Bring Your Own Device: Risks and rewards

With BYOD, there is risk and reward, an ongoing conversation and a lot of running around with your hair on fire to get it to function at scale in the enterprise but it might just be worth it in the end.

The invasion has begun. In fact, it may already be over and you didn't even know. Personal mobile devices are already functioning within your organization, accessing email and calendar, using your wi-fi and harboring corporate data. The question isn't about allowing or denying access anymore; the question for today is about management.

One of the more popular concepts grabbing the enterprise around mobile management is Bring Your Own Device or BYOD. The BYOD "revolution" as it's called is only revolutionary for IT departments that have to grapple with an unknown quantity of devices literally penetrating the organization every morning. IT complexity is further driven by the variance in the security and conformity of those devices with established norms, if such norms even exist.

Users often have multiple devices and those devices rarely match any preconceived ideas about what a "standard" device might look like within the organization. Just one scenario from the infinite variety of possibilities looks like this: Devices can enter the enterprise jailbroken/rooted in an attempt to make the device more functional on a personal level. These devices can run myriad apps that IT can't even begin to keep up with. Rooted/jailbroken devices will attach to your network just as readily as "clean" devices. Enterprises everywhere are scrambling to keep up with changes this rapid.

Many organizations are choosing an open BYOD policy with varying results. Bring Your Own Device essentially means that organizations are allowing employees to utilize whatever personal mobile device they wish to accomplish work tasks. The attractiveness of BYOD is difficult to argue from a leadership perspective. It makes IT look like the hero-squad, it might cut costs and streamline spending on corporate mobile. And BYOD alluringly pretends to reduce support requests, which it doesn't. That is the proposed reward but what is the risk?

Perceived risks on the employee side of BYOD look something like this: shifting business costs to employees for mobile data, removal of existing stipends, the expectation of higher availability of employees after-hours, possibly a big-brother scenario with wily managers monitoring Angry Birds high scores, and reduced support for devices when things aren't working properly. In reality the term "employee risk" is actually a misnomer and might be more rightly called "employee disquiet."

As with any corporate conspiracy there is always the faint scent of truth. There are cost savings to be had--studies do show that staff are more productive when allowed to use mobile devices to keep in touch with the office and support for a wider variety of personal devices may mean fewer tools to assist from an over-driven help desk, at least initially. As far as big brother goes, I'd be more worried about your carrier than your boss.

On the corporate side, risks associated with mobile are myriad. At the forefront is this sad fact: BYOD doesn't mean that the organization will be able to make any device work; there are limitations. There are limitations around OS functionality, security requirements and even compatibility of some core features like mail if corporate platforms don't utilize ActiveSync. The first and most unpalatable risk is how to say no in an open environment when it appears that "everyone else" has a phone that works fine. How do you tell your manager that you are very sorry but her particular phone just won't cut it in the office and there's nothing you can do?

Clear policies around mobility are the ultimate answer but policies can't cover every present and future variegation of platform, OS and compatibility in the market space. Policies tend to say, "Our organization supports the following mobile device platforms" when it should read something like a rolling history of the mobile phone. Such a granular policy is far too impractical to implement.

Take for example the fact that in the market right this very instant there are no fewer than seven versions of Android OS floating around in the pockets and purses of managers and employees alike. A policy statement that naively says that the enterprise "supports Android X and above" is already headed for trouble. As proof I enter into evidence the Kindle Fire with its proprietary version of Android and its new Silk browser, which is untested in the enterprise.

Corporate risk looks like a rather large additional load on wi-fi networks, tighter lines of defense around corporate commodities like e-mail and file servers and help desks suddenly being asked to play Genius Bar for problems that aren't directly related to office productivity. Then there is the greatest risk of all, the obvious trust that the organization is placing with the employee not to transition potentially sensitive corporate data out of the organization via mobile. This is just the beginning of the discussion points between the two parties.

I bring up the discussion of risk from these two perspectives because there is a conversation to be had here between the organization and its employee. The BYOD craze is ultimately about building a strong partnership between employer and employee to mutually agree to a way of doing business that may ultimately benefit both parties with better agility in the marketplace.

The employee assumes some risk and possibly some cost if, say, using a personal data plan for work causes her to bump to the next tier on the carrier's plan. The organization may attempt to mitigate some of this by offering a stipend program, but even this is a trade-off for both sides. Stipends cost everyone in time and effort for submitting expenses and additional load for the business office in processing and validating each employee's mobile line items. All of this precedes the actual payout, of course.

The conversation needs to happen. This isn't a time for command-and-control from IT or fairy-tale deliverables from leadership. BYOD is ultimately an ongoing dialog between two partners in business and it needs to be viewed as such. The old way of looking at mobility has passed into digital history. The new conversation is about empowering as many people as possible to contribute to the business by being more responsive, more agile and more connected to one another and the work. This idyllic view can only be leveraged in the organization when the conversations happen.

Next steps then are to pull together groups, figure out needs and take a good hard look to see if BYOD is something that your organization wants to embrace. It's not for everyone and it is likely to bring more complexity than you bargained for at first. Many organizations that engaged BYOD early are backing away to a position of corporate-liable devices. Others are embracing the savings and flexibility available to them with BYOD and trying to mitigate the additional risks, on both sides of the table. Ultimately there is risk and reward, an ongoing conversation and a lot of running around with your hair on fire to get BYOD to function at scale in the enterprise, but it might just be worth it in the end.

8 comments
tmac9182

We have had these conversations before (just substitute "personal laptop" for "personal mobile device", and the dialog is deja vu). Remember these beauties: "Why can't I use my Windows XP Home laptop on the corporate network? It has XP just like my desktop you gave me!" "What do you mean I can't use a personal Inkjet printer? It's not like you guys are paying for it! It is way more convenient to me than having to walk two cubicles down to the networked printer." I support a client that is using Multiple Android version smartphones, but the company is paying for them, and the controls are in place. If they were to use BYOD, the security policy would require a PIN code to unlock, not just a swipe gesture, the device can be remotely wiped if need be and/or have certain features shut down. I do agree with the author that wholesale denial by IT is not the answer, but I also agree that Leadership CANNOT be in charge of such a program, as most have no concept of what mobile security entails.

erainbolt

Joshua, agree with what you wrote - especially "Others are embracing the savings and flexibility available to them with BYOD and trying to mitigate the additional risks." This is the heart of Intel's new security strategy. We know BYOD has risks, but risks are higher if we force employees to "work around" the controls/policies, AND that BYOD makes employees more productive, and increases business agility. This paper talks about our approach: http://www.intel.com/Assets/PDF/whitepaper/Rethinking_Information_Security_Improve_Business_Agility.pdf Elaine, ITIntelsme

MikeGall

But that doesn't imply IT has to make it work on the corporate WiFi or connect to email etc. Most companies have a webmail access for external email use. Since most phones have a browser, if you really desperately want to use your gadget to view your mail, use the existing mechanism. I agree a conversation/decision needs to be made. How much work are we willing to put in to support multiple mobile OS access to our systems? How much control do we want, i.e. are we going to require they be locked down? If so, is there any way for us to prevent/detect when the user takes the device home and jailbreaks it after they got us to connect it to our systems? To me there isn't much benefit to anyone for BYOD. Employees: likely not fully reimbursed, likely expected to be always available, whereas when the company had to pay for the phone only key people or on-call people were expected to answer work questions after hours. Employers: complete crap, multiple devices to support which guarantees calls like "Bob has the same phone I do, he bought it only two months ago, his works mine doesn't", or if wifi isn't locked down on the network they use they end up using their devices as a way to stream content while at work, send sexual emails, etc. generally be idiots because "it's my device I can do what I want to". Regardless, there was a reason why when a company was buying the phones they are all the same model: it is much easier to make work in your environment, letting people bring any piece of junk to work and then expect IT to support it is crazy.

OldHenry

While people have not exactly been bringing their own devices for years they have been taking (or emailing) work home for years. This may actually make the whole process safer and better managed. Of course as @Shon points out, it will save his employer money at his expense.

shonlh

My company recently switched to a BYOM (Bring Your Own Mobile Device). I have mixed feelings about it. They are only reimbursing about 2/3 of my actual cost. But I have a better phone having switched to an Android from iPhone. I still receive my corporate mail on my phone but have set it to check every hour from the push as new mail comes before. I find I use my phone less since I no longer have unlimited minutes and data like I did with my previous phone. Verdict: Saves the company money at my expense. Shon

CharlieSpencer

"We know BYOD has risks, but risk are higher if we force employees to "work around" the controls/policies,..." How are employees 'forced' to 'work around' policies? Assuming the employee has been provided adequate equipment, how is he 'forced' to use something else? The only 'forcing' is you follow company policy or you'll be forced to look for another job.

MikeGall

If your employees can work around your controls then so can visitors, competitors etc. Presumably you have locked down exchange, network access etc to your devices. If your employees are circumventing that they are likely breaking the law not just corporate rules. If they are using personal email services to do corporate business they are likely breaking corporate rules and acting in a less than ethical manner. Either way just because they want to or might already be doing something doesn't mean that a company has to enable and condone the behaviour. I'd love to know where the "more productive" comes from. Is using your iPhone instead of the corporate blackberry really that more convenient? Are normal business uses: calling and email really that much easier if you get to use your own device? If you mean that more people have devices that they can be expected to be reachable at even if the company doesn't deem them important enough to warrant a phone that they pay for then I wouldn't say that is a good thing. If you aren't willing to pay $40 a month to be able to reach me and I'm not willing to work on my own time for free so I won't answer the phone if it's work calling unless I'm compensated.

MikeGall

Especially in sensitive industries. I work in healthcare. We have a strange mix between privacy requirements and soon freedom of information requests so data needs to be centralized and very controlled so things that are private remain private and things that the public has the right to know can be made available to them. Regardless, tight control != "use what you want, we'll figure out how to make it work". It is hard enough to keep up with security on known devices; try keeping track of a particular version of Android that you only see when someone brings it to your office for the 5 minute configuration to use VPN/email etc. Not going to work.