Good ITSM is the safety net
Security concerns are often raised as a barrier to more organisations embracing a broad-based BYOD strategy. According to Unisys’ Ward this is a legitimate argument.
“Most organisations are relying on passwords – a relatively primitive solution – to secure their mobile devices and applications,” Ward said. “A truly effective security approach requires a combination of strong policy and technology as well as the means to enforce both.
“Organisations have to think about security measures such as mandatory certificates, password, token and/or biometric locks as well as the use of secure VPN.”
Di Data’s Jansen said that a lot of planning is required to circumvent security risks.
“You have to put in place solutions to manage the security and risks while having these clearly defined in the BYOD policies,” he said. “Communication is also important. People need to understand how the corporation will behave to offset risk.
“The most important aspect is to remember that BYOD is a journey. As technologies and processes evolve they are able to increasingly offset existing, new and perceived risks. The BYOD approach can be adjusted over time to reflect a comfortable security posture.”
Macanta’s Ferris said that clearly “security and risk have been the biggest concerns of IT management since the advent of the BYOD trend” but added that this should not stop the progress.
“Issues around security are valid concerns,” Ferris said. “The biggest fear of CIOs is security particularly in regards to access to sensitive information and the chance of that information leaving the organisation.
“However, neither of these should be new concerns raised only by the advent of BYOD philosophies. Employees have had access to sensitive information for decades and the availability of CDs, USBs, email forwarding, phone cameras, photocopiers, pen and paper etc., has allowed this information to leave the organisation in the past. We have developed systems and processes to mitigate the risks and so it will be with BYOD.
“It is time to calm down about security and embrace the future. The technologies are now available to manage the risk. There is of course a cost but the cost of not embracing BYOD has to be evaluated against the cost and benefits of doing it.”
So where do you start?
Step one in formalising and taking control of BYOD adoption within an organisation is to define the boundaries of how and when personal devices can be used. Commonsense insists that any policy statement needs to be as short as possible and easy to understand so that it gets read and adhered to.
Macanta’s Ferris feels that the most important aspect of a BYOD policy is to ensure it is “clear and unambiguous”.
“It should outline the responsibility of the employee to have suitable technology available for work purposes at all times they are expected to work,” Ferris said. “It should define minimum specifications for hardware and operating systems and it should clarify who will pay for support of BYOD devices – the organisation or the employee.
“Any compensation for using your own device for work purposes should be specified along with what is and what isn’t supported. Meanwhile, security policies, levels of permissible data access, details about what will happen if a device is lost or stolen and what happens when an employee leaves the organisation also need to be covered.”
When drafting its BYOD policy, Dimension Data’s CIO said his organisation found it helpful to try and keep things “generic wherever possible”.
“People can be incredibly passionate about a particular device,” Jansen said. “Ensuring that you don’t have to re-write the policy each time a new piece of technology comes along is helpful. Our policy contains minimum generic requirements for smart phones, tablets and computers.
“We are mindful that the minimum requirements are a combination of the device type, model and OS version. It is the combination of these three aspects that determine the device meeting minimum corporate requirements.
What are the benefits?
Andrew Talbot, an ITSM specialist with enterprise software vendor, BMC Software believes the increases in productivity from BYOD are significant and obvious for organisations with mature ITSM programs.
“The key thing is to ensure that processes around service request and incident management are still followed,” Talbot said. “Mobility just provides easier access to effectively participate in those ITSM processes.
“Companies without in-depth ITSM practices will not realise the benefits of BYOD and it does have the potential to make communication less effective. Companies with ITSM best practices in place will be able to provide employees with accurate information will realise benefits, so BYOD is not a threat but when approached correctly is actually further justification for ITSM best practice.”
In 2011, Citrix Systems presented the results of their Bring-Your-Own (BYO) Index which revealed that 92 per cent of IT organisations are aware that employees are using their own devices in the workplace and 94 per cent intend to have a formal BYO policy in place by mid-2013.
Interestingly, the research found that attracting and retaining the highest quality talent, increased worker productivity and mobility and greater employee satisfaction, as well as reducing IT costs, are the primary drivers of BYO adoption.
Macanta’s Ferris, agreed with these survey results. She said forward thinking organisations have to allow good quality staff and new generation workers to work on the devices of their choosing.
“Students leaving school and university where they have been able to plug in their own devices are not going to be satisfied if they have to use equipment provided by the employer and that they are not allowed to connect their own devices,” Ferris said. “This will be seen as archaic, restrictive and unsatisfactory.”
While Dimension Data’s Jansen said that metrics around the benefits attainable through the adoption of formal BYOD policies and processes are hard to establish, he still thinks the anecdotal evidence is strong.
“BYOD in isolation will deliver few financial benefits to an organisation other than improved staff satisfaction,” Jansen said. “Most CFOs will argue that this is intangible. The effort, cost and complexities generally negate any of the capex savings that might be made.
“However, when BYOD is combined with mobility, the benefits magnify each other. It accelerates the adoption of mobility and removes inflexibility in a mobility strategy. Sometimes these benefits are thought of only in productivity terms, however we have found that there are many more.”
According to Jansen, Dimension Data saw benefits in flexibility of workplace and flexible work arrangements which saves costs in physical office space and reduces staff turnover with all its costs.
“IT service continuity and business continuity is improved because people can work anywhere and do anything in the event of natural and other disasters,” he said.
“There is better access to corporate information regardless of location and we believe that better decisions are being made as anything and everything is at anyone’s fingertips, at any time and on any device.
“Meanwhile, BYO and mobility are very visible to the business. IT can be seen contributing and helping the business and its people to be successful and productive. This improves the relationship with end users and increases the profile of IT.”
Gerard Norsa is publications editor at itSMF Australia. He can be reached at gerard.norsa@itsmf.org.au.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.