How BYOD will change IT’s job

Summary: IT used to dictate the image, configuration, and delivery model of technology for employees, but no more. Now it's time for the employees to take over.

Commentary - The equilibrium between employees and the enterprise IT department has fundamentally shifted. Enterprise computing may once have been a command-and-control environment, in which IT dictated the image, configuration, and delivery model of technology for employees, but no more. Employee-owned smartphones and tablets in the workplace have fundamentally changed the balance of power. IT departments have to rewrite the rulebook as consumer technology permeates the workplace, one swipe at a time.

The Bring Your Own Device (BYOD) phenomenon, in which employees do company work on personal devices, is well underway at leading global enterprises. It’s now common to hear phrases such as “employee-liable” and “corporate-liable” in connection with BYOD. These terms are misleading, as they apply only to the mobile device itself. In fact, IT and employees are jointly liable for corporate data protection. It’s a hard pill for end users to swallow, but there is no chance of mitigating risk without their cooperation. That is why a solid partnership between IT and the employees they support is essential, and that partnership must be struck before personal devices enter the scene—call it the “zero-day preventative measure.”

BYOD will change your life: here’s how
The New Deal for IT and the employee: The new contract between employees and IT needs to sound something like this: “The employee can do anything they want with their personal data and applications on their iPhone, iPad, Android or BlackBerry devices, but IT reserves the right to stop access to proprietary applications or information if the device is out of compliance. That can mean wiping the device or placing it in detention until it is in compliance. Please sign this End User License Agreement.” When users understand that wide-ranging privileges come with a few responsibilities that can be managed with a high degree of autonomy, they are more likely to be cooperative.

IT becomes the Department of Motor Vehicles (no, really)
The Department of Motor Vehicles (DMV) issues licenses and checks paperwork, but the police enforce the use (or abuse) of those privileges, such as by ticketing speeding drivers.

In the past, IT has had to serve in both roles: as the enabler and as the heavy hand of the law. In the new model, IT only needs to facilitate compliance (like the DMV), and relies on automation to enforce compliance (like the police).

IT simply can’t do it all anymore—the price for untethering information from corporate-controlled devices is that IT must respond to non-compliance in minutes, not hours. With BYOD, IT must become a rapid-reaction force at the device, application, data, and network levels to instantly respond to a new device entering the corporate realm, armed with a rational combination of policy and technology. Does the device meet security standards? If so, what applications are allowed? If not, does it need to be quarantined or issued a security policy? If it does, ideally that will be done wirelessly and automatically with minimal effort from the employee and from IT. Think of it as the DMV without the lines.

Detection & prevention
IT’s One-Two Punch: There are two basic sets of mechanisms available to the BYOD rapid-reaction force: detection and prevention.

Detection refers to IT’s monitoring of potentially troublesome activities or applications that are not actively malevolent—such as Angry Birds or Dropbox or a data plan about to cross an expense threshold due to video traffic. In this case, IT’s job is to let line-of-business accountants know that their cost allowance is close to the limit, leaving the decision about how to manage that situation in the business units’ hands.

Prevention refers to automated, proactive responses to dangerous conditions. Imagine a board-book app on a jailbroken phone poised to receive next quarter’s sales projections. In this case, detection will not suffice; immediate action is necessary.
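The detection/prevention split described above, sketched as a small policy evaluator. This is an added example, not code from the article or from any MDM product; the field names, app lists, 90% data threshold and action names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not a real MDM schema).
WATCHED_APPS = {"Angry Birds", "Dropbox"}   # detection only: report, never block
SENSITIVE_APPS = {"board-book"}             # corporate apps holding proprietary data
DATA_ALERT_RATIO = 0.9                      # notify at 90% of the data allowance

@dataclass
class Device:
    owner: str
    jailbroken: bool
    passcode_set: bool
    apps: set
    data_used_mb: int
    data_allowance_mb: int

@dataclass
class Verdict:
    action: str = "allow"                          # allow | push_policy | quarantine
    blocked_apps: set = field(default_factory=set)
    notices: list = field(default_factory=list)    # findings for the business unit

def evaluate(dev: Device) -> Verdict:
    v = Verdict()
    # Detection: record findings and leave the decision to the business unit.
    for app in sorted(dev.apps & WATCHED_APPS):
        v.notices.append(f"watched app installed: {app}")
    if dev.data_allowance_mb and dev.data_used_mb >= DATA_ALERT_RATIO * dev.data_allowance_mb:
        v.notices.append("data plan near expense threshold")
    # Prevention: automated response, no human in the loop.
    if dev.jailbroken:
        v.action = "quarantine"        # cannot be fixed by configuration alone
    elif not dev.passcode_set:
        v.action = "push_policy"       # remediable over the air
    if v.action != "allow":
        # Out-of-compliance devices lose access to proprietary apps until fixed.
        v.blocked_apps = dev.apps & SENSITIVE_APPS
    return v

if __name__ == "__main__":
    phone = Device("constructed-user", True, True,
                   {"board-book", "Dropbox"}, 950, 1000)
    print(evaluate(phone))
```

Detection findings accumulate in `notices` regardless of the outcome, while only the prevention rules change `action`, so a noisy but compliant device is reported without being blocked.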

Vigilance will only take you so far!
It seems like every week new updates for iOS or Android are being made available. With each new update, an exponentially larger set of questions about vulnerabilities is added to the pile. The equation becomes even more complex, given the heterogeneity of device types and manufacturers. Once BYOD enters your business, change is the only constant one can expect. The enlightened IT leader understands that no policy will completely protect the organization, and no policy lasts forever. While IT leaders are vigilant, the management of mobile devices is a secondary or even tertiary responsibility, so updates will fall through the cracks. Dynamic policy shifts rule the day. Vigilance about the risks of new applications, new data, and new devices is a job requirement for IT in the BYOD era. A cloud-based mobile device management service will help IT leaders deal with the onslaught of patches, upgrades, and possible malicious apps, ensuring compliance and increased end-user uptime. The speed of the cloud will allow the IT department to focus on policy updates and not maintenance windows.

Three rings to rule them all
As BYOD becomes a central part of the enterprise, the IT leader will need to become the Lord of the Three Rings for device protection and data security:

  • Ring 1: Mobile device management best practices. At minimum, the organization needs mobile device management best practices including: password enforcement, the ability to lock and wipe rogue devices, and over-the-air configuration of productivity services (email, WiFi, VPN, business apps, and important documents). This is as basic to enterprise mobility as air and water are to human survival.
  • Ring 2: Policy enforcement. The next level is a carefully written (yet dynamic) policy that relies on specific security capabilities. Take the staggering number of devices and multiply by the myriad of ways each employee requires specific and specialized access. This requires more than dynamism; only a superhero would be able to keep track of so many moving parts without the ability to set granular level policies and continuously monitor devices.
  • Ring 3: Advanced capabilities. At the high end of the capability scale are comprehensive certificate management and event-based security. This way the devices themselves can automatically enforce policies based on time and geography, for example. Geo-sensing can shut off certain capabilities, such as the phone’s camera or email, if a user takes a phone into an unsecured WiFi zone, a particular country, or a room with sensitive prototypes.

IT Dove & Hawk
In the face of change, IT must be like a dove, taking a Zen-like stance of peaceful observation, but must also be prepared to swoop in like a bird of prey, ready to snatch rogue devices from the network if necessary. Ultimately, in the age of mobile consumerization, cooperation is key. As long as employees understand the agreement and can use their own tools, with help from IT to keep corporate data secure, peaceful coexistence can prevail.

Biography
Chris Clark is president and COO at Fiberlink – a mobile device management company that manages more than one million endpoints globally.

Topics: CXO, Mobility, IT Employment

Talkback

9 comments
  • Data governance is only one part

    No one seems to talk about the issues BYOD brings related to HR policies for acceptable usage (if there are any) nor compensation under BYOD. It's nice to think employees wish to be as ultra productive as possible but reality is they want to use their devices for things you likely already block at work:

    - Public IM, Twitter, social networking / sexting
    - Gambling
    - Gaming
    - Video streaming

    There has been no evidence BYOD drives employee productivity, if anything it likely is a distraction. It's not a corporate thing to govern so the cat is out of the bag so to speak, the pursuit of leisure has now crept into the workplace and days of an employee being online "shopping / slacking off" for an hour at lunch are nothing in the constantly connected wireless world.

    Employees want privacy to do as they please and have little to no regard for corporate policy or data protection.
    MobileAdmin
    • "issues BYOD brings related to HR policies"

      Yep - pr0n wallpaper comes to mind...
      vgrig
    • HR issues

      I agree. One situation comes to mind that happened a few years ago when a consultant was blogging about company practices at their desk with their own device detailing confidential information. We found him and removed him from the network, but we were unsure if we had the authority to confiscate the device in order to do any forensics work on it. It became a big debate for a while, but I think it came down to the fact that he was physically attached to our network and therefore a company asset during that time. Not sure whatever transpired after that because I think it went to legal and out of my hands.
      darthmongo
    • Not all employees are bad - locking it down will hurt recruiting long term

      While you're always going to have issues with employees doing stuff they shouldn't do - shutting down on BYOD can cost you talent and it's only going to get more costly. Your top performers don't want a specific device so they can look at porn and reddit all day, they want a device they are comfortable with the same way a chef has his personal set of knives or a mechanic has a personal set of tools.

      http://networkingexchangeblog.att.com/small-business/from-my-cold-dead-hands-why-byod-will-become-a-must-for-knowledge-workers/
      davidegger
  • And the privacy of the employee's personal information...?

    Say a company decides to access the device and sees that the employee is doing something -- anything -- that the senior leadership does not approve. Sexual preferences, religious beliefs, troubled relationships for example.

    And the employer does not like what they see, so they decide to make the employee's life difficult by way of passed over promotions, favoritism, lack of pay upgrades and unusually large amounts of work; just to get the employee to quit rather than seek legal help and/or file a claim for unemployment.

    Is there anything included in these policies that will help protect the employee from unethical employers who seem to 'walk the line' when it comes to accessing personal information on an employee's device?
    jakesteeley
  • @Author

    This sounds very relaxed and vague, compared to the situation over here in Europe.

    For European businesses, the directors and head of IT, among others, are directly responsible for data misuse - including the data leaking out through stolen devices etc. So, although the employee has some responsibility, the liability lies with the CEO, CIO etc. in the form of prison sentences and large fines if personal data (customer names and addresses, employee information etc.) is leaked to third parties.

    That would mean, effectively, that a BYOD device would become part of the company infrastructure and, for example, the employee could no longer share their iPad with their spouse, children, friends etc.

    This is in addition to having to have it locked down and enter a security code on wake-up etc.

    Is the situation in the USA really so lax?
    wright_is
    • Usage in the US is "being defined"

      Many corporations in the US are just really looking at BYOD. The businesses where there are very strict regulations on personal information like the medical industry have very strict laws to follow and have policies in place.

      Other groups have a hodge-podge of laws that do not cover this question directly.

      The biggest part of all of this is what compliance will be required, where will data sit and once the BYOD device connects to the corporate infrastructure who really owns it now?

      There are also a myriad of questions about items like legal discovery or how will a device be validated corporate information free when someone leaves the corporation as examples.

      No one has a good list of what all this entails, the risks associated with BYOD or much less a list cross-referenced by industry of data protection requirements impact to BYOD.

      The one thing I keep hearing is BYOD will "save money." Everything I've seen is BYOD will triple or more the cost.
      pjboyles
  • Where are the real figures for BYOD use?

    BYOD phones are easy to use alongside corporate IT, as they do not actually interact directly with it. However, you are unlikely to be allowed to directly hook into the corporate email or file systems.

    For that, you will usually be given a corporate phone. At my last contract, I used my own phone, having listed its number in the corporate directory and redirected all incoming calls on the Cisco phone to it (probably could because it was not hooked into the rest of IT enough to block non-company mobiles).

    VPN might be allowed, though.

    Recently iOS devices were approved for use in Australian government departments, but their use is restricted so much that you would not be able to use a BYOD for personal stuff, which sort of defeats BYOD.


    As for tablets, while I see some bring their own and some execs and managers have company ones, they are not integrally tied into the IT infrastructure, if they talk to it at all.
    Patanjali