BYOD strategy: Why it's not about devices

Businesses that think they'll save money just by saying, "BYOD? We're cool with that", are setting themselves up for a fall.

Organisations seem to be tripping over themselves trying to sort out strategies for bring your own device (BYOD), now that they realise employees expect to use their favourite consumer gadgets for work.

The impetus for many appears to be more about not wanting to be left behind, or appearing old-fashioned or unappealing to the generation Ys and digital natives heading into the workforce.

This is the latest business trend. The Californians are doing it, the media has been talking about and it features in nearly every IT supplier's marketing messages - whether relevant or not. So everyone wants to be seen to be doing something.

Of course under-pressure CIOs and IT managers want to be seen as supportive too, especially when the demands come from iPad-toting execs, and having a BYOD strategy goes down well.

The questions IT needs to answer come thick and fast. Which devices? Do we include tablets? Fully employee owned or on some sort of company car-like lease with employee contributions?

All good questions, but they largely miss the point. BYOD isn't really about devices, but something much more important - their use.

Sure, employees will argue that one type of hardware makes them more productive than another, and perhaps to a certain extent it might. Meeting personal preferences generally leads to faster adoption or acceptance of any tool, especially when it involves the user interface. Some individuals get on better with real keyboards, while others need large screens.

The real payback for BYOD

However the real payback to the employer comes from how the device interfaces not just to the individual carrying it, but to everything and everyone else in the organisation.

This issue is about connection and communication, not the hardware itself. The benefits that arise from getting this point right all arise from the standard considerations - reduction of cost and risk plus value creation.

Organisations that believe they have saved money just by saying, "BYOD? We're cool with that", are really setting themselves up for a fall. The risks and potential savings are in the BYOCs - contract, content, cloud and collaboration - and the impact these have on cost, interoperability, security and productivity.

First, contracts. This is a difficult one, which most keenly affects devices connected to the cellular networks, especially if they are going to be used to make phone calls.

The reasons are simple: unlicensed networks tend to have all-you-can-eat models and all traffic is seen as just data. But cellular networks discriminate by the minute and megabyte and the discrimination is worse when roaming or going off net to communicate with a different carrier.

Enterprises get big benefits from going to a single carrier - in plan calls, large discounts and support. All these advantages disappear if employees' mobile contracts fragment into individual tariffs.

Issues relating to content are better understood but still rightly feared. Rogue applications, insecure data, and devices vulnerable to loss or theft send shivers down the spine of CIOs.

If employees use their own devices, what safeguards does the organisation have for the sensitive data that might end up on that personal hardware and what can it do to ensure that personal device choices will support all the business apps that staff need to do their job?

Using the same end-point protection software on employee-owned devices that is used on corporate hardware is fraught with issues. For example, what happens when a remote lock and wipe destroys, say, personal photos?

Better approaches are to project a virtual business presence that disappears after use or to deploy the business into its own insulated sandbox. The advantage of both is that they also work well for contract employees and third-party partner companies, both of which are integral to the way many organisations work.

Beyond the device and into the cloud

The increasing use of cloud-based storage for file-sharing and convenience extends the content issue beyond the device and into the public internet or cloud, even further from the control of the IT department.

This practice is impossible to stop, and it is no longer realistic to assume employees can be educated to behave more responsibly. The safest approach is to try to stem the use of wide-open consumer tools with business alternatives that are still flexible and easy for the employee, but provide enterprise controls.

Employees now have more collaboration options than ever before, but unlike the formal, enterprise-deployed unified communications tools, these options are informal and social.

Just as many security and compliance issues were caused by the early adoption of instant messaging. Now a similar risk comes from employee use of public social media for sharing business information.

Individuals have grown accustomed to using it online, but are now increasingly taking advantage of access on their mobile devices. Sharing information has never been easier, increasing the risks to the organisation.

Organisations are right to plan for and adapt to the change in working practices that consumer technologies and BYOD bring, but strategies that do little to encompass the wider BYOC issues will fail to deliver on the expected benefits.

Worse still, they will introduce unanticipated costs and risks, which with a bit more planning and effort could have been avoided.


Rob Bamforth is a principal analyst at user-facing analyst house Quocirca. As part of the Quocirca team, which focuses on technology and its business implications, Bamforth specialises in communication, collaboration and convergence.

Ian Frazer
Ian Frazer

Can you suggest some BYOD policy examples? Perhaps along the lines of the ISO 27001 framework?


Rob, great points here. BYOC is a big headache for IT when it comes to BYOD, putting pressure on IT in businesses large and small. The need to meet employee demand for productivity and access while ensuring security and compliance is a familiar dilemma. The reactions of CIOs fall into two schools of thought: (1) allow the use of these services and trust employees to exercise caution, or take a hard-stance and block all access to unsanctioned applications. Neither are the right answers. What IT really wants to do is to push their employees to a sanctioned alternative that allows them to be productive while maintaining the security and control driven by their business and compliance demands. 2011 was the year of mobile device management (MDM), and 2012 we???ll see vendors focus on solutions for extending a new level of protection to the actual applications and data on all devices, whether personal or corporate-issued. ??? Anthony Kennada, Symantec


Intriguing statement. This would solve many problems, but can it be done in a secure fashion? A virtual machine that takes over your iP* or Android phone or tablet during working hours but then reverts to your personal device when you clock out? That would be a lot slicker than carrying two of each device, but where is this application available from?


You have some good points but I think you are overlooking the most important issue in that critical and important company information is not really in their control on their equipment. To me security of information is more important and must be maintained on equipment with proper safeguards and not too easily obtained by third parties (their competition).

Ian Frazer
Ian Frazer

Works like a charm on most smart(-er) BYOD devices, netbooks, notebooks, loptops.

Editor's Picks