Consumerisation of IT has been a popular recent discussion point, and it is the encroachment of consumer mobile devices – in particular smartphones and tablets – that appears to be causing most passion. The pro argument generally starts with one of the following: employees are already used to better tools in their personal life, we have to do this to recruit a younger workforce, our brand will suffer if we’re not seen as leading edge, or it’s cheaper.
Whatever the reality or merits of the first three, the last point deserves closer investigation along with the impacts on organisational security. The problem is that allowing employees to pick, choose, buy and bring their own mobile tools into the workplace seems like a simple outsourcing of a particular procurement issue to someone who cares more passionately about it. However, it brings a lot more complex baggage than the neat little black or white cardboard box the hardware arrives in, and it divides into three significant aspects of mobile consumerisation – device, contract, content.
Device is the part that most focus on, and why not? It’s the shiny gadget that has become cool and desirable. It taps into people’s feelings about self-esteem and status as well as any social needs for connection or geeky desire for the latest toy. These devices are expensive, and so on the face of it encouraging employees to BYOD (bring/buy your own device) saves money.
However, there are bigger costs and risks at stake elsewhere for the organisation. Mobile devices typically need network contracts, unless relying on pay-as-you-go or free Wi-Fi for connection. All-embracing corporate contracts come with many financial economies of scale that a chaotic collection of independent employee ones will lack. Quocirca has explored this challenging issue more fully in its recent free-to-download report “Carrying the can”.
The third area, content, is equally complex, as whoever owns and pays for a mobile device - employee or employer - its use is likely to straddle personal and business activities. In addition to communications tools and access for business applications there will always be a mass of consumer content. For smartphones and tablets, “content” includes both software and data. The line is often blurred, and despite many technical and religious discussions along the lines of “app or browser”, the underlying issues of enterprise control of costs and risks apply either way.
The convergence of work and personal content on one device, no matter who purchased the hardware or pays for the connection, raises the issues of content security, suitability and diligence.
For most organisations mobile security is a major concern, and rightly so, as it is not only malicious acts such as theft and hacking or the careless loss of a device that might lead to breaches of security. Simply cutting corners for the sake of ‘expediency’ will not do. Two doctors were recently overheard on the train discussing how their operation lists were being downloaded to their iPhones. They found it useful, but wondered if it might not really be good practice, although they ‘presumed’ there was insufficient detail to identify patients.
Whether this procedure was instigated by the users trying to make their lives simpler or someone in IT wanting to appear useful is irrelevant. Mobile security needs to be seen to be taken seriously as well as actually being addressed through suitable on-device software, content access practices and services from providers. All too often it appears that there has been only a limited mobile security risk assessment or insufficient user training. These aspects may lack the intellectual pizzazz of security software, VPNs and all things prefixed ‘cyber’, but the social or human elements are critical for addressing the weakest link – the user.
For mobile devices, even the technical aspects of security are rarely completely understood in IT departments, and the more complex issues involving the diligence of checking suitability of use can really only be answered by those responsible for business processes. What is the right usage of any given application on a mobile device? It might depend on the individual role or department, work needs, employee location at the moment of access and actual device in use at the time. This is a complex mix of business and social requirements that needs suitable policies and tools for enforcement.
Employees should know where they stand, what is acceptable and what is not. There are a number of mobile device management tool vendors that have stepped into this adjacent area of monitoring, directing and curtailing user behaviours. While this might seem a bit ‘big brother’ to some, many organisations will need audit trails to show they have sufficient safeguards in place to protect sensitive data. If the details of someone’s operation were found on the train, the health authority or employer would be where blame would be cast first, not the employee.
With BYOD these management tools now have the more difficult task of projecting the need for organisational control onto the personal device of an individual. They need to do this without compromising the integrity of business activities or violating the individual’s personal content or device. It is a fine line, and an easier way to tackle it would be to have one device for work, one for home - as many do now - but ultimately a portfolio of functions or personalities will need to reside on a single device.
The wave of virtualisation that hit the datacenter is already travelling through the network as virtual private networks and virtual desktop infrastructures. These offer an insight into how businesses might secure BYOD, and may extend virtualisation further into multiple virtual personalities (and operating systems) on the mobile devices at the edge.
All of this has cost implications, and these content considerations as well as the contract issues need taking into account when organisations consider the savings of allowing employees to acquire their own devices. ‘Consumerisation’ is looking as simple and pain free as ‘convergence’.