees (particularly those in the communication and collaboration departments) it’s clear that even if those policies exist they are often bunk.
Our U.S. Symposium survey showed about three quarters of the 189 people that took the survey work in organizations that have a policy (90% of the time that policy is to disallow their use). My question today, is what are the cultural impacts when there is an obvious disconnect between policy and practice in an organization? There are many other impacts, such as opening up security holes and e-discovery vulnerability. But I’ve seen a lot written on security and e-discovery risks of employees using consumer devices and websites for work. I haven’t seen much on the cultural impacts:
- It creates a new group of “haves” and “have nots”. The “haves” are usually in two categories: techies and execs. Techies possess the technical savvy to use devices or get to websites of their choice despite lack of assistance or blocks from IT. Or sometimes they can declare them a “research” or a “pilot”. Execs possess the authority to ignore the policy without fear of reprisal.
- It creates a status marker. By flashing around a forbidden iPad with full access to enterprise e-mail, the out-of-compliance employee is demonstrating that they are more technically savvy, have more authority (or immunity from rules), or are more fearless than the cowering masses around them.
- It hampers the authority of other policies. Other policies, from dress code to travel guidelines, may seem unrelated to use of iPhones or LinkedIn at work. But open flaunting of technology use policies calls into question the need to comply with other policies as well.
My point is not that there should be iron-fisted enforcement. First, I’m just thinking aloud about the cultural impact of consumer use policies and would like to know if others have observed the same. If I’m right, then I’d argue organizations shouldn’t publish these policies if they don’t plan to enforce them because not having a policy may be less damaging than having one that is frequently and publicly flaunted.