Where networking and knowledge intersect.
Srikanth Ravindran, Rajat Sadana and Deepa Baranwal
The latest trends in IT are endeavoring to make it a remote, agile, flexible and scalable resource. With the advent of cloud, virtualization, remote infrastructures and an increasingly mobile workforce, the world of IT is increasingly becoming consumer-driven.
Consumerization has brought with it a path-breaking yet potentially disruptive concept—bring your own device (BYOD). BYOD allows IT’s customers to use their own devices, such as tablets, smartphones and laptops, and mobile applications to enable business services. It enables the organization’s staff members (operations/field staff and business users) to connect to the organization’s network and access official data on their personal devices.
While organizations view this initiative as a strategy for cost reduction and productivity enhancement, IT departments and security gurus argue that it poses a potential threat to the organization’s control over its data, making it highly vulnerable to security threats, and drastically increases the scope of support due to the vast expanse of devices, platforms and applications that are used. Thus, it is important to bring consensus and adopt a hybrid approach for framing an effective BYOD policy with minimal and clearly documented risks.
This article provides insights on BYOD, its implication to IT and how organizations need to approach and adopt it.
Widespread BYOD adoption is fueled primarily by technology trends and advancements, such as the proliferation of smartphones and tablets, newer platforms (e.g., Windows Metro, iOS, Android), app stores, app streaming and storage in the cloud, desktop and application virtualization, and changing employee preferences (those who find it more convenient to use their private devices for personal as well as professional use). Gartner has predicted that by 2014, approximately 1 billion smartphones and tablets will be sold globally and 90 percent of organizations will support corporate applications on personal devices.1, 2 In a recent report, Forrester revealed that around 60 percent of organizations in the US already permit BYOD.3 Aruba interviewed IT professionals working for 130 hospitals and found that 85 percent of hospitals are providing access to physicians and staff through personal mobile devices.4 Good Technology, in a survey of companies in different segments, found that, among the total number of organizations surveyed across industries, 72 percent of organizations currently support BYOD (figure 1), and across the industries surveyed, the finance/insurance industry has the highest rates of BYOD adoption at 35 percent (figure 2).5
These studies show that organizations across various industry domains are adopting BYOD, albeit at different levels. It is too early to predict what key factors are driving the levels of BYOD adoption. Organizational strategy, budgets, type of IT infrastructure in place, business growth, field user levels, technical support capabilities, resource scalability and business confidence in IT are some of the common considerations to BYOD adoption, irrespective of the industry.
BYOD envisages a win-win situation for organizations as well as employees, given a policy is framed carefully addressing critical success factors and risk. BYOD offers numerous advantages over traditional IT including:
There are also environmental benefits to BYOD: optimum hardware utilization and a reduced carbon footprint by usage of the same device for personal and work use.
Chief information officers (CIOs) face a number of challenges around device control, data security, consistency of delivery, platform/device selection and support creep in a BYOD environment. The catch is to ensure that user experience is unaffected while addressing the following challenges.
Security and ComplianceBYOD may expose the organization’s data to misuse, theft and vulnerabilities. Due to the ability of devices to interconnect and share resources, access to the corporate network is possible for a nonauthenticated device tethered to an authenticated device. Data breaches may also happen if the device gets stolen or lost. It is also possible that data can be transferred or shared through social media, local or personal file and cloud storage, webmail, instant messaging, and other communication channels. This puts confidential data at risk if device usage is not monitored.
Since a BYOD environment offers more flexibility to employees in terms of how the device is used, which apps and software are installed, when to install new updates and so forth, this practice may lead to devices being more vulnerable to attacks compared to organization-owned devices, on which the organization may put restricted policies on all the previously mentioned activities.
BYOD opens up doors to virus and malware injection into the corporate network. An infected user device that was previously connected to an insecure network may expose the corporate network to unexpected security attacks. Thus, firewalls and intrusion-prevention techniques are essential for smartphones and every other device that connects to the corporate network.
Regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), the US Health Insurance Portability and Accountability Act (HIPAA) or the US Gramm-Leach-Bliley Act (GLBA), which mandate safeguarding of data and specify certain rules pertaining to information usage and security, have to be considered before implementing BYOD. According to the requirements of PCI DSS, all devices used in processing payment card transactions must implement encryption and passcode protection. Similarly, the US Health Information Technology for Economic and Clinical Health (HITECH) Act states that health care organizations are accountable for:
Network/Support Capability and Platform CompatibilityBYOD can result in a plethora of additional devices being supported by the IT infrastructure and staff. If BYOD is implemented without having enough staff with the required skill sets and clearly defined boundaries for scope in place, BYOD adoption levels, user satisfaction and user productivity will decrease. New skill sets will also be required for the service desk, application development and maintenance teams because they will no longer be developing apps for a single environment. Applications and their security must be customized to support different platforms across diverse devices. Mobile device management (MDM) is an essential component of BYOD operations, but there are no commercial off-the-shelf (COTS) solutions for MDM that work on every platform. Network upgrades may be needed to support the increased number of devices.
FinancialsA BYOD setup appears to be cost-effective initially as capital expenditure (CAPEX) costs are reduced because of user ownership of the device. However, it may be neutralized by the cost involved in other areas such as planning, implementation, operations and scalability. Hence, realization of cost benefits should be expected over a longer term.
Operational expenditure (OPEX) may increase as users may prefer individual data plans that may be more expensive than company-provided plans, which have the benefit of corporate leases in bulk for telecom services. Also, in the case of company-owned devices, organizations can leverage volume discounts from device manufacturers. BYOD negates those benefits as well.
OPEX may also be higher due to the requirement of telecom expense management (TEM) to track investment and costs in the mobility space. In an organization, non-BYOD setup TEM is addressed by the telecom service providers.
Another consideration for financials is additional support costs, as development of capabilities on newer platforms and technology will require training and skill upgradation. Additionally, employee awareness programs, program/project management, compliance and infrastructure upgrades are other prominent items on BYOD expense sheets.
Employee PrivacyThe IT department’s level of control over a privately owned device may conflict with the employee’s user experience. Defining the boundaries of corporate control over the data residing on personal devices is a major issue. There may be cases where the employee’s personal information is lost due to remote wiping.
In a survey conducted by Trend Micro, 91 percent of employees did not want employers to control their devices in order to access corporate applications, while nearly 80 percent of organizations believed in their need to have authority or control over devices through MDM mechanisms.10
There are also legal aspects regarding device usage in case of a shared environment, such as BYOD, where usage is hybrid with a mix of work-related and personal activities. For example, an employee can install an unlicensed application or access objectionable content that would not have been accessible on an organization-provided device. Such risk factors mandate that an agreement be signed between the employee and the organization to cover the liabilities pertaining to ownership and activities.
An effective BYOD program should strike a balance between user-centric and device-centric strategies. Stakeholders, including customers, organizational functions (such as IT, human resources, sales, legal and marketing), leadership and the executive board, have to be involved in policy framing to avoid loopholes and ambiguity.
In the interest of the previously mentioned stakeholders, the keys to success include:
In a world where sustainable success is increasingly elusive, focusing on increasing productivity through BYOD may be a profitable strategy. That said, integration of BYOD into the existing IT infrastructure is not an easy task. To reap the core benefits of BYOD, organizations need to carry out an initial assessment to verify BYOD readiness, and security and support gaps need to be filled to implement BYOD with acceptable risk levels. A comprehensive approach is essential for BYOD adoption, resulting in IT becoming user-centric, as opposed to its earlier support-centric stance. Capability development and constant knowledge/skill upgrades are key differentiators in providing a superior user experience.
Before implementing, organizations need to consider whether high operational costs may even negate the cost savings that BYOD can bring in the near term. With security policies and employee awareness programs in place, BYOD can bring benefits in the form of user experience, increased productivity, user satisfaction, mobility and reduced CAPEX. Further, data resource management (DRM) can be used so the actions on data can be specified in advance.
BYOD is not a project or a program. It is a commitment to adopting technology and innovation, and as with all other tech initiatives the IT department should be at the center of it fueling business need and advancement.
Though user experience is a key objective of BYOD, the organization’s stakeholders (e.g., its customers and shareholders) are also of primary importance. A breach or misuse of sensitive, customer or financial data could be detrimental to the success of BYOD. Hence, an organization’s BYOD implementation should be based on an effective strategy aligned to its business objectives (e.g., growth, productivity, mobility, faster time to market) with an effective support structure in place, monitored by MDM and data privacy policies since security and support are paramount to its success and scalability.
1 Bradford Networks, “Ten Steps to Secure BYOD,” 2012, www.bradfordnetworks.com/ten-steps-to-secure-byod2 Network World, “Managing Your Employee’s Device,” Special Report, February 2012, www.networkworld.com3 Werth, Whitney W.; “Bitzer Mobile Solves BYOD Security and Usability Clash for Enterprise Mobility,” March 2012, www.bitzermobile.com/press-release-9/4 Op cit, Network World5 IT World, Good Technology State of BYOD Report, white paper, January 2011, www.itworld.com/mobile-wireless/247888/good-technology-state-byod-report6 Joch, Alan; “BYOD: A Cost Saver or a Curse?,” April 2012, www.biztechmagazine.com/article/2012/04/byod-cost-saver-or-curse7 Gourley, Bob; Alexander Olesker; “The Current State of BYOD,” May 2012, http://ctolabs.com/2012/05/currentstateofbyod/8 Op cit, Network World 9 Unisys Corp., “Unisys Empowers Employees With Anytime, Anywhere Access to Mission-critical Applications,” 2012, www.unisys.com/unisys/common/download.jsp;jsessionid=D686D96891546594833F030CCA056305?d_id=1120000970022510165&backurl=/unisys/ri/cs/detail.jsp&id=112000097002251016510 Trend Micro, “Bring ‘em on!”—The Consumerization of Enterprise Mobility, white paper, 2011, www.trendmicro.com/cloud-content/us/pdfs/about/wp_bring-em-on-the-consumerization-of-ent-mobility.pdf11 Op cit, Unisys 12 Cobb, Stephen; “BYOD Infographic: For Security It’s Not a Pretty Picture,” 4 April 2012, http://blog.eset.com/2012/04/04/byod-infographic-for-security-not-a-pretty-picture13 Op cit, Network World14 Dimensional Research, “Consumerization of IT Survey 2011,” September 2011, www.kace.com/~/media/Files/Resources/Analyst-Reports/Consumerization-of-IT-Survey-2011.ashx
Srikanth Ravindran is a service management/ information security consultant and ITIL practitioner with Infosys Ltd. Ravindran has the ITIL v3 Intermediate and COBIT 4.1 Foundation certificates. He can be contacted at firstname.lastname@example.org.
Rajat Sadana is a process consultant with Infosys Ltd. He is an ITIL expert and holds the ITIL v3 Intermediates, ITIL v2 Practitioner and COBIT 4.1 Foundation certificates. Sadana can be contacted at email@example.com.
Deepa Baranwal is an associate process consultant with Infosys Ltd. and holds the ITIL v3 Foundation Certificate. She can be contacted at firstname.lastname@example.org.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2013 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.