Take any event,
survey or discussion with a vendor, or pick any IT magazine or newsletter, all
of them have something on mobility and integrally linked to that is BYOD.
Mobility has prominently featured in the top priorities in every survey. It has
become as discussed or more a subject as BITA (Business IT Alignment) was a
decade back. There are views and opinions on everything going mobile from
business process to commerce from company to consumer and everything in
between.
With number of
innovative as well as hair brained ideas vying for attention, there is little
to choose from for a CIO. Every one of these comes with a theory and hypothesis
to change the world or transform the way business is done and information
consumed. These range from recognizing your customers to agile delivery of
information to senior management or pushing alerts to the sales or distribution
teams. The need for instant approvals to various requests is no more a
proposition cutting ice.
When I met a
consultant from one of the big and respected IT and Management companies, the
dialogue soon veered towards what is happening in this space. Everyone is
talking about mobility and related challenges of managing the device, security
of information and the big issue of non-company owned devices that connect to
the corporate network. He went on to postulate that the future holds a lot of
pain for the CIO who has to manage the diversity with new devices mushrooming every
day.
So I challenged
him to illustrate what he has seen of the deployments across companies that he
has surveyed or CIOs met. What kind of applications are becoming mainstream ?
Beyond sales force automation, reporting and maybe order entry by field staff,
are there other use cases that have gained acceptance ? He mentioned insurance
agents and banking relationship managers using mobility to sell their services;
but these are corporate deployed and largely laptops with limited customer
information if at all.
Then, where is
the need for mobility ? Are CXOs demanding information on sales or other KPIs
real time or by the hour ? Are knowledge workers expecting to carry their work
from the desktop/laptop to their tablet or phone ? Is the shop floor crying for
a mobile device or a transactional worker like Finance or HR executive
expecting work enabled on a mobile device ? What information and process needs
the velocity that mobility enables ? And if none need it, then why is mobility
a big deal ?
Most mobile devices,
managed or unmanaged, are connected to the corporate network for email access
and to some extent on collaboration (read messenger or chat). Most
organizations stopped supplying phones a while back and very few have procured
tablets beyond the sales or field staff. The information the phones carry is
corporate email and almost all users have password protected their individual
or corporate device. Loss of phone gets the finder mostly an inoperable device
which could get unlocked only by luck, rarely by brute force.
Information
contained on tablets could have some value to the finder if again access can be
gained bypassing the security. MDM or Mobile Device Management solutions are an
insurance cover over and above protection that we all enable on our personal
devices. A disabled email id or active directory will anyway prevent email and
other information sync immediately. Security vendors whipping up paranoia would
like you to believe otherwise by painting a grimy picture of revenue and
reputation loss.
I am not
propagating that enterprises stop looking at mobility or mobile security; what
I believe is that review each case on the business value that can be
quantified. Do not base your decisions purely on the spread sheets that vendors
want you to use for TCO/ROI. Stop following the mobile information security
hype and deploy pragmatic solutions; you are not following your competitors to
pick up their lost device, likewise your competitors are not following your
people around. Take care !
Well thought thru and well put. Too much hype, euphoria around security, byod,.... blah blah.
ReplyDeleteDo it if there is a business case and not for the hype. however, one point needs to be taken into cognizance - field force are completely cut off from the Enterprise application. Unfortunately, is is so critical be it business development or services being carried out on the field it does provide for a good business case slowly but steadily. With mobility coupled with Cloud offerings do generate opportunities to connect the field force and hence it does make business sense. Be a wise mover rather than a first mover. Be grounded in business reality rather than hype - one can extract business value
I think that the risk is beyond device theft. For the specific case of device theft there are very easy methods which can be implemented like the ones you have suggested Arun. My submission here is also that anyone who steals the device is not likely to be interested in the information on the device anyways .. the first thing that most people do is switch off the device ( to prevent device tracking softwares to do any harm to them ) and reformat the whole device / OS. So device theft leading to information breaches is, in my humble opinion, a very remote possibility.
ReplyDeleteHowever, the risks go beyond just device theft. The risks in most cases are the employees / partners themselves. They are the "aware" users who know exactly which document / email to retain out of the millions and also how it can be used in future. In my opinion, the aware user represents the biggest risks of BYOD.
To me, device centric security, represents a method of replicating controls that have always existed in corporate owned and managed devices to personal devices. A method which is doomed because as an individual I dont like being monitored or controlled by "Big Brother" specially a device and connection on which I am spending my money !
Unfortunately that leaves very little choice to the enterprise. The two options are :
1. Application containers : These are applications ( email, collaboration, .... ) which are controlled by the enterprise. For example a "controlled" email application would centrally follow DLP like rules related to local storage, forwarding etc.
2. Information Rights Management : These applications implement controls on the data itself irrespective of the device or the application and control WHO can use the information, WHAT can he do, WHEN and from WHERE.
Have a look at :
http://www.informationweek.in/security/12-06-26/can_irm_solve_security_issues_related_to_byod.aspx
http://blog.seclore.com/2012/12/to-mdm-or-to-irm-byod-is-question.html#.UVQfbld-Kf0
Vishal