Galen Gruman
Executive Editor for Global Content

3 rules for doing BYOD right

analysis
Aug 24, 2012 | 7 mins

With these three basic guidelines, BYOD can work for everyone without unfairly burdening IT

It’s a compelling statistic: 83 percent of companies now allow employees to use their own mobile devices for work — the quintessential definition of “bring your own device” — according to the most recent data from Aberdeen Research. Once you factor out the very-high-security industries such as defense, you’re left with, in essence, all companies.

[Chart: BYOD adoption rates, January 2008 to July 2012 (source: Aberdeen Research)]

Despite the fears expressed in 2010 when the BYOD phenomenon rose to attention, devastation has not ravaged the earth. In fact, it must be a good thing for companies to have accepted the notion so widely. A big reason, of course, is that employees work on average an extra day a week for free — without being asked, much less paid — when enabled via BYOD.


Although BYOD as a concept is now generally accepted, how it’s managed in practice remains all over the map, with many organizations making it unnecessarily complex for both users and IT. Some organizations have even done what IT has long feared: dumped the burden on IT once BYOD is in operation.

In the early days of BYOD, some of the fears were relatable, though they proved to be ill-founded. Companies were understandably conservative, not knowing what would happen in practice. But now that we have several years of BYOD under our belts, it’s time to move to what works best for all.

I’ve seen organizations make this migration. For example, one government agency used to ban access by non-agency-issued mobile devices and non-agency-issued PCs, then began handing out VPN access for home-based PCs on a very limited basis, with waits of up to a year for approval. Next, it allowed iPad and iPhone access to email if employees donated their devices to the agency, which would then hold legal authority over the device. Never mind that signed policies can easily and effectively get you the same results — who owns the device doesn’t matter. Finally, it now does what pretty much everyone should do: Allows access by any device that meets its technical security policies by any employee whose manager signs off on the access.

It really should be that simple from an access perspective. As you’d expect, the employee must agree to access and information-management policies that spell out the expected behavior (such as no forwarding of work email through personal accounts) and the employee’s responsibilities. For example, the employee must notify IT of a lost or stolen device and accept that the device will first be locked and then wiped if it is not recovered, including the possible loss of any personal data the user has not backed up elsewhere. Backing up that personal data is the user’s job, which is what iTunes and iCloud provide for iOS and what Samsung and others partially provide for Android through their own accounts.

Technology should not be the focus of access and information management. Yes, it can help monitor and steer employees toward desired behaviors, but it cannot replace the responsibility of individuals to do the right thing in the computing contexts they choose to work in. In a consumerized world, knowledge workers choose not just their devices and software but also their work processes. Policies are all about those work processes and how they are expressed, no matter what technology is in use. (Previously, I’ve provided an in-depth look at the technology side of planning for, implementing, and securing BYOD.)

Rule 1: Security and management burdens must be justified by actual risks

Across the broad range of concerns, technical and HR policies will vary from company to company and even from user class to user class within an organization. That’s to be expected, as the risk of data loss (the real concern in BYOD) has to be weighed against the gains to be had from BYOD, such as more productivity, more flexibility through the ability to work in a wider variety of locations such as client sites, and greater employee satisfaction.

But the requirements and policies have to be reasonably aligned to the actual risks and compliance requirements in regulated environments. That’s where many IT organizations dropped the ball, imposing onerous requirements not matched by the actual risks.

Rule 2: Security and management burdens should be consistent across all access technologies

Employees could see the imbalance simply by noting that many companies imposed tighter controls on mobile devices than on personal PCs, even though a personal PC has much more capacity to abuse data or infect a network than a mobile device does. For example, disk encryption is usually required on mobile devices but not on PCs, and companies seek to control mobile apps’ information exchange but not that of PC apps.

That imbalance should have been a red flag to security managers that perhaps PCs are undersecured or that the mobile requirements were too strict, wasting corporate resources and risking driving employees to unsafe work-arounds.

If a certain level of security is required, it should apply to all devices: Windows PCs, Macs, iPads, iPhones, Androids, BlackBerrys, and whatever else may be out there. Of course, if the effort to enforce that level of security on a specific device or platform is unduly disproportionate to that of implementing it on other devices and platforms, it makes sense for a company to exclude that outlier or impose a tax on its users to pay for the extra cost. However, IT must first verify that the device or platform does in fact require the investment to support it, and IT is not just perpetuating outdated facts or even stereotypes. For example, both Android and OS X have come a long way in their security and management capabilities in the last couple of years.

Rule 3: Place responsibility squarely on users and their managers

In many organizations, IT’s role has been transformed from making the technology work to using technology as an enforcement mechanism to control employee actions. I know few people in IT who relish being the equivalent of baton-wielding riot police, but I find most IT people, especially CIOs, feel obligated to protect the company through technology implementations.

Stop that! If a person breaches data, he or she should be counseled or punished as appropriate by business-unit management. IT should provide the infrastructure to monitor information activity and set the technical ground rules for access to corporate digital resources, but it should not police activities. I don’t know when it became OK for business-unit managers to stop managing employees or to automate away human responsibility, then wonder why people don’t know what the right thing is, much less whether they’re doing it.

We used to have a culture based on the notion of “loose lips sink ships.” Everyone was responsible for keeping secrets, managing information flow to those who truly needed it, and understanding the relative sensitivity of whatever they were working on. Security was everyone’s job, with experts providing the monitoring and the tools, but managers creating the expectations and holding employees accountable to them.

We need to start doing that again. It doesn’t require new, expensive technologies, nor does it (or should it) fall solely to IT. Run simulated phishing campaigns against your own employees, and counsel, warn, and punish (in that order) repeat offenders. Let employees who access corporate resources using devices not on the official list know that you’re aware of their actions, and remind them of the standards of information management they are held accountable to.

Expect users to be responsible. If they want to use their own technology, demand they be smart users, too. BYOD works only when it is embraced by all, both the freedom it brings and the responsibility it engenders.

BYOD is not and should not be an IT problem. If it is in your organization, something is terribly wrong: Management isn’t managing, and employees aren’t treated as or expected to behave as adults.

This article, “3 rules for doing BYOD right,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Smart User blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.