Tuesday, March 26, 2013

The mobility conundrum


Take any event, survey or discussion with a vendor, or pick any IT magazine or newsletter, and all of them have something on mobility, and integrally linked to that is BYOD. Mobility has featured prominently among the top priorities in every survey. It has become as much discussed a subject as BITA (Business IT Alignment) was a decade back, if not more. There are views and opinions on everything going mobile, from business processes to commerce, from company to consumer, and everything in between.

With a number of innovative as well as hare-brained ideas vying for attention, there is little to choose between for a CIO. Every one of these comes with a theory and hypothesis to change the world or transform the way business is done and information consumed. These range from recognizing your customers, to agile delivery of information to senior management, to pushing alerts to the sales or distribution teams. The need for instant approvals of various requests is no longer a proposition that cuts ice.

When I met a consultant from one of the big and respected IT and management companies, the dialogue soon veered towards what is happening in this space. Everyone is talking about mobility and the related challenges of managing the device, the security of information and the big issue of non-company-owned devices that connect to the corporate network. He went on to postulate that the future holds a lot of pain for the CIO, who has to manage the diversity with new devices mushrooming every day.

So I challenged him to illustrate what he had seen of the deployments across the companies he had surveyed or the CIOs he had met. What kind of applications are becoming mainstream? Beyond sales force automation, reporting and maybe order entry by field staff, are there other use cases that have gained acceptance? He mentioned insurance agents and banking relationship managers using mobility to sell their services; but these are corporate deployments, largely on laptops, with limited customer information if any at all.

Then, where is the need for mobility? Are CXOs demanding information on sales or other KPIs in real time or by the hour? Are knowledge workers expecting to carry their work from the desktop/laptop to their tablet or phone? Is the shop floor crying out for a mobile device, or is a transactional worker such as a Finance or HR executive expecting work to be enabled on a mobile device? What information and process needs the velocity that mobility enables? And if none need it, then why is mobility a big deal?

Most mobile devices, managed or unmanaged, are connected to the corporate network for email access and to some extent for collaboration (read messenger or chat). Most organizations stopped supplying phones a while back, and very few have procured tablets beyond the sales or field staff. The information the phones carry is corporate email, and almost all users have password-protected their individual or corporate device. Losing a phone mostly leaves the finder with an inoperable device that could be unlocked only by luck, rarely by brute force.

Information contained on tablets could have some value to the finder if, again, access can be gained by bypassing the security. MDM, or Mobile Device Management, solutions are an insurance cover over and above the protection that we all enable on our personal devices. Disabling the email id or Active Directory account will in any case immediately stop email and other information from syncing. Security vendors whipping up paranoia would like you to believe otherwise by painting a grim picture of revenue and reputation loss.

I am not proposing that enterprises stop looking at mobility or mobile security; what I believe is that each case should be reviewed on the business value that can be quantified. Do not base your decisions purely on the spreadsheets that vendors want you to use for TCO/ROI. Stop following the mobile information security hype and deploy pragmatic solutions; you are not following your competitors around to pick up their lost devices, and likewise your competitors are not following your people around. Take care!

2 comments:

  1. Well thought through and well put. Too much hype and euphoria around security, BYOD, ... blah blah.
    Do it if there is a business case and not for the hype. However, one point needs to be taken into cognizance: the field force is completely cut off from the enterprise application. Unfortunately, it is so critical, be it business development or services being carried out in the field, that it does provide a good business case, slowly but steadily. Mobility coupled with Cloud offerings does generate opportunities to connect the field force, and hence it does make business sense. Be a wise mover rather than a first mover. Be grounded in business reality rather than hype; one can extract business value

  2. I think that the risk is beyond device theft. For the specific case of device theft there are very easy methods which can be implemented, like the ones you have suggested, Arun. My submission here is also that anyone who steals the device is not likely to be interested in the information on the device anyway... the first thing that most people do is switch off the device (to prevent device tracking software from doing any harm to them) and reformat the whole device / OS. So device theft leading to information breaches is, in my humble opinion, a very remote possibility.

    However, the risks go beyond just device theft. The risks in most cases are the employees / partners themselves. They are the "aware" users who know exactly which document / email to retain out of the millions and also how it can be used in future. In my opinion, the aware user represents the biggest risk of BYOD.

    To me, device-centric security represents a method of replicating controls that have always existed on corporate-owned and managed devices to personal devices. A method which is doomed, because as an individual I don't like being monitored or controlled by "Big Brother", especially on a device and connection on which I am spending my money!

    Unfortunately that leaves very little choice to the enterprise. The two options are:
    1. Application containers: These are applications (email, collaboration, ...) which are controlled by the enterprise. For example, a "controlled" email application would centrally follow DLP-like rules related to local storage, forwarding etc.
    2. Information Rights Management: These applications implement controls on the data itself, irrespective of the device or the application, and control WHO can use the information, WHAT he can do, WHEN and from WHERE.

    Have a look at:

    http://www.informationweek.in/security/12-06-26/can_irm_solve_security_issues_related_to_byod.aspx

    http://blog.seclore.com/2012/12/to-mdm-or-to-irm-byod-is-question.html#.UVQfbld-Kf0

    Vishal

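The second comment contrasts device-centric controls with rights that travel with the information itself, evaluated on WHO, WHAT, WHEN and WHERE. The following is an added toy illustration of that idea, written for this page; it is not code from the post, the commenter, or any IRM product linked above. The document, the principal names, the validity window, the network range and the request list are all constructed for the example, and the `revoked` set stands in for the disabled email or directory account that the post says stops sync immediately.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class UsagePolicy:
    """The rights attached to one document: WHO may do WHAT, WHEN and from WHERE."""
    rights: dict            # principal -> frozenset of permitted actions
    valid_from: datetime    # WHEN window (timezone-aware datetimes)
    valid_until: datetime
    networks: tuple         # WHERE: ip_network objects the document may be opened from


@dataclass(frozen=True)
class ProtectedDocument:
    name: str
    policy: UsagePolicy     # the policy travels with the document, not with a device


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    action: str             # e.g. "view", "edit", "forward", "print"
    at: datetime
    source_ip: str


def evaluate(doc, req, revoked=frozenset()):
    """Decide one request. Returns (allowed, reason); the reason names the failing
    dimension so an audit log shows why access was refused. `revoked` models the
    disabled account: once a principal is in it, every document stops opening."""
    if req.principal in revoked:
        return False, "principal revoked"
    granted = doc.policy.rights.get(req.principal)
    if granted is None:
        return False, "WHO: principal has no rights on this document"
    if req.action not in granted:
        return False, f"WHAT: action {req.action!r} not granted"
    if not (doc.policy.valid_from <= req.at <= doc.policy.valid_until):
        return False, "WHEN: outside the validity window"
    src = ip_address(req.source_ip)
    if not any(src in net for net in doc.policy.networks):
        return False, "WHERE: source network not permitted"
    return True, "allowed"


# Constructed sample: a sales forecast the field manager may view and print but
# never forward, only during Q2 2013 and only from the (constructed) corporate range.
SAMPLE_DOC = ProtectedDocument(
    name="q2-forecast.xlsx",
    policy=UsagePolicy(
        rights={"field.manager": frozenset({"view", "print"})},
        valid_from=datetime(2013, 4, 1, tzinfo=timezone.utc),
        valid_until=datetime(2013, 6, 30, 23, 59, tzinfo=timezone.utc),
        networks=(ip_network("10.0.0.0/8"),),
    ),
)

IN_WINDOW = datetime(2013, 5, 15, 9, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2013, 7, 15, 9, 0, tzinfo=timezone.utc)


def run_sample():
    """Evaluate a constructed set of requests, one per control dimension, and
    return the audit trail as (principal, action, allowed, reason) tuples."""
    requests = [
        AccessRequest("field.manager", "view", IN_WINDOW, "10.20.30.40"),     # allowed
        AccessRequest("field.manager", "forward", IN_WINDOW, "10.20.30.40"),  # WHAT
        AccessRequest("ex.employee", "view", IN_WINDOW, "10.20.30.40"),       # WHO
        AccessRequest("field.manager", "view", AFTER_WINDOW, "10.20.30.40"),  # WHEN
        AccessRequest("field.manager", "view", IN_WINDOW, "203.0.113.7"),     # WHERE
    ]
    return [(r.principal, r.action) + evaluate(SAMPLE_DOC, r) for r in requests]


if __name__ == "__main__":
    for principal, action, allowed, reason in run_sample():
        print(f"{principal:15} {action:8} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The point of the structure is that nothing in `evaluate` depends on which device the request comes from: the same decision is reached on a corporate laptop, a personal tablet or a stolen phone, and the `revoked` set lets the enterprise withdraw access centrally without touching the device at all. A real product would also have to encrypt the content so that the check cannot simply be skipped; this example only shows the policy side.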