Does governance really matter?

Does governance really matter?

Summary: Does cloud governance really matter? I'm not convinced - at least not at this stage of proceedings.


RIM's latest attempt at revitalising its business in the shape of managing security around not only its own but also Android and iPhone devices caught my eye for several reasons. From the piece by IDG:

The growing number of corporate and employee-owned mobile devices poses a challenge for enterprises that want to let employees choose their own devices, while making sure sensitive data remains secure and business applications uncorrupted...

Because of its long enterprise experience and reputation for security, RIM may be better suited than its mobile OS rivals to dive into mobile management as a business. But the company also is strongly motivated to make its customers happy, as sales of its smartphones decline and shipping dates for some products slip.

I'm not so interested in whether RIM makes a strong play, although I wish them well. Rather I wonder whether it matters. At last week's SAP UK & Ireland User Group conference, Ray Wang, CEO Constellation Research (disclosure: I am on the board of advisors), asked how many attendees carried more than one mobile device. A good number of hands went up. Maybe 25-30%. Only a few (like Ray and I) carry three or more. What he didn't ask was why?

Anecdotally, we hear that many people habitually bring their own devices and laptops into their place of work, largely to get things done when the office systems fall over. I don't see IT going balls out to stop those behaviors. I expect line of business leaders would have much to say on that topic, pushing back hard if it means people twiddling their thumbs. Or worse still, playing Farmville over 3G.

The more important point is whether it matters in the first place. Hands up all those who know about employee group behavior that is wreaking havoc inside the enterprise as a result of bringing in unauthorised iPhones? I haven't heard of such a case. I doubt we would except a long time after the event. At least not in a way that could be readily discussed in the public domain. It's too embarrassing.

It begs the question: what constitutes valuable information? I've long argued that details held in a general ledger somewhere are of almost no intrinsic value in and of themselves. The same goes for many forms of row and column data. Email is valuable, if only because so many of us have the habit of being indiscrete both in form and style.

Rather than letting corporate secrets out the bag, I suspect that email management and security is more to do with ensuring the world doesn't see how irreverent and profane the workforce can be. As if that was likely to be a shock to anyone in the first place.

If that sounds flippant and offensive to the security diehards among the readers then I would like to know the extent to which they believe security has truly been compromised by the use of people's choice of device whether sanctioned or otherwise? I mean facts, not opinions about the potential.

Before anyone castigates me on this one, consider what Tom Raftery said the other month when addressing a group of utility executives. On the question of allowing social media into the workplace, he said that 75% of companies are still against the idea, despite evidence to show that potential employees are shunning those organisations that ban use of social media.

Am I not correct in stating that the setting of guidelines at places like IBM has been enough for people to understand where the sometimes blurry boundaries lay? If that's the case then why would we actively govern a non-standard issue mobile device?

Some will make the apples and oranges argument saying my comparisons are not correct but I don't see it that way when weighed against the fundamental principles underpinning notions of governance.

Moving on, I see that Phil Wainewright is beating the 'cloud chaos' drum. Is this any more of a concern than mobile device management? Phil thinks so arguing last August that:

Very few enterprises that are adopting cloud applications and infrastructure are giving enough thought to governance. The result is a mish-mash of SaaS silos and cloud islands, with very little attention paid to data consistency and integration, and even less to policy management and oversight.

I don't see it. At least not yet. The apps that are getting the greatest traction are email - in the shape of Google Mail, CRM, often from and elements of HR from a variety of SuccessFactors, Taleo and increasingly Workday.

There is plenty of evidence to suggest that GMail passes muster, even if reports from the Police Dept in LA suggest a confusing picture. Appirio among others makes a handsome living from integrating GMail into landscapes. I don't hear anyone complaining. But then CRM and HR are not exactly business critical applications. They are potentially part of a suite, which is where I think Phil is attempting to go, but that's a long haul play which has years to run. Even those early Workday adopters which have not only taken HR but are moving to financials don't flag up governance as a major consideration. These are IT people and you'd expect there to be an issue here. But it doesn't register as a perceptible problem.

Even if you accept part of Phil's argument I come back to the same question: does it really matter? Phil goes further by declaring the problem is 'well and truly here.' Is it? Where? Simply because some random vendor drips the latest scare mongering words in a receptive ear doesn't make it a fact.

As Phil knows, IT history doesn't always repeat though it has a habit of echoing loudly. I'd be far more impressed if I saw a message that says we're going to have to live with (alleged) chaos while the winners emerge rather than trying to layer cake for something that has yet to be self evident among the research.

We are far from reaching that point. At least in the apps space. But then the good ship Non-Governance may have already sailed out of reach. Just as I am finishing this post I see Marc Benioff, CEO is tweeting availabillty of the free Viewer for Salesforce on iPad is now generally available in the iTunes store.

Topics: BlackBerry, Mobility, Security

Dennis Howlett

About Dennis Howlett

Dennis Howlett is a 40 year veteran in enterprise IT, working with companies large and small across many industries. He endeavors to inform buyers in a no-nonsense manner and spares no vendor that comes under his microscope.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Does governance really matter?


    I must say that, personally, I am convinced that IT governance really matters (aligning to corporate strategy, measuring efficiency, supporting decission making...) and organizations cannot afford having unmanaged silos out of control. We have had in the past the experience of needing to recapture control over the departamental IT, with more than a headache and a nightmare, to know that the sooner you manage you cloud services (provided or/and received) under control, the better. And if we talk about public cloud services, even more. Can you even think of having a customer data security incident out of control in public cloud? Brrrr! It really makes my hair stand on end.

    Regards, Eduardo
  • RE: Does governance really matter?

    Actually, governance does matter as a process of balancing risk and cost. So one can both agree and disagree with the article depending on the level of risk of to the company, which really depends on the industry, type of data and processes involved.

    In many ways this conversation comes about whenever there is a new technology platform hitting the market. We saw this with PCs in the 80, local area networks, laptops in the 90s, etc. There is no one set answer as the risks of data loss (not GL information, but private financial and personal data passed between groups on smart devices) vary depending on industries. Most companies have likely not actually considered the impact of lost personal smart devices. Consider the impact when an federal employee had their laptop stolen containing thousands of vetern's records. It would be interesting to understand is folks have actual considered what is on devices.

    As to the comment about facts vs posibilities; well ins't Governance all about managing posibilities to hopefully avoid the 'fact' at a reasonable cost.
  • RE: Does governance really matter?

    Winners and losers come from those who put out the right products at the right price and the consumer doesn't care how. havancourt is right that it depends on your industry and risk tolerance. Defense industry? Risk is to high and the electronic attacks are daily. Industry with over 100 active litigations each day? You will have more control due to producing evidence. Easy to forget that what you create/receive from conducting business is the property of the business and every agency in every country will hold the company responsible.
  • RE: Does governance really matter?
  • RE: Does governance really matter?

    Of course governance matters, as does data security, and I don't think that these are the points Dennis is making. My take is that as with the Stanford Prisoner Experiment (, all too often the pople in charge of governance over-play the risks to increase their authority and control to the point of hampering business. There is an opportinity cost associated with governance that is all too often ignored in the risk/reward analysis.

    Dennis Gaughan and Jim Shepherd at Gartner has written about Pace Layering which promotes the idea that there are 3 classes of applications in an organzations:

    1 - Systems of Record
    2 - Systems of Differentiation
    3 - Systems of Innovation

    The issue is that the same governance model is applied to all 3 layers. Undoubtedly there needs to be a great deal of governance placed on Systems of Record, perhaps more than Dennis sugegsts, but what I see all too often is that the Systems of Differentiation and Systems of Innovation are stifled by the governance model applied to Systems of Record, and this is a real opportunity cost to the organization with tangile and measurable long term effects.
    Trevor Miles