Galen Gruman
Executive Editor for Global Content

The unintended consequences of forced BYOD

analysis
May 10, 2013 · 7 mins

When personal equipment is required to handle business data and processes, say good-bye to traditional notions of corporate power

If Gartner’s projections are to be believed, by 2017, half of all companies will force employees to use their personal smartphones for work. Even if it doesn’t transpire so quickly, I can see it happening at numerous companies. To many CEOs, it’s like telling employees to use their own car for business trips or buy their own uniforms for use on the job — both widely accepted practices.

Whatever your views on the economic merits of the policy, such a change will have unintended consequences that go way beyond who pays for what. Neither the “use your own car” nor the “buy your own uniform” model will be much help in navigating the new landscape such forced-BYOD policies will create.

As regular readers know, I believe vendors and IT organizations usually overstate security concerns, whether for cynical profit motives or to satisfy either an unhealthy need for control or an unhealthy fear of risk. But that doesn’t mean there aren’t legitimate security concerns or risks worth avoiding. I’m a firm believer in letting employees choose the best tool for the job — computer, mobile device, applications, and cloud services — as long as those choices support or at least don’t undermine legitimate business process, outcome, security, and compliance needs.

At first blush, the notion of forced BYOD may seem like it supports employee choice, albeit in a miserly way. It does — but it also forces companies to accept two principles that will freak out most IT organizations and corporate counsels:

  • Business data is no longer confined to business systems and repositories, so information management and security are no longer assurable.
  • Individuals, not the businesses that become their clients, will ultimately own the information and processes, along with their management.

We’re already moving in those directions with optional BYOD and the acceptance of work at home (on employee PCs). Even though the consumerization phenomenon has deep roots that modern technology has only accelerated, companies today can tell themselves that those are exceptions to a system fundamentally designed to keep business data in the hands of business systems that can probably be secured and shown to be compliant. That will change in an era of forced BYOD.

Let’s be clear: Forced BYOD means a move from making the personal fit the business to making the business fit the personal. That’s a revolutionary inversion.

When the BYOD phenomenon rose in 2010, many IT pros feared BYOD because they saw that, even with the mobile management tools available, they could not guarantee security and compliance. Never mind that they couldn’t guarantee it on home PCs or even work PCs — they could at least pretend to in those venues, with complicity from corporate management, of course. Many continue to pretend they can guarantee security and compliance on mobile devices, whether BYOD or corporate-issued, by using some of the hundreds of products claiming to do so.

Even with the pretense involved, the foundational architecture skews toward protective separation of business and personal, whether through encryption, password and remote-wipe policies, app containers, VPN access, virtual machines, Web-based access to back-end-maintained data, dual-persona mobile devices, and/or any of the other mobile application and information management techniques available.

That foundation goes away when you require BYOD. Even if you tell an employee which smartphones and tablet models to choose from — similar to how “buy your own uniform” works — you can’t tell the employee which personal apps and services to use on their device. Complex, ever-changing passwords also become unlikely requirements to enforce; after all, most of the day, that smartphone is used for personal activities. Who wants to keep entering a password to be able to tweet or see a family photo?

I suppose a very authoritarian company — they do exist — could get away with making employees pay out of pocket for a specific device and subject it to complete IT control so that no personal apps or data could be used on it. This is akin to being required not only to buy your uniform from one specific supplier, but also to keep it clean and pressed. But that kind of company will have problems keeping workers not otherwise desperate for a job or utterly lacking in self-respect. If a company wants that level of control, it needs to at least buy the equipment in question.

You might think the “use your own car for business travel” approach would fit a forced-BYOD environment. After all, companies routinely refuse to pay for company cars for most employees. Yet for customer-facing employees, they require that liability insurance (sometimes even policies that indemnify the employer) be maintained. They sometimes even require that the employee maintain a level of appearance for the vehicle. That sure sounds like BYOD, right? “Use your own smartphone, but make sure it meets our core security requirements, which we’ll check when you connect to Exchange or our MDM server or by having you install our app container for work access.”

But unlike a car, a smartphone, tablet, or PC intimately interacts with business data and processes. That smartphone, tablet, or PC becomes part of the basic operational framework for the business, but the business has ceded it to the employee. The relationship is now more akin to the business outsourcing IT, relying on it to protect its data and ensure its processes — except that each employee is an independent outsourcer, creating a fundamentally unmanageable mix.

In other words, forced BYOD confirms that employees — at least knowledge workers — are free agents or contractors fundamentally in charge of their information and processes. The business is the client, not the owner, despite whatever its CEO, HR chief, and legal counsel imagine they’ve done in their employment agreement. Forced BYOD ensures that is only a back-end function.

Is this bad? Probably not. It’s certainly where we’ve long been heading as the business social compact began deteriorating in the 1990s — remember the big fights over at-will employment and “you’re responsible for your own career”? Businesses have long been automating away workers where possible and treating the rest as temporary contractors, regardless of their employment status.

When you adopt the contractor/outsource model, you fundamentally let go of the monolithic corporate model, which also means its information management, process management, process ownership, and information ownership. Forced BYOD formalizes that change.

Unfortunately, the companies that adopt forced BYOD likely have no clue what the decision really means. There is no technological way to maintain the control of the monolithic model in the contractor reality. And the regulatory and legal systems are largely clueless on how to work in the contractor reality. Already, traditional notions of data backup, deletion, and e-discovery are bumping against messy realities of intermingled personal-and-work devices.

It’ll be a very messy transition, with lots of unintended consequences.

There’s perhaps a silver lining. As I said, we seem to be going in that direction anyhow, and companies that adopt forced BYOD will at least make the shift explicit. We need that explicit acknowledgement to start the real discussions on how the business world and its regulations and legal requirements will need to change.

Whether you’re a business manager, IT manager, lawyer, or regulator, these discussions will make the consumerization and BYOD debates we’ve had in the last few years look like a walk in the park.

This article, “The unintended consequences of forced BYOD,” was originally published at InfoWorld.com.