A little chat about BYOD

We need to talk about BYOD. Step into my office please.

Now I know it is a changing world, and you now carry fabulous power and productivity in your pocket. And I know that at work you want to use the platform you control and are familiar with and have configured to your tastes. I can see that. I feel the same way.

What you need to bear in mind is that we are running a business here and the first priority of that business is to stay in business, not to maximise your personal experience of being here. When you come in here - whether as employee or consultant or client or visitor - you play by our rules.

Those rules have been adopted to strike a balance between protecting the company's existing value and taking the company forward. It is a tradeoff of risk versus new returns.

In that context, this company makes certain decisions one way or the other. New opportunities present themselves to save or improve or grow, and this company - the governors and managers - makes a decision on whether to take the risks involved in those new opportunities or not. You don't, not unilaterally.

So if the company decides that the risks of BYOD to our organisation exceed the benefits (at least for now), you are expected to abide by that decision like any other. In different organisations the balance will be different and they may embrace BYOD right now with open arms. Good on them. We can't, not without unacceptable risk to the existing business. Our data is highly sensitive; we are vulnerable to negative PR right now; and we have complex legacy systems that are taking some untangling to virtualise and to expose to the web. We play the cards we are dealt.

There is no point throwing a tantrum and saying you want your iPad. You can't have it ... for now. And don't be threatening to go work somewhere else. If your only interest is what personal toys you are allowed rather than how we can work together for mutual benefit within the conditions that exist here and now - if your perspective is so self-centred that you would leave over an issue like BYOD - then you'd be better off someplace else for sure.

We'd love to adopt BYOD but that isn't going to happen until we have four things in place:

  • Adequate protection of our existing data assets, especially against viruses and hacking
  • Adequate control over BYOD devices, especially the ability to trace and disable them when you lose them: this needs to be available across the breadth of all supported BYOD (which means pretty much everything if it is really BYOD), at least to the same standard as the company's existing mobile desktops and possibly more, since the proliferation of devices will increase the risk.
  • Virtual desktop. This is the biggie: if we can't deploy our apps to a wide range of devices then BYOD is of much less value.
  • And finally, clear, well-considered policy: standards, rules, bounds, expectations.

No, this isn't IT's fault. This isn't IT's decision either, just as it isn't yours. This question has been escalated to the highest levels in the company, to those authorised to make the call, based on the advice of IT, HR and the lines of business. So stop blaming IT if you don't get BYOD.

You aren't allowed to bring unauthorised visitors onsite; to share company information without approval; or to speak on the company's behalf. I want you to be very clear when you walk back out that door that it is equally unacceptable to connect an unauthorised and uncontrolled device to the network. We aren't going to waste resources trying to make it impossible for you to do that: we expect you to behave in a professional manner as part of the company's community. Just because you can make it work technically does NOT mean you have permission, any more than the fact that you can open the doors means you can bring in who you like.

Equally you should understand we are not stupid (I'd appreciate it if you desisted with observations to the contrary). We understand the benefits of BYOD. We understand that the biggest benefit is to improve your experience and productivity. We're not denying you that because we like to, but because we have to for now. Accept that: it is part of the rules of working here. And accept that IT are working as fast as they can within the conflicting constraints we put on them of reduced funding and high expectations. They know they have to deliver BYOD. You need to be patient.

In the meantime IT can do certain things to give you "partial BYOD", such as the new internet-only WiFi. But we know that's not what you want.


BYOD is a great thing, and we'll get there. If only business could change as fast as the home consumer experience eh? But it doesn't. Stop trying to equate the two. You're at work now, not playing.

Hey, but keep asking. BYOD is important, and you have a good business case: there are benefits to this business as well as to you. Just don't expect the world to change in a day ok? It might at home but it doesn't here.

This post was inspired by some brisk debate on and around a twitterchat for itSMF Australia: thanks to all the participants.

Comments

I ran out of room on twitter

I ran out of room on twitter trying to explain my perspective on BYOD. The 'device' is a red herring here - what matters is: does the business need it, and if so how will IT deliver it?

The business has to front up the costs to implement governance, processes etc. around BYOD and accept any risks. It might mean other projects are dropped or delayed, but that's a prioritisation issue.

I remember when wireless first came out - the business wanted it, IT was twitchy about security, compromises were made.

I worked for one org where an over-zealous IT person disabled 'out of office' functionality on the email service. He'd heard people got burgled if they put a response on to say they were on holiday. The business wanted it - the business accepted the risk - the business got it.

In many orgs the business is forging ahead and bringing devices and it's being accepted - but the first major security breach will change that quickly.

BYOD is happening, it is here, now businesses need to find out if they need it, and if so how it will work for them.

Claire

proper Enterprise Governance of IT

Thanks Claire

You are saying pretty much the same as me, except I really want to bring out one key point:

It's not IT's decision. Over-zealous email administrators turning off out-of-office is wrong: who the hell do they think they are? And "over-twitchy" security admins killing initiatives is equally wrong: I recently had a client security guy play the security 'trump card' in a bank to (temporarily) kill a wifi initiative. The wifi will get through eventually because it makes sense, but what an ass to over-play the risk card: crying wolf only weakens the message when there REALLY is a serious risk in future.

But that's not my key point. It is not "the business's" decision either, in the sense of IT peers in lines of business. Lines of business don't have the right to accept risk and cost on behalf of the whole organisation, by for example issuing iPads to all of their team against organisational policy. Having a marketing manager say "oh sure we'll accept support responsibility ourselves, it won't be on IT" is like my son saying "If we get a puppy I promise I'll pick up all the poos". Yeah right.

The key point is that proper Enterprise Governance of IT means that the decision is taken at a sufficiently senior level to balance the viewpoints of the customer and the provider, and then to make a balanced decision of risk/cost against value/enablement.

That's simply not happening in many organisations. Either pouting whiney users get their way, or truculent grumpy techs get theirs. Either way it's dysfunctional.

It is true the IT

It is true the IT infrastructure of many organisations dates from 2002. They don't have the capability to approve BYOD without major risk and cost. That is the whole point of the post.
The need for BYOD cannot be addressed everywhere within the current crippling economy. We must make do with dated infrastructure. It's a fact. Deal with it.

whether BYOD is possible

To be clear: my point is not debating whether BYOD is possible. Please don't engage me in debate on what we "have to do". We all know what we have to do, we all know BYOD is inevitable.

The problem is that if a technology exists somewhere or someone can imagine a process, then people think it has to magically blink into existence in an instant right now in real organisations just because they say it should. The world doesn't work that way.

In the real world, companies must consider existing risk right now. In the real world companies must allocate resources to competing projects. Many companies are NOT ready for BYOD now. And many have more important things to deal with now.

Throwing the toys out of the cot doesn't change that.

BYOD: the device is "irrelevant"

I disagree with a comment I saw that the device is "irrelevant". It is only irrelevant when our security and management systems mature to the point where it is irrelevant. I know next to nothing about security but I believe that is a long way off in most organisations. I know more about support and I know there is a lot of thought required to create the capability to support an unconstrained range of devices.

Emotional

Interesting post on Google+ from Chris Dancy, at least partly in response to this post.

It is my belief you can look at these topics as:

1. Someone who wants to SIDE with business
2. Someone who wants to SIDE with humanity

Personally, I will not enable the jobs program anymore for IT...

To protect the asset, you can't start by acting like there is a MAGIC policy or HR action that will make this go away. You can’t build WALLS to stop, keep or start information in 2012.

That wall can be a policy, a BYOD ban, blocking access to the outside world.

The walls we think we are helping build do nothing but prolong a problem with “THE ASSET” itself.

It is the BUSINESSES position to PROTECT THE ASSET at the asset level.

Which means, SECURE the information.

Great examples of this are: Remote wipe, Encryption, Geo Tracking.

These examples actually protect the business...

The business can't control my superior memory (THE DEVICE) where I see and remember all "THE ASSETS". The business can only treat me well and hire me knowing my ethics are sound...

For the world of IT "professionals" to now "invent" a problem that needs control, while quaint, seems a bit based in fear.

Are we as IT professionals so lost for actual skills that we need to use fear to generate business?

Read Chris's full remarks here. I'll share with you what my response was:

I think the analogy to a smoking ban is a good one: you can't BYOD if it puts your fellow employees at risk; you don't have the right.
The analogy breaks of course because smoking puts others in danger everywhere, and BYOD puts others at risk only in those organisations that are not prepared for it.

It is a management and possibly governance decision as to whether the benefits of BYOD exceed the risks and costs of adopting it. That decision would be under constant review as the organisational readiness improved.

Yes much of that readiness comes down to InfoSec within IT, but you are laying the blame for any ban on BYOD at InfoSec's door which shows you haven't understood my post. The business makes (or should make) the risk/value call like it does for any other.

Emotional appeals to data liberation or whatever are not rational or useful. A business makes its decisions based on the current state it finds itself in. Bra-burning demands to set the desktop free will not instantly roll out adequate information security (or virtual desktop, or device policy - the other requirements I listed which you have ignored). It takes time and resources to get to the point where that can happen.

IT (and others) work with finite time and resources to address many competing demands, of which BYOD is one. If a particular organisation is not currently in a position to say they are ready for BYOD right now, then that is an organisational decision. If you ignored that decision I'd discipline you just as if you ignored any other decision made by your employer.

I love the tone...

...of both Rob's original post and Chris's.

I wish more corporate communication was so d**n real rather than being couched in language we think sounds official and authoritative.

Reading them both though I did find myself wondering if they both fall foul of the inherent breadth of meaning being loaded on to the BYOD acronym.

There are sites I go to, typically TCS ones from which we provide services to clients, where the policy is absolute; nothing that might compromise comment security is allowed past reception, whether it is a smartphone, a camera, a USB stick or a laptop. LYOAH.

At the other extreme is the move, more protestant in the USA, I feel, for users to provide all their own IT equipment, especially if they are homeworkers or road warriors.

Then there is the middle ground. Those who bring smartphones in to work with no intention to connect to the corporate network, but might still integrate the use of the device with business activities, perhaps using them to access websites that are blocked by the corporate firewall - like my blog, for example.

The corporate communication needs to give clear guidance on what is and isn't acceptable use of BYOD.

Defining BYOD

Good point. Like all debates this one thrives on lack of definition of terms.

I can see how BYOD can be widened to mean "bringing something digital onto the premises" but that dilutes the term to the point of uselessness (something we are good at in IT).

To me BYOD at a minimum is one or more but not necessarily all of:

  • Having a copy of corporate data on the device, e.g. emails, spreadsheets
  • Accessing the network behind the firewall (More than internet-only access) including
    • VPN access
    • intranet-only browser-based systems
    • virtual desktop
  • Running application clients

BYOD by accident

I suspect, going by those definitions, some organisations have enabled BYOD without realising it. In fact I can think of at least one whose solution, intended only to allow access to the corporate network for users of company laptops, actually allowed access from any device (though with the need for an RSA token).

Many supplier organisations also have to allow users on customer sites to access their own corporate systems via machines belonging to the client - raising a security issue for both parties.

Perhaps that offers a lateral thinking solution:

"We would love to let you connect your smartphone, with all your important personal information on it, like your online banking details, to our corporate system, but the truth is we just can't guarantee our corporate system is secure and we would hate you to find your precious personal data corrupted or compromised."

Another catch with BYOD...

...is that some of us clearly find typing on smartphones a challenge, and shouldn't trust predictive typing.

Among other typos "At the other extreme is the move, more protestant in the USA" should of course read

"At the other extreme is the move, more prevalent in the USA"

"protestant" scanned

"protestant" scanned perfectly for me

A lovely, well-reasoned speech

And also utterly ineffective. IT could not prevent end-user technology initiatives even back in the days when it had 100% control of all hardware on the premises. Now that most users are carrying around more computing power in their pocket than they had on their desks circa-2000, the battle is lost. Fighting it is just going to take time and resources that might be more productively spent addressing your four preliminary conditions.

It's no use lecturing the users, they either know better or think they know better and are going to do what they can get away with to make their own jobs easier. Until IT understands that it has utterly lost the initiative and starts thinking about how it can get ahead of the trend-line, it is going to be viewed as just another bureaucratic obstacle and will be routed around by users with more creativity and initiative and personal or professional incentives to use their own tools on the job. Executives with a similar view of IT's role and capabilities are equally likely to be disappointed.

I'm not suggesting this is right or proper, but simply that it is true. Incentives are the ultimate control. Successful organizations will provide, rather than attempt to deny, them.

isn't from IT, it is from an executive

I think you missed the point of my post. The lecture isn't from IT, it is from an executive. IT is in the third person. BYOD isn't an IT issue.

If a company can't get control of its own employees then it has deeper issues than BYOD.

If you read the post more closely you will see that I explicitly say IT shouldn't "fight" BYOD, that is indeed a waste of resources.

Let me explain it again.

This is a business decision. If the risks are high enough (or opinions conflicted) in an organisation then it may need to go all the way to the Board for a decision.

If a company decides that BYOD is the way to go, then it needs to adequately resource IT to support and enable that, and IT must honour the decision and deliver BYOD.

If the company decides the risk (or costs) are too high, then an executive decision has been made and the employees should ****ing honour that like they do any other policy in the company. They can't unilaterally decide to smoke, harass workmates or BYOD.

Unilateral business decisions

I like it and totally agree - BYOD needs to be decided outside of IT, with IT supporting the decision. Which *might* mean supporting staff use of their own devices, if that is the decision, but may also mean enforcing a ban.

If you want to make unilateral decisions about how a company operates - create your own company, or become management / director.

Ross & Weill wrote an excellent article back in 2002, "Six IT Decisions Your IT People Shouldn't Make". I think this would be a seventh (google it - it's an HBR article - well worth reading).

It's NOT ok to moan to and bully colleagues in the IT department who are charged with carrying out the executive decisions.

If you want to sneak around and undermine governance decisions - then that's not OK either, but apart from reporting incidents, any action that follows isn't an IT issue either, it's an employment one.

BYOD is already there

Hi Skep,

I partly disagree, and you are right if it is about my new iOS or Android device replacing my standard desktop.

But what is so appealing about the new class of devices coming up? Let's stay one second in home user computing. I can read my e-mail, update Facebook and listen to my music using a phone. But does it replace my desktop at home? No. The final thesis, formal letters and so on will be produced there.

Now switch to the business environment. BYOD technology is already there. Most companies offer partner gateways, starting from simple HTTPS portals up to highly sophisticated collaboration platforms. And yes, the business partner will bring his own device. Maybe not a fancy one :-) And also your IT will not control their devices.

As an employee it is about doing e-mail, amending the last words in a document, updating a project plan, using an eBook reader for documentation, checking reports on a tablet. And I tell you, if the report application is a 100-year-old MS Access one and I have to start a virtual desktop or streaming client for this, forget it.

The most important question, which in most companies is not solved, is getting control of your content. Split it into domains and open a new "employee device" one. I know a lot of security policies talk at length about it, but in real life there is nothing in place. It is a matter of establishing this in the culture.

Best Regards
Werner

goodbye

hahahahaha. You obviously don't do any work while at work and qualify to be fired. If all you do is "amend" words then you should be fired now.
