BYOD, or bring your own device, is a reflection of another term-of-the-day, “the consumerization of IT.” While they aren’t 100% the same, the two terms are frequently used interchangeably. For clarity, here’s how we define the two:
Consumerization of IT
The junction of consumer-targeted computing devices and corporate requirements. An IT organization may choose to move its user base to more consumer-oriented devices while still retaining control over those devices. Corporate-owned mobile devices are an example of where IT has been “consumerized,” even though the business still dictates and likely owns the devices. The consumerization of IT may or may not include a BYOD component, and does address the paradigm of a user community that has more computing power at home than at work.
BYOD
Users can literally choose their own device, be it a smartphone, tablet, pad, laptop, or hybrid, attach it to the corporate network, and access corporate information and applications while retaining personal ownership of the device. In most cases, we’ve found the term primarily used to reference the proliferation of smartphones and tablet devices, versus devices that traditionally stay on a desk. BYOD is a by-product of the consumerization of IT.
While we’d be unlikely to see a corporate policy around the consumerization of IT, organizations should have a policy around BYOD – even if that policy is not to allow it.
BYOD can be of great benefit to the organization – increasing employee engagement, enabling an empowered workforce, and creating new opportunities for interaction – but it can also increase IT complexity.
Which brings us to the first of four essential steps to building the right policy for your organization: answering the question, “Is the business ‘for it’ or ‘against it’?”
Step One: Make an Active Decision To Allow or Deny BYOD
This may seem obvious, yet we see many organizations whose BYOD strategy is to pretend it doesn’t exist, isn’t happening, and/or isn’t worth worrying about.
This is not a trend that will go away in a few months or years. In fact, according to Gartner, “every business needs a clearly articulated position on BYOD, even if a business chooses not to allow it.”
The short version is this: Reacting isn’t enough. Businesses need to either facilitate the conversation around BYOD or put a stop to it. Living in the middle poses too much risk to the business.
Here’s why we say “make an active decision.” If a business is allowing users to access their corporate email accounts through their smartphones, the business is already fostering BYOD. We find that, in most businesses, there are no policies in place to govern the use of that personally-owned smartphone. In fact, according to surveys of 1,100 senior executives and managers conducted by YouGov, Research Now, and Citrix, fully 67% don’t have any policies, procedures, or IT systems in place to manage the use of personal devices for business purposes, and 54% don’t even know all of the devices that their staff members are using for business purposes.
What About This Scenario?
A businessman gets out of a taxi, accidentally leaving his smartphone behind on the back seat. The next passenger into the taxi picks it up, turns it on, and, finding no PIN or password, has access to corporate emails, contact lists, corporate applications, and corporate data. In the ten minutes or ten hours until the businessman reports his phone as missing and appropriate action is taken (such as remotely wiping the phone), everything on that phone is essentially in the public domain.
A salesperson in the business is using a tablet device on all of his sales calls. He takes notes on the call, and also uses the device to share presentations with his clients and prospects. Unfortunately, this device won’t deliver a PowerPoint presentation except as a PDF, and his note-taking software is not compatible with his corporate-provided CRM software. He forwards his notes via email to his inside rep, who then copies and pastes the information into the CRM record – when both of them remember to make this activity a priority.
Let me emphasize the point here: the business likely already has personal devices accessing corporate information, whether that is wanted or known. There is risk here, accompanied by the potential for great reward. The business needs to make an active BYOD decision, backed by appropriate policy.
Step Two: Determine the Depth of the BYOD Policy
If the organization chooses not to allow users to use personal devices for business purposes, the organization will need to implement certain safeguards within the IT infrastructure, clearly articulate the policy, and move on to enforcement.
If, however, like in many organizations, the concept of BYOD is embraced, then the task turns to creating a policy that is relevant, manageable, consumable, and reportable. What do we mean by that?
We routinely see organizations do one of three things:
- Not create a policy at all
- Create a policy that doesn’t get enforced because it is too complex to manage, too difficult to execute, or too hard to understand
- Create a policy that doesn’t address enough and exposes the organization to too much risk
In this case, the policy needs to land in the middle ground, guided by two things: usability requirements, and an assessment of risk and compliance requirements. Requiring a three-step authentication process, rights management, PINs, and passwords to access a PowerPoint presentation delivered last week is policy overkill, while those same processes and procedures might be exactly right if the business is going to expose the corporate KPI dashboard to all network-connected devices.
Step Three: Assess the Current and Future Landscape
As mentioned above, the creation of the BYOD policy should be guided by two things:
Usability Requirements
- What corporate assets, whether data or applications, need to be delivered?
- How do users need to interact with the corporate applications and information?
- Could the business be improved by extending applications to new devices?
- Can users interact with corporate applications from mobile devices, and, if so, will that increase productivity or give the business a competitive advantage?
- Should user profiles be device agnostic? In other words, should the user experience be the same on every device they use?
- What kind of support needs to be available to the user community, and what entity will provide it?
Risk Assessment / Compliance Requirements
- Are there compliance requirements for the treatment of information and data?
- Do personal applications installed on the device potentially compromise corporate integrity?
- What level of risk is associated with what type of information?
- What service level agreements should exist, and how will you report against them?
- Policy adherence – how will you know whether the policy is being followed? Do you need specific systems in place to manage and monitor it?
- Compliance requirements – will the policy need to be defended to auditors, and if so, how?
Is there a problem/opportunity today? As part of this step in the process, understanding if and how users are currently interacting with corporate information using personally-owned devices is critical.
Step Four: Write the Policy
As mentioned above, it is important that the BYOD policy is appropriately balanced between the user experience and the level of risk associated with personally-chosen/owned devices. High risk and a potentially bad user experience or productivity losses may lead an organization to explicitly not allow non-corporate-dictated devices to connect to the corporate network. Low risk and high productivity gains would likewise cause a business to embrace BYOD.
Key Focus Areas
- Security & Protection: Is the device required to have a password or PIN to unlock it? How will the device be authenticated to the corporate network? What network access control mechanisms need to be in place? What information can be stored on the device? How will the device be managed and monitored? Where is the device backed up, and does that backup scenario pose another level of risk to the business? What happens if the device is stolen, lost, or damaged? Where does data-at-rest reside?
- Device requirements: Whether the business is allowing any device or only specific devices, the policy should include clearly stated requirements and limitations, as well as any devices that are specifically not allowed. For example, is an in-home Internet TV going to meet any security requirements?
Additional Focus Areas
- Consumer cloud usage: Is the personal device backing itself up to a consumer cloud, or is the user able to save files to a consumer cloud? What level of risk does this pose to the business?
- Privacy: If the corporate information is on the device, does the business also have the right to see what else is on the device? Can the business act on inappropriate content, if discovered?
- Support: What level of support will be provided by the business? Are there service level agreements, or should there be? When does a user get support from the business versus the device manufacturer? Does a separate support policy need to be in place for each application, i.e. email or line-of-business application?
- Financial: Is the business providing a stipend to the user who is using a personally-owned device? Are there requirements in exchange for receiving the stipend, e.g. “the business expects to be able to contact you at any time”?
The consumerization of IT and the increasing capabilities of personally-owned devices are issues that must be addressed proactively. The good news for businesses is that these devices can provide increased productivity, connectivity, teamwork, and a new way to connect the business to its various stakeholder groups – the user community as well as clients, vendors, partners, and purveyors.
Since 1981, Oakwood has been helping companies of all sizes, across all industries, solve their business problems. We bring world-class consultants to architect, design and deploy technology solutions to move your company forward. Our proven approach guarantees better business outcomes. With flexible engagement options, your project is delivered on-time and on budget. 11,000 satisfied clients can’t be wrong.