Building “Bring-Your-Own-Device” (BYOD) Strategies
This is the first part in a series designed to help organizations develop their “BYOD” (bring-your-own-device) strategies for personally-owned smartphones and tablets. This chapter provides an overview of eight components that our customers have found to be the foundation of a secure and scalable BYOD program.
Many organizations are considering personally-owned mobile devices for business apps. Their goal is to drive employee satisfaction and productivity through the use of new technologies, while simultaneously reducing mobile expenses. This BYOD trend is one of the more dramatic results of the consumerization of IT, in which consumer preference, not corporate initiative, drives the adoption of technologies in the enterprise. However, many of these technologies were not built with enterprise requirements in mind, so IT teams often feel uncomfortable about security and supportability.
Within the MobileIron customer base, we have seen a broad spectrum of BYOD approaches, ranging from top-of-the-pyramid, where a small set of executives or technical staff get to use their own devices, to broad-scale, where BYOD is opened up to a larger percentage of the employee base. In many organizations, employees are now offered a choice between a corporate-funded BlackBerry or a personally-funded iOS, Android or other new-generation device.
In her Spring 2011 presentation, “Bring Your Own Mobility: Planning for Innovation and Risk Management,” Monica Basso, Research VP at Gartner, Inc., predicted that by 2014 “90% of organizations will support corporate applications on personal devices.” As a result, IT teams are preparing for a mixed-ownership mobile environment.
But BYOD is more than just shifting ownership of the device to the employee. It has many complex and hidden implications for which a strategy needs to be defined in advance of implementation.
Based on the experience of our customers, this paper outlines eight major components for successful BYOD strategies:
- Sustainability
- Liability
- Economics
- Device choice
- User experience and privacy
- Internal marketing
- Trust model
- App design and governance
Sustainability
BYOD is new to most organizations and, as a result, best practices for implementation are just now being developed. One of the traps many fall into is establishing a rigid set of BYOD policies that is not sustainable over the long term. To be sustainable, BYOD policies must meet the needs of both IT and employees for:
- Securing corporate data
- Minimizing cost of implementation and enforcement
- Preserving the native user experience
- Staying up-to-date with user preferences and technology innovations
We see organizations focusing the majority of their time and resources on the first two requirements. But the latter two are much more important for sustainability in the long term. If the BYOD implementation damages user experience or quickly becomes dated, employees will either find a way to circumvent policy or end their participation in the program. In both instances, the needs of neither the employee nor the company are met – either security is compromised or business value is lost. User experience is the litmus test for policy sustainability. If it breaks, so does the program.
Device Choice
The primary catalyst for BYOD is that employees have personal preferences for devices other than those that the enterprise has traditionally provided them. The most common example is an employee who has a corporate-owned BlackBerry for work, but a personal iPhone or Android device at home, and would prefer to carry one device instead of two. However, in a world where consumer preferences shift annually, or even quarterly, and the mobile device and apps landscape itself evolves constantly, defining how much choice to allow employees is difficult. Building a policy around device choice requires:
- Analyzing employee preference and understanding which devices they have already bought: A BYOD program that doesn’t support current and intended purchases will have limited appeal.
- Defining an acceptance baseline of what security and supportability features a BYOD device should support: The goal is to include all employees’ desired mobile platforms in the program, without creating security gaps or support headaches. The acceptance baseline generally includes asset management, encryption, password policy, remote lock/wipe, and email/Wi-Fi/VPN configuration. Without these fundamentals, the mobile platform is not viable for the enterprise. The more advanced list generally focuses on app-related functionality and advanced security such as certificate-based authentication. The device platforms that match the advanced list get access to a higher level of enterprise functionality in the BYOD program.
- Understanding the operating system, hardware, and regional variances around that baseline: On Android especially, similar devices may actually support very different capabilities based on the ...