Over the past few years, I’ve worked with a few organisations that rely heavily on an “associates” model. This type of organisation seems to be becoming more prevalent.
What appears to happen is that an organisation will form around a certain “domain” capability where the individuals doing the work tend to be high performers, in particular high performers who a) want to be self-employed, and b) demand decent pay packets. So rather than being an organisation with employees and a lot of infrastructure, you end up with a small infrastructure piece in the middle and a collection of self-employed associates doing the delivery.
A very common model for this is management consultancy where the members doing the delivery have enough experience and skills to demand a working model that works for them. Also with those organisations, you tend to see sophisticated sales and marketing functions retained as core within the organisation because – for example – management consultants tend to suck at sales and marketing.
To summarise then, you have a small membership organisation, with very light-touch infrastructure, strong sales and marketing, and a bunch of (usually) non-technical individuals doing service delivery.
What these organisations then tend to do is run into problems with IT governance. Computers are required to support delivery, and these associates need to look like members of a larger organisation and so have email addresses that represent them as full-fledged members of the organisation (as well as making the organisation look bigger than it really is). They also need access to a file server and other resources.
In a normal organisation, the IT team will (quite aggressively) manage those resources, e.g. locking down the laptops, putting mobile device management on the phones, etc. However, in an associates organisation, management of the IT stops at the cloud, and the associates use their own devices. A very common problem is that associates will use laptops that do not have encryption enabled. (In my experience, virtually all non-technical people have a significant blind spot around encryption. In my IT support business, encryption is a conversation I have more than any other.) This creates a horrendous risk exposure where any one of the associates can cause real problems for the whole organisation.
Other problems include poor malware protection (for example, flat out using fake antivirus products that are malware presenting as security products), poor password hygiene, or taking a laissez-faire attitude towards updates.
Where this problem gets compounded is that the management of these sorts of organisations also tends not to see IT as an important discipline. These organisations are often founded by non-technical people who happen to be good at sales and marketing and who collect capable peers under the umbrella in order to achieve some sort of scale. As a result, there tends to be no top-down push at all around IT governance.
What should ideally happen is that the infrastructure the organisation provides should extend to IT infrastructure as well. The easiest way to do this is to buy laptops and phones and give them to associates, and have your outsourced IT support provider (MSP). A laptop that is more than adequate for management consultant-type activities should cost no more than £600+VAT – a sum that’s very easy to cover if you’re trying to bill over £1k per diem. However, for whatever reason, this almost never happens because of the lack of appetite and/or awareness about the need for IT governance even in this sort of organisation. Specifically, this sort of organisation wants to keep the complexity around the IT provision with the associates.