Consumerization of IT (CoIT) is rapidly giving way to Consumer-driven IT (CDIT), as tech-savvy consumers drive businesses to deliver increasingly innovative and satisfying technology experiences. As a result, consumer-driven development is focused heavily on delivering convenience, ease of use, mobility, low cost, rapid updates, and cool interfaces.
This disruptive approach is enabling exciting innovations, from mobile apps for securely sharing personal photos with friends, to cloud services that let developers rapidly build and deploy environments.
However, it also causes these same businesses to neglect some essential back-end requirements – like governance, security, and compliance.
Just this week we have seen two consumer-driven businesses apparently ignore important, if basic, governance prescriptions. According to news reports:
- The social photo-sharing app Snapchat exposed 4.6 million user names and phone numbers through a weakness in its mobile API that Gibson Security had reported months earlier. Snapchat shrugged off the advice even after detailed public disclosure, until attackers used the weakness to publish a data dump of barely obfuscated personally identifiable information (PII).
- A leading IaaS cloud provider, DigitalOcean, exposed customer data left behind on shared storage when its API stopped scrubbing the disks of destroyed virtual machines by default, a change made for performance, and the company did not tell its users. It promptly issued a mea culpa and reverted the change to reinstate scrubbing by default, but the damage was already done.
These ‘exploits’ were anything but complex; they were elementary failures of governance. Even basic governance establishes known good practices: providing mechanisms so that PII is not shared without consent; promptly acknowledging and fixing known (especially publicly disclosed) vulnerabilities; running standardized penetration tests on new code; establishing privacy controls at every layer, including hardware and physical access; and building data privacy into both the architecture and the code.
Unfortunately, this is not entirely unexpected. New technology businesses are by definition inexperienced and often lack institutional knowledge of such fundamentals. Being mostly unregulated, they may never have encountered the many best practices, standards, and laws that larger or older businesses are subject to every day. Prioritizing innovation and agility, they may simply not consider themselves bound by ‘old-school’ requirements, and perhaps understandably so.
But focusing solely on consumer requirements can create a governance black hole if it comes at the expense of standards, regulations, privacy, and other compliance constraints.
The question is, does it matter?
After quietly harvesting entire contact lists for years, Path is no longer the darling of the iPhone set, but for every business that suffers, there seem to be dozens that cruise along. Twitter and Gmail have not suffered much after 2 million of their users' passwords turned up in a public dump. Even though Facebook exposed user passwords for over a year, it is still doing okay.
According to some (rather breathless) sources, 100% of the top 100 Android apps have been hacked (56% of iOS apps, FWIW). But we already knew that: they told us essentially the same thing last year. Yet the mobile app economy continues to boom.
For now all that is certain is that consumers have rapidly changing, and frequently conflicting, demands of information providers, especially technology start-ups. They demand consumer-driven development, yet rage against neglected governance. They demand free, fast, easy and anonymous services, yet will trade deeply personal information to get them. They vocally demand services that are safe, private, and secure, yet these may not really matter beyond a short-lived outcry.
This implies important tradeoffs not just for start-ups, but also for enterprises, governments, and consumers. Swing too far one way and you risk missing the opportunities of consumer-driven technology; too far the other and you risk vehement reactions. It is a tough balancing act for us all.