The BYOD trend has introduced a variety of security issues to the enterprise -- but IT has a lot more to worry about than security.
Consumerization of end-user devices in companies is here to stay. This means freedom of device choice for business users and a boatload of security worries for CIOs. But let's not talk about security for a change. What else should you be thinking about if you are IT and must support this avalanche of devices? Here are 10 concerns to keep in mind.
1: Long-range vendor plans
The producers of consumer-grade devices develop their products based on the consumer market. This means that products may not necessarily line up well with enterprise technology planning and integration needs. It is best to support end-user devices from companies that also serve the enterprise market, because these companies understand the requirements and are more likely to develop products that work well in enterprises.
2: Lost devices
Thirty billion dollars' worth of mobile phones were lost in the U.S. alone last year. Many companies have rigorous security procedures for mobile devices but forget to enact a lockdown procedure when mobile devices with vital data are lost in the field. Your procedures for mobile devices should include lockdown.
3: Personal and professional use of mobile devices and other technology
A few years ago as a CIO, I found myself in a three-hour board meeting, with the board of directors debating whether the laptop computers they were given and that were purchased by the company should be used only for company-related work -- or whether they could upgrade these devices on their own, let their kids use them, and even secure their own local service providers (paid for by the company, of course).
The meeting caught me by surprise. As a CIO, it seemed natural to me that a board member would understand the importance of keeping company equipment secure and dedicated to company business. Instead, this meeting proved to be a wake-up call. I learned that trying to set policy on personal versus professional use of tech gear can be a real sand trap, especially if your users are board members and C-level executives.
4: Maintenance and procurement
It's important to have proven vendors for both purchasing and maintaining technology. Traditionally, IT certifies vendors based on performance. So when you are opening up your company to a plethora of consumer device options, you should also have a list of vendor purchase and service options that cover the devices and the areas of geographical service within your IT footprint -- and an easy procedure for end users to follow when they purchase or need to maintain a device.
5: Application deployment
As more enterprise IT departments develop applications for mobile devices, they must also test and certify the apps with each device they want to deploy the app on. It's wasteful for the business to repeat this test-and-certify process with an endless list of devices and vendors. IT needs to collaborate with the business so that a short list of acceptable device choices that will run corporate apps can be agreed upon.
6: Patches and updates
With all those diverse devices in the field, it is likely left to IT to ensure that current software is on each one -- and that all devices using specific software are using the same version of that software. Centralized network management software allows for automatic downloadable updates that sync all devices to the correct version of software when they dock onto the network -- and it should be standard equipment on the corporate network.
7: Data ownership
Data ownership belongs in the same discussion as personal versus professional use of an end device. Data responsibilities should be addressed early in the discussion of end devices and how they will be used within the company. If you haven't already done this, it should be addressed immediately. For the protection of intellectual property and also for purposes of security, governance, and data stewardship, corporate data residing on mobile devices should be safeguarded -- and there should be ways to retrieve it. It is not good policy to store corporate data with pictures of family reunions. This issue of keeping data segregated (along with the risks if you don't do this) needs to be addressed head-on with other business executives so you know if you have their unequivocal support.
8: Ruggedized devices
It never fails. You have an employee who works out in the warehouse yard and drops an iPhone on the pavement where it shatters. Or someone goes into a refrigerated storage area and tries to use a consumer-grade device to monitor temperatures and send data back into a centralized warehouse system. Or you get a law enforcement officer who thinks that a standard consumer-grade notebook is good enough for him to use in his squad car.
Unfortunately, there are industrial-strength environments out there where consumer-grade technology just won't stand up. A laptop in a squad car must be custom-built and ruggedized for squad car use. If employees are working in areas where it is likely they could drop a device on the concrete or if they require a device to monitor temperature in a cold environment like a freezer, they will need a special handheld device designed for these tasks. In these cases, IT has to put its foot down.
9: Corporate end-user device policy
To control the propagation of end-user devices coming into the enterprise, IT departments that have BYOD policies usually set limits on the devices they will accept and support. This is done by publishing a "choice list" of approved devices that end users must select from. Working with HR, IT also needs to establish the do's and don'ts for data allowable on these devices, personal security practices, who may use the devices, etc.
10: Support of C-level executives
Most important, IT should ensure that key executives in the business firmly and consistently back user BYOD policy. If these executives bring in their devices and blatantly disregard corporate policy, it's going to be hard to enforce the policy at the staff level.