BYOD…….It’s Complicated

On June 29, 2007 the first iPhones were released to the general public. An enormous leap in consumer technology for sure, it also brought on an onslaught of disruptive technologies in business that continues to grow every day. The consumerization of mobile technology has been an epic game changer for business globally. In all my years working in IT (dating back to wiring plug boards on mainframe peripherals), I cannot remember any technology introduction that caused as much change and chaos in as short amount of time. The wave of change continues, not just in the technology, but corporate cultures, management opinions and a host of other factors making the mobile technology landscape difficult to define, much less traverse.

CIOs and other business executives struggle with how to control the influx of mobile devices, sanctioned or not. BYOD (Bring Your Own Device) in a very short time has gone from a mere topic of discussion to becoming a major, compelling force that must be addressed as clearly as any key IT or corporate strategy. Even if your company is one of the few remaining holdouts refusing to allow access from non-IT managed devices (less than 19% of recently surveyed companies), chances are very good that pressure from employees, markets and customers will eventually move you to implement some level of BYOD.

Security appears to be the most talked about issue surrounding mobile technology use and BYOD. Dealing with the risk of data leakage, lost or compromised data, and lost or stolen devices are causes of great concern for IT and business leaders alike. Applications and technology are providing new and improved security options at a rapid pace and many companies are beginning to feel they are getting a grip on security. Regardless of how tight security is however, you can’t always stop bad or stupid people from doing bad or stupid things.

iPass, who touts the world’s largest commercial Wi-Fi network and MobileIron, a leader in security and management for mobile technology and applications, recently published “The Enterprise Mobility Guide for IT Management and CIOs” which includes the results of a survey conducted in December 2012 and January 2013 with over 450 senior IT management respondents focused specifically on BYOD. What is interesting is that the survey shows security issues falling behind onboarding devices and support as the top issues around BYOD. The survey reveals just how complex the BYOD issue is and its far reaching impacts into the enterprise.

Rising costs and the inability to control them effectively is a growing concern in most organizations. Recently, Garter predicted the cost per employee for supporting BYOD will triple over the next 3 years reaching $300 per employee by 2016. However, according to the iPass and MobileIron survey results companies are moving the mobility budgets away from IT and into individual business units. Having a clear picture of those true costs and controlling them corporately is becoming yet another challenge companies are facing.  Another recent article suggests BYOD could even prompt employee lawsuits over privacy and overtime pay.

There are two things however CIOs and companies should be doing that surprisingly most are not: development or revision of an Enterprise Mobility Strategy and the development of clear BYOD policies. In a recent LinkedIn survey of the Information Security Group, less than 30% of the over 1,600 respondents had detailed BYOD policies in place. Many companies are relying on existing security policy to be sufficient.  Companies have most likely developed mobile strategies during the earlier days of cell phone technology followed by PDAs and the Blackberry invasion that all helped set productivity expectations of mobile technology. These strategies however are woefully outdated if they have not been revised to accommodate the influx of personal devices (authorized or not) into the workplace and need to be revised or rewritten.

When it comes to developing BYOD and acceptable use policies, most companies are struggling. Trying to create and enforce policy on technology use to protect corporate assets and reputations can be daunting when the device and application technology changes faster than policies can be written. Moore’s Law has seen at least a 50% reduction in its prediction of technology capability and release cycles when it comes to mobility.

In order to adopt policy around mobility in general and BYOD specifically enterprises should take a practical “Risk” viewpoint. By that I mean look at this the same way you would in developing business continuity (BCP) or disaster recovery (DR) plans. Start by performing a Risk Assessment that includes a Business Impact Analysis of sorts and answer why the policy is needed, what the desired business outcomes are, and takes into account all the corporate stakeholders’ input and concerns. Understanding the scope of risk and mitigation options is a critical first step in defining BYOD policy.

I mentioned looking at this as you would approach BCP or DR. However there is one difference to keep in mind. In the development of those plans you are usually trying to convince executive leadership to invest millions of dollars into something they hope will never be used.  With mobility and BYOD plans and policies however you want to motivate and enforce behavior needs that are 24 X 7 and extend far beyond the corporate walls. With BYOD in particular, those policies cross over into employees’ private lives when devices are being used for both personal and corporate business.

My next post will focus specifically on mobility and BYOD policy. As has been briefly discussed in this post, it is a very complicated subject, but one that is critical if companies are to manage and thrive with mobile technology.

Below are links to sources that are both informative and useful. Some of them were used and quoted in this post.  As always, please feel free to contact me with any questions or comments.

Links:
The iPass/Mobiltron Mobile Enterprise Report
Per-employee cost of BYOD will triple by 2016, predicts Gartner
LinkedIn’s Information Security Group BYOD and Mobile Security Survey Results
BYOD could prompt employee lawsuits