Tom Charles Davis, CTO, LANDESK Software
At this point, it’s inevitable that employees will bring personal devices to work–whether your organization has a BYOD policy or not. Users want the ability to use their own phones, tablets and laptops at work, without losing ownership or control, but this should raise some red flags for your company. Concerns with BYOD go beyond basic user-privacy issues; there are serious security and compliance matters that need to be addressed to ensure IT ecosystems are not breached.
There’s not a quick fix or one-size-fits-all solution to best tackle BYOD, but because the challenge isn’t going away anytime soon, it’s important to adopt a strategy. 74 percent of companies are either already using, or adopting, BYOD policies. Ultimately, the best solutions will account for, and be driven by, the needs of both employees and IT–serving as a compromise between the two.
As organizations evolve to keep up in the Digital Age and appeal to the next generation of employees, we will likely see a shift in the prevalence and acceptance of BYOD policies. To better understand the current state of BYOD and predict where we’re headed, we can explore three common approaches companies are taking to handle BYOD:
Let’s face it, just because an employee got a new iPhone for his/her birthday doesn’t mean IT received another $30 to buy a product to manage it. As a result, sometimes it’s easier for IT to just pretend the new phone doesn’t exist. But make no mistake–ignorance isn’t always bliss. We all have heard the scary stories about mobile devices being used to breach a network. With such a high risk, it’s understandable IT doesn’t want to pop its head up and become responsible, to some degree, for the device and network security.
For other IT members, it’s not a question of wanting to be involved, but whether they have the authority to do so. Mobile devices are embedded in our personal lives, and as a result, employees can be sensitive about IT having access to them. Even when IT wants to enforce a policy and properly manage a device, it’s not easy with unclear ownership. In the past, either the employee or the company would purchase the service, data and device, creating a clear distinction. Now, the employee may own the device but there can be ownership divisions at the application and data layer, which only complicates things for IT.
When I first started at LANDESK four years ago, I gave 150 engineers the option to pick a mobile device from a list and I would buy it for them. A year later, when we wanted to introduce an elective mobile device management (MDM) solution, the same engineers were hesitant to enroll, even though LANDESK had purchased the devices for them. Why? Because they had personalized the devices with photos, texts and notes from their personal life and they didn’t want IT to have control.
For some IT teams, that would be enough to stick their heads back into the sand, despite the fact that these devices are typically connected to the corporate network and have access to corporate email services.
Cro Magnon Approach
Companies that subscribe to the Cro Magnon approach are typically the most cautious about BYOD. In essence, their goal is to remove the ‘Y’ and the ‘O’ from ‘bring your own device.’ Cro Magnon organizations are often prescriptive with their IT and device management policies; outlining which devices they support and making clear distinctions between corporate and personal assets.
In highly regulated environments, however, some organizations go as far as to just say no to BYOD altogether. While this is a well-defined stance, it can alienate users and is difficult to enforce. In some cases, users will go around the regulations and connect unauthorized devices to the network, opening the proverbial Pandora’s Box of security and compliance issues.
Typically, the strongest force behind the Cro Magnon approach is security. Often times you’ll see organizations in more regulated industries adopt rigid BYOD policies in an effort to be compliant and adhere to policy. It’s also not uncommon for companies that have previously had security breaches lean towards this policy.
In theory, this strategy should make IT easier, but in some cases, it just creates a stop-gap solution; requiring a different set of policies to manage mobile and other user devices and PCs. As a result, IT needs two sets of toolsets and solutions that aren’t linked together in order to get their job done and providing a unified experience to the end user remains elusive.
BYOD has its risks, but ultimately, enabling it is based on a real business need. It provides valuable benefits to both users and organizations. For employees, BYOD enables them to use the devices they want and encourages IT self-sufficiency. By adopting this BYOD strategy, organizations can expect to see productivity gains, cost savings and increased employee satisfaction.
Still, for IT, BYOD can be a nightmare. In order to navigate this, standardization is key.
Standardization is one of the best strategies IT can employ to ensure it delivers high quality service and protects the company and its assets. Standardization of policies is critical in having a well defined and auditable strategy for how IT is going to support and offer services to these devices is key. Additionally, taking a “user” approach is essential since the user is the common denominator linking all of the devices for which IT is responsible to secure and deliver services.
One of the biggest challenges IT faces with BYOD is the issue of unique devices. Because each individual manufacturer wants to differentiate their products, each device requires different tools and applications. For IT, this is a time-consuming and frustrating process. Plus, with all of the devices that enter the marketplace, it’s practically impossible to stay up to date on the latest versions.
As a result, in the future, we can expect to see many organizations opt for CYOD, or choose your own device. With CYOD, users have the ability to select a device from a list that the organization can support and manage. In doing so, some organizations have found it easier to outline ownership distinctions and expectations for users and the IT department. Truly enlightened organizations, with the right tools, allow users to choose any device, and select a toolset that supports a wide variety of device types.
In order to implement the best strategy, IT shops are going to need a unification of toolsets that allow for the management of the different classes of devices by users. Simple MDM capabilities are not sufficient for enterprises wanting to manage PCs in all of their forms. Perhaps years from now, when sandboxed operating systems are ubiquitous, we may be closer. Meanwhile, IT shops need to search for tools that provide that level of integration and support customers need or stich together the integration themselves.