Smartphones at work

As more workers want to bring in their own devices to use at work, CIOs need to put a strong BYO policy in place. Photo: Shutterstock

The days when the IT department decided which devices workers could use in the office are coming to an end.

The future of the IT department is one that supports the tablets, smartphones and laptops bought and chosen by the end user, as the consumerisation of IT becomes a real issue for businesses.

Already CIOs are getting ready for this future: 94 per cent of CIOs plan to have a bring-your-own (BYO) computer policy in place by 2013, according to a Citrix survey. And with the potential for BYO tech to generate hidden costs and security risks, getting the BYO policy right is essential.

To help organisations manage devices brought from home, silicon.com has put together a list of the 10 things CIOs need to take into account when developing a BYO policy.

1. Don’t think one size fits all

CIOs should not assume the same BYO policies will work in different organisations, or even within different departments of the same organisation. Instead, they should carefully tailor their BYO policy to their specific organisation, according to Nick Jones, research VP and distinguished analyst at Gartner.

Jones said existing BYO policies range from the hands-off approach, where the enterprise simply provides money for the kit and nothing else, to more intermediate models where the employee owns the device but the enterprise has management rights on it.

BYO policies should also be flexible to accommodate new products, according to Clive Longbottom, service director at Quocirca.

“Any policy and approach must be able to embrace new devices coming through, with new operating systems and architectures – abstraction is the key,” Longbottom said.

He also warned that CIOs should be flexible in supporting devices that may have to work in different environments.

“Be aware of context – a device being used in the middle of Moscow through public wi-fi will have more problems than one coming in through a wired connection within a company’s own property,” Longbottom said.

2. Identify motivations for BYO and balance goals

There is likely to be a range of motivations driving the implementation of a BYO policy, and Gartner’s Jones said CIOs should make sure they are aware of each of these areas.

“You should really try to balance social goals, business goals, financial goals and risk management,” he said.

If CIOs don’t do this and end up prioritising one motivation more than the rest, Jones argues the BYO policy could “get it amazingly right in one area and compromise another”.

For instance, if the main aim of a BYO policy is around staff retention, CIOs risk finding themselves supporting gadgets that aren’t appropriate for business needs.

3. Set a base level of capabilities

As a result, while CIOs should avoid dictating which device workers use, they should determine a minimum set of capabilities that a device must have to be used at work.

By avoiding naming specific brands or device types to be used, CIOs ensure the end user can – within reason – get the device they want as well as allowing the policy to accommodate new devices entering the market.

4. Determine potential costs and savings for the business

Debates surrounding BYO tech often contain assertions that BYO could either save money or incur additional costs. Either way, CIOs should draw up a table of expected savings and costs so that the financial repercussions of BYO can be figured out and any potential extra costs minimised.

“Many people are trying to save money by this – why buy a smartphone when your employee already has one? But you can get into issues like what do you do about data roaming in Europe,” said Gartner’s Jones.

CIOs should sit down with the finance department and work out what device-related expenses employees should be able to claim back and what the employee will be expected to pay for themselves.

5. Examine the impact on business processes

After the financial liabilities have been decided, CIOs should then review the impact this is likely to have on business processes, as the way people use their device in the business could change if end users are suddenly expected to pay for something they previously got for free.

“Conceptually, the IT organisation thinks it can roll out applications whenever it likes and give whatever it likes to people, but in a BYO world you can’t because if I’m on a personal data contract and you deliver some sort of video app I may blow my monthly limit,” said Jones.

CIOs therefore need to consult other areas of the business to see how BYO could affect workers, and attempt to identify any potential issues early on.

6. Segregate company data

A substantial concern many businesses have with BYO is that company data and company systems could be put at greater risk than if workers had a business-only device.

Moreover, while enterprise devices prioritise security, consumer devices – and the way they are used – are seen as less secure and riskier.

CIOs should therefore focus on securing the data, not the device, according to Quocirca’s Longbottom.

“By creating a sandboxed environment for the applications and actual desktop with no bidirectional cut-and-paste, the device itself can be as riddled with viruses as possible, yet the corporate environment can be kept safe,” Longbottom said.

Smartphones in the business

CIOs need to put in place a support strategy so that the IT department is not expected to fix any problem on any device. Photo: gail

7. Develop a strategy for support

Putting in place a strategy for supporting BYO tech is key if IT departments are to avoid being expected to fix problems with many different devices and platforms.

“If you are the CIO, what you can’t do is incur an unlimited support liability by agreeing to solve any problem on any device that anyone brings through the door,” said Gartner’s Jones.

However, Jones added that the IT department should avoid being seen as the department that just says no. Instead, CIOs should approach IT support in new ways, such as time-limited support.

“So the CIO says, ‘OK we’ll try and fix any problem on any device for an hour. After that it’s your problem or we’ll charge your department for it if you really want us to keep looking’,” he said.

“Harnessing social networks for peer support and community support is also pretty important,” Jones added.

Quocirca’s Longbottom also said CIOs should encourage users to share experiences so examples of best practice can be pooled and recurring issues can be identified.

“Look at what are common issues and see if IT can help in getting rid of those issues,” he said.

8. Plan for departures

CIOs must make sure that any BYO policy deals with the issue of what happens to the device and the data if employees leave the company.

Since the device will go with a person when they leave, Longbottom said companies need to make sure nothing belonging to the organisation is stored on the device.

Longbottom also said that if means of accessing the corporate servers are contained on the device, all access to corporate systems must be severed as part of the leaving process.

9. Talk to company lawyers

BYO tech can generate a number of legal issues that are not yet clearly defined, so CIOs should sit down with the organisation’s lawyers to make sure the legal implications of the BYO policy are resolved.

Gartner’s Jones said a common BYO scheme being trialled by companies at the moment is where the employee owns the device, but the company has management rights on the device, and this can create complications when the company wants to wipe data on the phone.

“Some companies will wipe the device unilaterally. They watch the device behaviour on the network and if they think it’s doing something funny – like it normally appears every day and it hasn’t for three days – they’ll just wipe it when they next see it as a precaution in case it has been stolen,” Jones said.

“On the other hand, some people have been told by their lawyers that you shouldn’t do this even if the employee signs a bit of paper that says you can wipe it because you don’t know how much value you’re wiping. You don’t know how much he has spent on iTunes or if he’s got irreplaceable pictures of his kids on there or something like that.

“Those sorts of issues need to be worked through because if you get them wrong you could end up in court,” he added.

Insurance companies may also need to be contacted as Jones said some insurers may feel the organisation is more open to risk if workers are using their own devices.

10. Set out responsibilities

Finally, all stakeholders should be aware of their responsibilities towards the device and the data kept on it.

“It is important for everyone to understand their responsibilities in the sense that all device management is a bargain between the employee and the enterprise – everybody gets something and everybody concedes something,” said Jones.

“It’s a good idea to have some sort of written contract with the employees so the employees understand what their rights are,” he said.

“[Employees should know] if they’re responsible for backing up the device, if they’re responsible for obtaining the device in such a way that if it breaks or if it’s stolen they can get another one within a couple of days so the business process isn’t compromised.”