Bring Your Own Device (BYOD) has to be one of the most written about subjects in the history of corporate IT. Every day new articles are published about the benefits and risks associated with staff using their own devices at work, the need for detailed policies covering the use of personal equipment, how to manage security and support, device management, hidden costs and so on.
And there are regular warnings to CIOs and IT departments about the need to embrace and support BYOD or face being bypassed, becoming obsolete and ultimately facing extinction. Such warnings are of course alarmist, exaggerations designed to generate publicity for the author. But it is clear that CIOs have to do something both to facilitate the demand from their users (to the extent that it exists) and to protect their organisation’s data, applications and cost base. No wonder some CIOs are sending out distress calls for help in managing the BYOD trend.
If you have time to trawl through the hundreds of articles on the subject there is plenty of advice out there, some of it is conflicting whilst some is provided by vendors and therefore linked to their products or services. By its nature most of the advice is quite generic and much of it is based on assumptions about the nature of the IT environment, what devices are being used by staff and what they are using them for. The other problem with all this advice is that it assumes you have plenty of time to draft and agree detailed policies, redesign processes, select, buy and implement security and device management tools, etc. And whilst all those things are necessary and will need to be done, the reality is you don’t have that time; BYOD is already happening in your organisation and has quite probably been happening for some time. It needs to be controlled now to protect the organisation from data loss and to ensure that any benefits it may bring are not outweighed by hidden costs.
So what should a CIO do? Here are three steps that CIOs can take to start the journey and avoid a BYOD crisis:
- Embrace BYOD: don’t ignore it or try to fight it. It is happening and if it hasn’t started in your organisation it soon will (actually it probably already is happening and you just don’t know about it!). And it’s always easier to implement controls on something if you are leading and facilitating and not when you are playing catch-up or fighting against the change.
- Act now but focus on the basics: whether they’re allowed or not, your people are already using their devices for work so you need to get certain things in place now. The more detailed and comprehensive policies, security measures, etc, can follow later (see below). So start by drafting a one-page ‘policy’ that covers the basics in terms of what’s allowed and what’s not. Identify the minimum security measures that you need to have in place to support the policy. And most importantly, talk to your users, explain BYOD to them, explain what the policy means and why any limitations exist, help them understand the security risks and what they can do to mitigate these. Be mindful of the language you use and the attitude and approach of the IT department; you want to be seen to be facilitating BYOD, encouraging it even.
- Take a step back and develop your plan: you’ve bought yourself some time by getting the basics in place and you need to use it to work out what your long-term BYOD model needs to be. Start by talking with the rest of the business to identify which roles would benefit from BYOD, what data and systems they will need to access from their devices. From this you can determine what your detailed policies will need to cover, what additional security measures will be needed, whether data will be stored locally on devices or accessed virtually via the cloud and any changes to existing systems required to support the use of multiple mobile devices, etc. The resulting programme of work (and there will be a programme) can then be added to your project portfolio and implemented as part of your overall strategic programme. One point to note though is that BYOD may not right for your business. It may be that providing your staff with iPhones loaded with well-designed consumer-style apps will better meet your needs.
BYOD and the broader trend of consumerisation are changing enterprise IT. CIOs and IT departments need to embrace this change and lead from the front. Increased use of mobile devices (whether provided by the employee or the employer) exposes the organisation to more risk. IT departments have to accept this change and move from a model where security risks are avoided to one where they are evaluated and managed. Your attitude to risk needs to be reflected in your BYOD model and needs to be discussed and agreed with the rest of the business before you implement your longer-term solution.