I was reading Larry Dignan’s ZDNet article (link at the end) on the security implications of Bring Your Own Device (BYOD), and thought I’d take it a bit further. For a while now I’ve been thinking that BYOD has some serious issues in general, and is specifically a symptom of the ongoing war between risk-averse IT and personal productivity in the enterprise.
1. A company still has to provide computing equipment to everybody who doesn’t BYOD.
Lots of people aren’t going to bring their own device, because they don’t have one, or aren’t paid enough to buy one. As such, a company is going to have to provide them one anyhow.
2. Everybody is going to buy all sorts of different equipment, nullifying all standardization.
If you let everybody buy their own equipment, or force them to, everybody is going to buy different stuff. You’ll get every screen resolution imaginable, every hard disk size, every keyboard layout, every network card, every OS. Try having your support staff explain to someone how to connect to the wireless network – there will be 87 different ways to do that. That app window your sales person can’t find? Yeah, it’s because their screen is too small. The list is endless.
And if you try to standardize, what’s the point of BYOD then? Just do it for them. Besides, there’s a comparative advantage in letting an IT staffer do this work. Your sales guys are good at selling, not picking out a new computer. Let someone who is good at picking out computers do that, while the rest of the employees do the jobs they were hired for.
3. All the different equipment is going to have different lifespans and warranties.
A company is going to have to maintain a fleet of loaner devices anyhow, to cover employees for the six weeks it takes for the device to be mailed to the manufacturer for a repair.
4. Your corporate IT staff will now be supporting people’s home computers.
If the device they bring is a mobile one, it’s likely to be their home PC, too. I can just imagine the case of “Farmville doesn’t work right anymore,” though. No matter how dumb that situation seems, it’s important to the user, and you’ll have to deal with it professionally and expediently.
5. Very few people in an enterprise can effectively support their own device.
Enterprises are built on people who might be good at their jobs but whose home computers are infected with spyware, who have 4 toolbars installed in each browser, and who haven’t run Windows Update in years. Why is it a good idea to trust the corporate network to these people?
And, as with the other points, if you’re going to manage it for them, why even BYOD?
6. There are all manner of security problems with these devices.
Desktop virtualization and other means of smoothing out the differences between devices are still susceptible to problems like keystroke loggers. Knowing how poorly IT staff do with keeping up with patches on servers, and securing sensitive data in general, I’d be very afraid if people were bringing their own devices inside the corporate firewall. It also means that you might not get a chance to remove things from their PC before an employee quits (or loses the device).
7. Who owns the device?
If the company gave me money for it does it belong to them? Do I have to give it back when I leave? Can I do whatever I want with it? If it’s mine why can’t I have administrator rights on it? Whose responsibility is it to back it up? What if I want to attach a device to it?
Aside from all those questions, I can see a whole slew of lawsuits over search histories, personal photos, music, etc. I don’t want corporate IT knowing what I’m doing with my PC off-hours. It’s none of their business, but they will make it their business if I bring that PC to work with me, or if they provided the funds or a loan for it.
“I know it’s your laptop, but we noticed that in your search history you viewed pages concerning Chinese human rights violations two nights ago. We can’t have you jeopardizing our relationships with our suppliers – you’re fired.”
8. The whole reason people started the BYOD trend is not because of the device, it’s because of what corporate IT does to devices, making them slow and horrible.
If they’re going to take my awesome i7 laptop, lock me out of it, and turn it into a 486 with their typically horrible enterprise management software, I’d rather they give me one of their own that’s pre-crapified and leave mine alone.
Now that I’ve said all that, I do think devices like iPads and iPhones can really improve productivity for folks, even if it’s just enabling iOS-friendly mail & calendar services. Thing is, you end up having to trust your users at some point, and that’s the tough part for risk-averse organizations. But, if you pick the right users, educate them, and trust them but hold them responsible, they’ll be happier and more productive. This isn’t the first grade, and just because one responsible employee can do something doesn’t mean you have to let everyone else do it. Pick the right people, set some guidelines for security & access, and let them earn your trust.
Seems to me that, overall, BYOD is just a symptom of other problems. I think most companies facing a BYOD situation might try quashing it by showing more concern for the user experience on their corporate desktops and laptops. When is the last time an IT person asked a user what they thought of their desktop? Perhaps it would help to just ask the employee why, exactly, they want to bring their iPad in, and then actually listen to the answer, even if it hurts. To some, BYOD might just mean being able to choose a better email client, play Angry Birds over lunch, or, God forbid, to be able to change their wallpaper.
Users who don’t have to fight their PCs to get work done, and are treated with a little respect and trust, might actually be happier and more productive. I don’t see how that’s a bad thing.
- Bring your own device trend spooks enterprise security folks. – ZDNet
- Bring your own device to work is finally here – Fortune
- Comparative Advantage – Library of Economics and Liberty
Can a lot of these issues be at least partially addressed by BYOD, but IT provide a standardized virtual image they can run (via VMWARE PLAYER, Virtual Box, Microsoft Virtual PC etc)?
There is some interoperability with these virtualisation tools, so the user should be able to run the ‘corporate image’ whether using an OSX, Linux or Windows native OS on their Own Device.
Yes, that addresses some of the issues, but not a lot of the security problems inherent in having an underlying, unmaintained OS.
There is one potential way around some of these BYOD issues and that is to implement client hypervisors such as NxTop (http://www.nxtop.co.uk). With this, the company can set a requirement that any equipment purchased must match a compatibility standard from the HCL or by running a check tool before purchase. The hypervisor is placed in a dual-boot scenario so that the corporate image works on completely standardised virtualised hardware and is maintained completely separately from the user’s own personal OS. This could happen in a couple of ways: it could be the user gets a personal OS running on the hypervisor kept separate from the work OS, or it is a locally installed OS and when at work they boot into the work hypervisor and standard build.
With backup, encryption, remote updates and the standardisation across hardware that it provides, for those that do want to go down the BYOD route, it is an ideal way to overcome many issues.
The company cannot mandate its employees to buy their own personal computers following a set of enterprise requirements. This BYOD idea is ridiculous and I’m not overstating that.
I never said I was a fan or that companies should mandate this. For me it is more for those employees that want to do this or those companies that feel they want to offer the option to their employees. Nothing wrong in offering the options but putting a few parameters around your ability to support that model. We aren’t a million miles away here from a company car policy where a car allowance is offered where you can buy any car you please as long as it meets the base requirements for work as well as being suitable for the personal usage you would like to use it for too. Why should someone be forced to have two of something because work refuses to let them use the company provided one for any kind of personal use?
With the solution I proposed via http://www.nxtop.co.uk you had two options; a personal workspace that the company allows you free rein over and/or a personal use laptop with a controlled and separate work environment. Some organisations will do this whatever your personal opinions on it, these are simply options to help this be achieved in a way that is most beneficial.
The BYOD concept can be insulting to IT in that it belittles the knowledge and experience that IT is there to provide as a benefit to the company. The root idea (to give people more freedom and control in the workplace) is a good idea, but allowing people to use whatever device desired is too liberal of an approach in my opinion. As you’ve pointed out, such an approach also blurs quite a few lines and policies, which creates conflict and overhead which is detrimental to the business in a soft cost sort of way.
Just as you don’t want your IT department leading sales calls, I don’t think it’s wise to have your sales guy deciding his computing resources. Give the sales person a say and listen to him, sure, but not BYOD.
This post resonated with me as I got a call the other day asking what our “enterprise ipad strategy” was…. Sheesh…
There are some valid points here. As a fan and user of BYOD I do think that this is looking at it through the lens of the current user base. When I look at my 3 teenage children I see a very different world. They (and the majority of their friends) do have personal devices, they know how to connect them to every conceivable wireless network, including the ones they are not meant to, they would never consider asking some help desk about connecting, they would look for a YouTube video on it first.
Yes, IT are going to still need to provide machines for some (especially us legacy workers). Also in the future we are going to be working more across entities rather than for single ones, so the device being more user associated than corporate will become wider.
As applications and interfaces become more standardised the compatibility issues will hopefully become less.
Great topic though. I suspect my children won’t be discussing it though, they will just find an employer who lets them BYOD over one that does not. To them, it’s a lifestyle choice that’s a decision maker.
Rodos
Hi Bob,
I think that your points are extremely biased, assuming the BYOD trend is an all-or-nothing debate. It’s not, there will be many gray areas in and between full corporate control / ownership versus complete BYOD. Many of the issues that you have presented are not even valid. For instance, does equipment standardization even matter if the organization takes a strategic approach to provision cross-platform web applications? Probably not. Many of your other points assume the organization takes responsibility for the BYOD device, which is not usually the case; organizations usually pursue BYOD programs to offload responsibility to the employee, as well as attract and retain tech-savvy talent.
Mobile device management, mobile application management, network access controls, device provisioning (either by corporate or self-provisioning), thin-applications, web applications, VDI, and many other technologies will form a complex environment allowing corporations to pick and choose what makes the most sense based on their business processes and operations.
I would like to recommend this article from the EMF for a great perspective on this topic.
http://theemf.org/2011/05/20/inside-looking-out-an-executive-view-on-enterprise-mobility-with-bob-tinker-revisited/
Great discussion on this topic. Thanks for writing about it and fostering the conversation. Many organizations are trying to evaluate these exact concerns and this is a very relevant topic.
Cheers,
Andrew vonNagy
@revolutionwifi (Twitter)
My points are extremely biased, mainly because a lot of the BYOD coverage (especially early coverage) talks about what a panacea it is to offload this responsibility to employees. I was pretty shocked to see big companies talking about, or actually doing, the whole desktop as BYOD, rather than just dealing with mobile devices (which is what I’ve always considered as part of BYOD). While I wanted to represent an opposing viewpoint, I also didn’t want to take the “sky is falling” attitude that tech journalists constantly take. Perhaps I went a bit far one way, but if it gets people talking…
I do think a company that has a blanket BYOD policy is making a mistake, purely because most organizations are not filled with tech-savvy people. Permitting this for those capable individuals is a great starting point, and I think companies should be looking at it from that point of view. Enabling those employees that are capable of being enabled is a good thing. Foisting the responsibility of purchasing and managing a device on someone who isn’t capable of doing it well is a costly mistake.
I guess I’m not disagreeing with you as much as you might think. It fits nicely into my constant recommendations for rolling out virtualization and other technologies: start small and go slow until you know what you’re doing. That also gives IT time to become more flexible, accommodate more mobile devices, and get used to the idea that an IT solution for one employee doesn’t need to fit another employee.