By Ernesto DiGiambattista
Fri | Jun 14, 2013 | 7:12 PM PDT

To B.Y.O.D. (Bring Your Own Device) or not to B.Y.O.D.? That is the question to which technology risk professionals are searching for an answer.

As Blackberry (formerly known as Research In Motion) tries to rediscover its role in the enterprise marketplace, CTOs/CIOs/CSOs are trying to find a mobile device solution that provides enough governance and flexibility for their associates. To complicate matters, IT departments are being asked to support multiple smartphone platforms (e.g. iPhones, Androids) in the corporate workplace and to provide email access on associates' personal smartphones. If information security and data loss were not concerns, this would be a simple project for any technology team.

The playbook is simple:
1. Upgrade the email server or use a managed email service provider that offers push email technology (e.g. Exchange ActiveSync).
2. Test and pilot a few mobile devices with the push technology (e.g. an iPhone and a Samsung Galaxy smartphone).
3. Build a simple and repeatable program. Document the service request, work with a vendor to build a device procurement process, define device activation, enable the user account to retrieve email, and finally, train the user.

With state, federal and industry-specific regulations, technology departments are going to have to deploy a mobile device management solution that prescribes security measures to protect information and prevent data loss.

Thoughts for the business sponsors, IT, Security and Compliance

Before going out to the marketplace and playing with the latest and greatest mobile device management solutions, the organization will need to develop an understanding of a few important business requirements.

Regulations

Does the organization need to adhere to any regulation (e.g. H.I.P.A.A., G.L.B.A. or Massachusetts Privacy Act)? This will immediately impact the vendor selection process, which will require organizations to ask the vendors some difficult questions. Most organizations should be familiar with their applicable regulations and understand the importance of documenting and verifying that all regulations are incorporated into the mobile device policy and management solution. When organizations are pre-screening their mobile device management vendors, this should be the first topic on their agenda. Do not sacrifice a regulatory requirement for a management feature. I cannot stress enough the importance of meeting all regulatory requirements for the organization's mobile device management road map.

Policies

Is the organization's current mobile device policy robust enough to handle smartphones, tablets and B.Y.O.D.? Do the acceptable use policy and/or associate handbook cover the use of corporate-owned smartphones and tablets? Go through each policy and review it with the HR department to make sure that every angle has been covered. Organizations should take this opportunity to update or create any applicable policy. This will give the organization the opportunity to verify that all of its policies are relevant and to communicate the mobile device management strategy to the associates.

Controls

Through the vendor selection, the organization will need to develop a strong understanding of the access controls each management system offers. Most management systems will have similar core functionality, but it is important for the organization to distinguish its mandatory requirements from the "nice-to-have" features. Through this process, an organization may find that a solution lacks a mandatory feature, which can save significant time in the evaluation. It is important for each organization to determine the level of control it requires over corporate-owned devices: for example, the ability to wipe a lost phone, restrictions on application downloads, and whether personal use of a corporate-owned device is permitted. During this exercise, an organization may determine that not all corporate users will be treated the same, which will require multiple device configuration policies (e.g. Executive Group Policy, IT Group Policy, Doctors Group Policy, B.Y.O.D. Group Policy).

Once an organization understands the applicable controls for corporate-owned devices, it will need to shift focus to defining its B.Y.O.D. controls. This is where technology, security and HR professionals need to draw the line in protecting corporate information. At the same time, they need to confirm that the organization will neither monitor the personal use nor modify the personal configuration of the associate's device. Like any other project, the technology team will need to test the process of installing agents on a personal device and verify that the mobile device management system's access to the device is limited accordingly. It is recommended that organizations have a unique policy for B.Y.O.D. users to sign. Each organization will need to customize its B.Y.O.D. policy, but it should include the following clauses: reporting to the organization that the phone has been stolen or lost (which would require the IT team to disable the agent's access), no liability for data loss (during installation or update of the agent), and confirmation that the associate is voluntarily requesting access.
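The tiered configuration policies and the B.Y.O.D. boundary described above, as an added illustration that is not part of the original article: a small resolver that assigns controls per group and refuses personal-scope controls on a personally owned device. The group names, control names and Device fields are assumptions chosen to mirror the article's examples.

```python
# Added example, not from the article: a minimal resolver for the tiered device
# configuration policies described above. Group names, control names and the
# Device fields are assumptions chosen to mirror the article's examples.
from dataclasses import dataclass

# Controls that reach into the personal side of an associate's phone; the
# article's requirement is that a B.Y.O.D. device is never subject to them.
PERSONAL_SCOPE = {"full_wipe", "app_install_restriction",
                  "personal_use_restriction", "location_monitoring"}

# Per-group configuration policies (assumed). The B.Y.O.D. tier only ever
# touches corporate data, never the whole device.
GROUP_POLICIES = {
    "Executive": {"mail_access", "full_wipe", "app_install_restriction"},
    "IT": {"mail_access", "full_wipe", "app_install_restriction",
           "personal_use_restriction"},
    "Doctors": {"mail_access", "full_wipe", "app_install_restriction"},
    "BYOD": {"mail_access", "corporate_data_wipe"},
}

@dataclass
class Device:
    group: str
    corporate_owned: bool
    reported_lost: bool = False  # set when the associate reports loss or theft

def permitted_controls(device):
    """Controls the MDM may apply to this device under its group policy."""
    controls = set(GROUP_POLICIES[device.group])
    if not device.corporate_owned:
        # Hard boundary: drop personal-scope controls even if an administrator
        # accidentally added them to a group policy used for personal phones.
        controls -= PERSONAL_SCOPE
    return controls

def authorize(device, action):
    """Decide one MDM action and return (allowed, reason)."""
    allowed = permitted_controls(device)
    if device.reported_lost:
        # A lost/stolen report disables agent access; only removing corporate
        # data (or a full wipe where policy already allows it) stays possible.
        if action in {"corporate_data_wipe", "full_wipe"} and action in allowed:
            return True, "lost device: wipe permitted"
        return False, "lost device: agent access disabled"
    if action in allowed:
        return True, f"permitted by {device.group} policy"
    return False, f"not in {device.group} policy"
```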

Metrics

Each organization will be looking at different types of metrics. Some organizations will be looking for an increase in the B.Y.O.D. adoption rate, while others are looking to reduce their overall mobile costs. As organizations plan to evaluate and replace their current mobile device strategy with a newer technology, they will need to measure the progress and results of the project. During the first kickoff meeting of the "Upgrade of M.D.M./B.Y.O.D. Offering" project, the first topic on the agenda should be, "Why make the move?" Each organization will most likely have a combination of reasons after that initial discussion. It is important to understand the question because it will be the foundation of the organization's metrics and reporting throughout the execution of the project. Most importantly, it will provide the final grade of success or failure for the entire project.

Final thoughts

When organizations are looking to update or deploy a new mobile device management solution, the most important advice would be to take your time. Understanding the business needs, the risk tolerance (if any) and the support model are also critical factors for a successful roll out. During the regulatory requirements review process, do not sacrifice any regulatory requirement for a mobile device management or device feature/function. Work collaboratively with the compliance, HR and technology associates. There are many factors beyond the technology that need to be addressed, and building the right solution for each organization requires many experts. From a metrics perspective, increasing the number of B.Y.O.D. users to lower the organization's monthly service cost has an obvious and immediate impact on the organization. From a long-term perspective, there are more benefits for the organization because associates will be responsible for their own devices and upgrades. They are just running another application on their handheld device. Thus, IT groups will see a reduction in help desk tickets for mobile devices, and the organization will not be purchasing the future upgrades. A B.Y.O.D. strategy offers many benefits: cost savings for the organization and secure access to email (and even internal applications) for associates. The planning of the project, the understanding of all risk factors, the vendor selection process and the roll out strategy are not the responsibility of one team. There has to be a collaborative effort among the technology, security, compliance and HR groups to properly execute a B.Y.O.D. strategy. Having all of these players at the table during the initial kickoff meeting will give each organization the guidance necessary for implementing a successful B.Y.O.D. strategy.
