How to Manage the BYOD Quandary

by John Lytle of ISG

Employees of large business enterprises are increasingly bringing iPads, iPhones, Android, and other devices to the office and using them for work-related purposes. This trend, the consumerization of IT or the bring your own device (BYOD) phenomenon, has CIOs concerned, and rightly so.

The proliferation of personal electronic devices in the workplace raises some immediate and urgent issues around corporate policy, infrastructure, and applications. While immediate action is essential, the best approach to BYOD may lie in the context of long-term strategy, one that turns the challenge into an opportunity to optimize the enterprise’s operational environment.

CIOs need to recognize the changing nature of the workplace; specifically, the evolution of the mobile worker into the virtual worker, for whom location is irrelevant. Whereas once new employees were issued a laptop, and more recently a Blackberry, today the expectation is ubiquitous wireless access to any information, from any location, at any time. While that expectation creates a challenge, the upside is that encouraging and enabling that desire to work allows employees to be far more productive and valuable.

Enterprise security, which is hard enough to get right without the added requirement of ubiquitous access, is probably the central overriding concern around the BYOD phenomenon. Corporate boards do not want critical IP being inadvertently made available to the wrong people. More specifically, no CXO wants to be on the front page of the Wall Street Journal explaining how their critical data got exposed.

Recognizing the potential risk, enterprises are investing significant resources in this area. Initiatives around defense-in-depth, identity management and multi-factor authentication are receiving highly specialized and qualified resourcing.

While the security challenge posed by BYOD can appear overwhelming, the key to success is to isolate and manage specific criteria such as identity, devices, and presence. For example:

  • Identity – From a policy perspective, the employee’s role within the organization, as well as the screening and oversight procedures associated with that role, dictates who is allowed access to what, in terms of applications, data, and network segmentation. Based on these criteria, user profiles can be defined.
  • Devices – CIOs must understand and address the different ways that a corporate asset, a smart device owned by the employee, and a public device will be used. Specifically, how will data be used and transmitted on each type of device?
    For example, if a user at an internet cafe accesses corporate systems on a publicly used PC (not a company asset), the policy may be that they cannot edit or download documents. Further, when that user is finished, the public PC must have its browser cache wiped of all session files, etc. A corporate asset would be handled differently, with more privileges, while a BYOD device that meets certain minimum protection levels would have a third set of privileges.
  • Presence – This involves managing the interplay between users, devices, and sessions. What is the employee’s user profile and what level of access is allowed? What kind of device is being used? Is the session being established within the secure network, or through an external connection?
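The three criteria above can be combined into a single access decision. The following is an added illustration, not code from the article or from ISG; the device-classification checks (encryption, screen lock, management enrolment), the role-to-application map, and the exact privilege sets for each device class are assumed for the example:

```python
from dataclasses import dataclass
from enum import Enum

class DeviceClass(Enum):
    CORPORATE = "corporate asset"
    BYOD_COMPLIANT = "employee device meeting minimum protection"
    PUBLIC = "public or untrusted device"

@dataclass(frozen=True)
class Device:
    company_owned: bool
    disk_encrypted: bool
    screen_lock: bool
    managed: bool          # enrolled in device management (assumed check)

@dataclass(frozen=True)
class Session:
    role: str              # the identity criterion
    device: Device         # the device criterion
    internal_network: bool # the presence criterion: inside the secure network?

# Identity: which applications each role may reach (assumed sample profiles).
ROLE_PROFILES = {"sales": {"email", "sales_figures"}, "contractor": {"email"}}

def classify_device(d: Device) -> DeviceClass:
    """Assumed minimum protection level: encrypted, locked and managed."""
    if d.company_owned and d.managed:
        return DeviceClass.CORPORATE
    if d.disk_encrypted and d.screen_lock and d.managed:
        return DeviceClass.BYOD_COMPLIANT
    return DeviceClass.PUBLIC   # an internet-cafe PC lands here

def allowed_actions(s: Session, app: str) -> set:
    """Privileges for one app, given identity, device class and presence."""
    if app not in ROLE_PROFILES.get(s.role, set()):
        return set()                       # identity profile does not cover the app
    cls = classify_device(s.device)
    if cls is DeviceClass.PUBLIC:
        return {"view"}                    # no edit, no download, as in the article
    if cls is DeviceClass.BYOD_COMPLIANT:
        # assumed: editing allowed, but downloads only from inside the network
        return {"view", "edit", "download"} if s.internal_network else {"view", "edit"}
    return {"view", "edit", "download"}   # corporate asset: full privileges

def wipe_cache_on_logout(s: Session) -> bool:
    """Public devices must have browser session files cleared when done."""
    return classify_device(s.device) is DeviceClass.PUBLIC
```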

Another set of considerations revolves around the question of support. If they haven’t been already, CIOs will be tasked with providing mobile access to company information. Support of mobile devices is much more difficult with character-based legacy applications rather than browser-based applications. Meanwhile, telling the folks in the boardroom that they can’t access sales figures on their “executive jewelry” devices isn’t a viable option.

The right approach

A successful strategy focuses on simplification and standardization; specifically, on reducing application access complexity to the lowest common denominator. For user devices, that lowest common denominator is a browser-based user interface, be it Chrome, Firefox, IE, etc. This means that applications which cannot run in a browser may require their UI layer to be switched to a virtual Windows session simply to make the application available on any platform.

In terms of implementation, simplification is again the watchword. Start small, with “super users” or subsets of users to run pilots. Use email access from any platform as a starting point, and Web-enable everything.

Another imperative is to rationalize the application development platform. Having fewer technologies in place for application development reduces costs in many ways, and significantly simplifies the user access issues.

The consumerization issue also affects infrastructure, and the network’s perimeter security is a particularly critical concern. The influx of mobile devices could impact the entire network strategy. CIOs need to consider the question in the context of how to manage “data in motion.”

CIOs are increasingly concerned about building their operational defense plan, about managing their legacy applications and rationalizing their portfolios. They’re looking for a good understanding of overall staffing and support costs, and how to pull together their shared services and sourcing strategies. Ultimately, they need to understand what they’re spending and what they’re getting.

In this larger context, the IT consumerization challenge can be a way to address the big-picture tasks of IT operational strategy. So, rather than a fire-fighting exercise, the imperative to effectively support mobile devices can become part of a strategic plan to transition the enterprise from where it is now to where it needs to be.

John Lytle is consulting director at Compass, an Information Services Group (ISG) company and a leading independent sourcing data and advisory firm. He has over 25 years of experience managing complex IT organizations for large multinational organizations. His areas of expertise include IT operational effectiveness; infrastructure architecture and standards (servers, LAN, WAN, TDM and VoIP voice, and data centre); sourcing strategy and vendor management; business continuity and risk management; and emerging technologies.