Generation X has experienced a technology revolution, and the next generation, Gen-Y, will probably see both evolution and revolution. For some orthodox IT managers, BYOx is not a welcome revolution, and so the debate goes on over whether BYOx can be embraced in their ecosystem or not!
Actually, to be or not to be is not the question anymore. BYOx has already crossed those boundaries of suspicion, and the question now is how organizations can embrace it in a more secure, efficient and accurate way. By 2025, around 75 percent of the world’s workforce will be Millennials, who will be technology savvy and dependent on a personalized choice of devices, applications, technologies and cloud services. CIOs already face a challenge in bringing in new talent, and they are continuously looking for new means to attract Millennials. The freedom and flexibility to bring a personalized digital ecosystem to the workplace is becoming a reality. IT consumerization has already started taking place.
Bring Your Own Device was initially opposed and is now being adopted by both orthodox and brave business organizations. While businesses are getting accustomed to BYOD, other concepts such as ‘Bring Your Own Applications – BYOA’ (for example, mail – Google Mail, social media – Facebook, communication – Skype, etc.), ‘Bring Your Own Cloud – BYOC’ (for example, file sharing – Dropbox, Box, Google Drive, etc.), ‘Bring Your Own Software’ (for example, cloud-based office document authoring, editing and storage tools like Google Docs), ‘Bring Your Own Servers – BYOS’ (for example, your own accounts at Amazon infrastructure services), etc. are knocking on business organizations’ doors. Today’s organizations are realizing that they cannot detach today’s workforce from mobile devices, social media and the cloud.
They say that by providing the flexibility and freedom to let employees use devices and technologies of their own choice, organizations achieve greater employee engagement and satisfaction, and improved efficiency and productivity. A recent survey carried out by Blue Coat Systems across 1900 business and IT leaders (Ref: http://goo.gl/pzWGBN) estimated that empowering employees would increase revenue by 27 percent and profits by 26 percent. According to Intel’s CIO, Intel achieved annual productivity gains of around five million hours through its BYOD program, with 23,500 mobile devices and 41 mobile applications (Ref: http://goo.gl/S1Y7sX). The recorded saving of 57 minutes per employee workday was a gain in productivity, though it did not have an impact on cost savings.
While all this is true, CIOs and CSOs are having nightmares about the potential security violations and data breaches that come with all these BYOx concepts, and about possible threats to the business models they have built over so many decades. Regulatory measures and compliance requirements are hard to implement and follow with so many inside and outside access points due to BYOD. Critical data is no longer safe within corporate boundaries because of personal BYOA-based storage mechanisms. The organizational application ecosystem is no longer uniform and integrated under defined, proven policies because of BYOA.
Most organizations have adopted Mobile Device Management and Mobile Application Management solutions along with traditional security measures around network boundaries, but the risk of information and data breaches is not completely addressed. Or it cannot be addressed at all in the near future.
An independently conducted survey by Ponemon Institute (sponsored by WatchDox) (Ref: http://goo.gl/kDQwSn) found that an average of 63 percent of employees use mobile devices such as laptops, tablets and smartphones to access and use data in the workplace. An average of 50 percent of employees use these devices to access regulated data. The survey also found that 45 percent of organizations understand the risk of having regulated data on mobile devices. Moreover, 75 percent say it is difficult to stop employees from using insecure mobile devices to access regulated data, and 72 percent say it is difficult to detect such actions.
As BYOD matures and BYOA, BYOS, etc. start becoming reality, corporates need to be really careful about what they are entering into. Though hardware- and software-based security measures are available to bring in the required controls and constraints around information / data breaches, organizations will still have to protect the weakest link in this chain – their employees.
BYOx policies will have to be defined uniformly for the tech savvy, the dependent and the ignorant alike. The associated risks will have to be communicated, and employees educated about them, from day one. BYOx will have to be conveyed to employees as a privilege and not a right!
Here are a few commonsense thoughts on how BYOx can be made successful by addressing the weakest link.
#1: Educate all
Once the BYOx charter and policy are in place, no matter how aware and educated a person is, it should be mandatory for him/her to go through the education program on the what, why and how of BYOx. This way, nobody will have an excuse about what is expected of a responsible employee in the organization’s BYOx program.
#2: Make them Accountable
MDM, MAM and other measures will have capabilities and limitations. Actions matter a lot, and each employee must be made accountable for what they store and share across corporate boundaries. Once information leaves their digital device, they will have no control over how it is accessed or who has access to it. Being responsible, they must take appropriate care over what they do and don’t do. Make them accountable for all their actions and inactions.
#3: Give them as many options as possible rather than complete freedom
You still need to weigh options against freedom. When there is complete freedom, each employee will probably pick software / hardware of their individual choice, and solving this ‘segment of one’ issue would be very difficult. Though employees would probably consider the top 2-3 choices of hardware devices or software services, if that number grows there will be manageability challenges. The corporate security group and network services group should evaluate each piece from a security and remote manageability perspective and give employees limited options. Though this would hamper true BYOx, considering the cost of data breaches this compromise will be fine.
#4: Align with latest trends
While you expect employees to follow the organization’s BYOx policies, the choices of allowed devices, technologies and services in those policies should always be current with industry trends. If they do not keep pace with what the industry is offering, employees will find ways to bypass your policies. Update your policy every alternate quarter or so and communicate it to all.
#5: Regular assessments and audits
Think of carrying out surprise audits on the devices, and make sure your assessment findings are acted upon by division heads and that non-compliance is appropriately addressed. Acting through warnings and punishments for non-compliant employees would spread the message that you are serious about BYOx but that business comes first.
#6: Be consistent with your rules
Do not change any of the above-mentioned rules (with respect to choices, assessments and audits, etc.) for different designations, categories of groups or hierarchies within the organization. That may dilute the seriousness of the program. Be consistent in your audit processes; be consistent in how you update the policies and how you address compliance and non-compliance issues.
#7: Strict authorization policies
Though authorization will be managed through user credentials and specifically defined roles, in many cases authorization policies get manipulated as part of delegating responsibility or to cover a supervisor’s absence. This may hamper access to a specific device, application, cloud service, etc. and introduce a vulnerability. Strict measures must be in place so that authorization policies are not changed for any individual in any case.
#8: Continuous awareness program
Preparing the BYOx charter and building awareness of the program is not a one-time activity. On a regular basis, every individual must be made aware of any information / data breach incident within the organization due to the BYOx program. If there are similar incidents outside the organization, those should also be conveyed for general awareness.
Every individual must know the benefits of this program. Though they get flexibility through the consumerization of IT, they must also know what benefits the organization is getting through this program.
BYOx is here and is meant for Gen-Y as well as Gen-X (if they adjust themselves to this paradigm shift soon), and the more responsibly they embrace it, the more they and their organizations will benefit from it.
What do you think?
Note: All the blog posts and views in my personal blog are my own and NOT those of my current and previous employers. I am NOT representing any of my organizations through this blog. This blog is just for sharing my findings based on publicly available information related to interesting things happening in the technology area.