Just when they thought they had a handle on employee demand for mobility through BYOD policies, CIOs are now being asked to tackle the latest consumerisation curve ball: Bring-your-own applications (BYOA).
Thanks to an explosion of mobile apps on smartphones, employees today have a range of software options for use in the workplace, whether their organisation approves of them or not.
Many of these, including note-taking app, Evernote, and file-syncing app, Dropbox, cost little to nothing and present a low barrier to entry for consumers. However, such public cloud apps are raising significant concerns in organisations seeking to keep their data secure.
While it’s still early days for many Australian organisations in writing a BYOA policy, the CIOs of several groups, including Coca-Cola Amatil and the Civil Aviation Safety Authority (CASA), are exploring how BYOA can drive business productivity.
“When people embrace a technology they use, they typically become more productive,” claims CASA CIO, John Forrest.
Coca-Cola Amatil Group CIO, Barry Simpson, agrees. “You’re better off harnessing the energy than trying to fight it. A better strategy than banning BYOA is generating an environment where your customers have access to the apps they need and at scale.”
Making it personal
While BYOD focused on using personal hardware in the workplace, BYOA is all about the personal software running on the device.
“Rather than an IT department making all the decisions regarding the software tools that people will be using to be productive in a working environment, [workers] are essentially being given the latitude to make some decisions on the stuff that they believe is going to make them productive,” explains Gartner analyst, Brian Prentice.
“Organisations are recognising there is an element of control they were once able to exert over the corporate computing environment, which doesn’t exist anymore. That doesn’t mean there is no control, but there is a shifting landscape.”
Simpson has chosen not to ban personal apps on iPads used by the Coca-Cola Amatil sales force, and instead sees the apps as a source of new ideas to bring into the business.
“If you’re not going to provide the capability in the company, then people will find another way,” he says. “If that’s how the world works, then you need to be trying to provide better platforms and making your technology easy to consume, then embracing people’s ideas and innovations as part of your core business.”
Forrest has seen high demand from CASA staff for personal productivity apps and predicts BYOA could one day be an important part of its mobility strategy.
“It drives the business users to actually look at what is available out there [and discover] what technologies can make them work more effectively and more efficiently,” he says.
The CIO should not fear this potential source of productivity, he says. “At the end of the day, the technology needs to work for the business. It’s not about IT deploying a technology; it’s about a tool for business.
“Mobility has been and will be a very disruptive technology for IT. Good organisations will actually look at how to leverage that technology for the benefit of the organisation. The deployment and the management of these devices is really about balancing risk and security and looking at how we can maximise investment.”
Block and tackle
Neither Coca-Cola Amatil nor CASA has adopted a formal BYOA policy as yet, and both use enterprise app stores to take greater control of the apps used by employees. Several other organisations do not allow BYOA at all.
One of these is White Retail Group, the managed service provider for Terry White Chemists and several medical centres across Australia’s east coast. The company’s IT manager, Darryl Roberts, says the security risks of BYOA are too high for a company in the healthcare sector.
He describes the company’s BYOA policy as a battle of “trying to convince our users not to install Google Chrome”. “What they do at home, they try and come in and do inside the network,” he says.
To combat this, Roberts has set up automated alerts that detect executable changes on PCs and notify IT what has been installed, at what time and on what PC.
Other responses to BYOA allow only specific apps, or situate personal apps on a designated network. The Therapeutic Good Administration (TGA) restricts what apps can be used on its network with “comprehensive whitelisting” using mobile device management (MDM) software from Good Technology, says CIO, Peter Bickerton.
However, the agency has a separate Wi-Fi network that staff can use for personal apps. Users seeking to access webmail, for example, can do so only on the wireless network.
Security is important to TGA because as a government agency it possesses commercially sensitive data, says Bickerton. “The last thing that we would want is a loss of reputation because there’s been a leakage of sensitive information.”
However, the CIO acknowledges it’s impossible to enforce a complete ban on personal apps in the workplace. “The horse has bolted on that one.”
Responding to BYOA
Whatever the challenges, BYOA is not a lost race, says Telsyte analyst, Rodney Gedda. But he does admit enforcing a BYOA ban is unsustainable.
“For most CIOs in the general government and corporate space, it’s prudent to have BYOA as part of your mobility strategy and not to ignore it,” he advises.
Telsyte’s Australian Enterprise Mobility Market Study 2014, a survey of 460 CIOs and ICT decision makers, reported 27 per cent of Australian organisations allow employees to use personal apps with no restrictions, while 25 per cent allow BYOA from an approved catalogue of apps.
The study also found 34 per cent of Australian organisations enforce a ban on BYOA. However, another 14 per cent disallowing BYOA admitted they knew their employees downloaded applications anyway.
“There may be prudent reasons for organisations to put a stop to it, but I recommend communicating those rather than banning it outright,” says Gedda. “You can ban Gmail if you want to, but you have to ask why people are using it in the first place.”
Several CIOs agree communication about acceptable use of mobile apps is important. The TGA uses daily messaging, brown bag lunches and one-on-one sessions to explain its policies and how to use available mobile tools, Bickerton says. In addition, the government agency has a small, informal user group that discusses ways to be more productive in the workplace, including app recommendations.
Forrest says communication with mobile users is critical to keeping CASA data secure.
“We’ve tried to be as open as we possibly can in trying to engage with the relevant mobile users to understand their needs and to educate them on the risk that are taken in terms of downloading apps on the personal side of the device that they might want to use for CASA purposes,” he says.
Prentice advises against a “default/deny” method that bans everything except apps on an approved whitelist. A better approach is to blacklist a small set of apps and allow the rest.
“You’re granting your employees rights to be able to do these things, you connect it with responsibilities, and what you do is you monitor and you audit to make sure those are being adhered to,” he says.
Prentice warns organisations exerting too much control over what apps can be used risk angering employees, while Forrest says banning certain apps and allowing others misses the point.
“The best way to enable BYOA would be to allow it in full,” says the CIO. “If you have a blacklist or a whitelist, then that really takes away from the innovation BYOA is trying to bring.”
Enterprise app store
Several organisations have set up enterprise app stores to take control of the software downloaded and installed on users’ mobile devices. This self-service model allows employees to download a select list of apps chosen by the organisation.
Coca-Cola Amatil has set up an app store featuring both internally developed apps and a selection of recommended personal apps. The store is now about one year-old.
“We don’t lock anything down on the tablet devices out in the field, so people can choose,” Simpson says. “But what we find is, by having that central app store with recommended apps based on feedback from the people in the business, most people will adopt those as best practice.”
Coca-Cola Amatil is still perfecting the feedback process used to determine what new apps to recommend. “We can get a lot better on that, but I think as we leverage more and more crowdsourcing on the support side and have our vendors actively involved in that crowdsourcing support, we will get better feedback and get far more tailored in best practice usage of the apps,” Simpson says.
CASA has had an enterprise app store based on Citrix XenMobile software in full production since the end of June. “People can actually download apps as they need to, at their own discretion, to be used for work purposes,” says Forrest.
The apps are primarily focused on aviation. CASA engages with people using the mobile devices and collects feedback on what apps are in demand. If it determines the app will be useful and is unlike anything currently available, the organisation investigates whether it can deploy the app in its enterprise app store.
“The view is to be proactive in that space. If we don’t, then people will download it and they’ll install it and they’ll use it anyway,” Forrest says.
Licensing can be a challenge to adding apps people want to the app store, he says. “We’ve had a look at a few apps where they are free on the app store, and requested by CASA staff members, [but] when we’ve had a look at the licensing requirements it becomes quite expensive.”
Gartner has fielded an increasing number of questions from clients about enterprise app stores, “but there is a lot of daylight between people asking questions and actually implementing enterprise app stores,” says Prentice. “At the moment, it’s a tyre-kicking activity.”
One of the challenges is organisations incorrectly see app stores as an extension of traditional desktop management practices. “So the app store comes along and they say, ‘This is great. It’s exactly the same thing but it gives people the illusion of choice’,” he says.
But there is a difference, in that employees using their own devices can elect to ignore the app store set up by their employer, Prentice says.
“The key issue with an enterprise app store is supply: How do you get enough stuff in the app store so that people want to bother going back a second time?” he asks.
Productivity versus security
While allowing personal apps in the workplace can raise security concerns, CIOs must balance this risk against possible gains in productivity.
“Security is getting more complicated to manage, but I don’t see it as an inhibitor,” Simpson comments. “It’s just something you need to actively manage. We will protect company data wherever it is, whatever it’s on.”
That requires the business to manage devices, encrypt data and understand where company data is stored. “All of those kinds of principles apply anyway,” Simpson says.
In the end, the business might not have a choice whether to support BYOA, he adds.
“The consumer’s deciding. The Internet’s not going away. Mobility has won. This is where the world is going, and as IT technologists we have to help the business find a path there.”
Snapshot: BYOA’s infiltration of the enterprise
- Two-thirds of Australian businesses have employees that use bring-your-own-apps
- Only 27 per cent of organisations allow unrestricted use
- Just over one-third do not allow BYOA at all and enforce this restriction with tactical approaches, such as management tools
- 14 per cent of those disallowing BYOA know their employees downloaded apps anyway
- Within companies that do allow the use of BYOA, 30 per cent of staff actively use their own apps for work
Source: Australian enterprise mobility market study 2014, Telsyte
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.