How the CIO handles a bring-your-own-device effort is a good proxy on whether that executive should lead IT in the emerging empowered-user world

How does your CIO (or you, if you are the CIO) view the influx of iPads, iPhones, and Androids into the organization by individual users and business departments?

1. It’s an unauthorized invasion driven by naive users that will increase costs and threaten security and compliance. It must be stopped or at least contained.
2. It’s an unauthorized trend that suggests there’s something wrong with the status quo of what the IT organization provides or supports — and perhaps a surprise trend that indicates IT has fallen out of touch.
3. It’s a positive development that IT can both support and leverage for the benefit of users, of IT, and of the organization as a whole.

If the answer is 1, your CIO is very likely the wrong person to lead the IT organization going forward. The best answer is 3, though if the answer is 2, that means the CIO is capable of rethinking his or her management framework to meet the changing realities of organizations today. Unfortunately, a lot of organizations still choose answer 1.

Why is the CIO’s reaction to the “bring your own device” phenomenon such a litmus test? Because it encapsulates most of the issues that face businesses today in terms of technology. InfoWorld’s Eric Knorr has nicely described this new empowered-user reality and proposed basic approaches IT should take to adapt, so I won’t retread those steps here. InfoWorld’s Bob Lewis has also explained why the underlying control orientation of data-processing-style IT simply doesn’t work today, so I won’t repeat that either. What I will show is why the first answer is the wrong answer.
Thanks to a series of studies by the research firm Aberdeen Group, there are hard numbers to show that the additional costs are trivial, that the economic savings are significant (covering those extra costs several times over), and — perhaps most important to risk-averse CIOs and their compliance-focused brethren — that a proactive BYOD strategy actually increases security and compliance. Note: I’m using “BYOD” to also include “choose your own device,” not just “bring your own device,” as there are reasons a company may want to own the device legally. Either way, the result is support for user-driven heterogeneity.

“Being best in class lowers both the costs and the risks,” says Andrew Borg, the mobility analyst at Aberdeen. This means having a policy-based approach to management, using IT Service Management (ITSM) principles, he says, which should be in place anyhow in any large organization. Most companies are not best in class, relying on inefficient, endpoint-oriented approaches that cost a lot and drive users to work around IT.

Plus, embracing mobile heterogeneity “is a transformation of IT’s role, a move from a role of naysayer to an enabler for business,” he says — a way “to get out of the dog house” IT has put itself in recently. Borg points out that mobility is viewed as one of the most strategic business initiatives for 2011 in Aberdeen’s corporate surveys. In fact, more than half of companies see it as a way to increase employee productivity.
As a result, users get the tools they want or need (it doesn’t matter whether it is want or need — perhaps the first lesson for old-school CIOs to learn), the business gets extra flexibility and capability to execute better, and IT wins greater assurance on security and compliance without diving into a bottomless pit of work and expense.

Mobile security is not difficult to achieve — but often is not

In almost every organization, users have brought in iPhones, iPads, and other mobile devices, regardless of what the corporate standard might be. Some departments pay for them in a typical “shadow IT” response to IT saying no, and many employees simply use their own devices as adjuncts to whatever is officially provisioned.

Aberdeen’s surveys show:

- The average number of mobile platforms currently supported by enterprises today is 2.9 — thus, already the norm for most is not a BlackBerry-only world.
- Today, 62 percent of companies surveyed have formal BlackBerry support in place, 43 percent for iOS, 30 percent for Android, 24 percent for Windows Mobile, 13 percent for Symbian, and 13 percent for Windows Phone.
- Today, 80 percent of companies surveyed allow BlackBerrys (with or without formal support), 77 percent allow iOS, 61 percent allow Android, 46 percent allow Windows Mobile, 33 percent allow Symbian, and 31 percent allow Windows Phone.

The bottom line is that BYOD (that is, device heterogeneity) happens whether you want it to or not. If you’re told to embrace the unofficial BYOD, an old-school CIO’s first reaction will likely be that these devices are risky in terms of security and should be disallowed. If you’re a BlackBerry shop using RIM’s BlackBerry Enterprise Server (BES) product, that’s almost certainly your reaction.

However, for the vast majority of security needs, mobile device management (MDM) tools deliver what you need for iOS devices, thanks to Apple’s native MDM APIs, and often for Android devices, usually by installing a client app.
If you have modest security needs and use Microsoft Exchange or an Exchange ActiveSync (EAS)-compatible email server, you can ensure security compliance directly for iOS devices and some Android devices (any noncompliant devices are simply denied access) — no third-party MDM needed.

Ironically, the “say no” approach increases the risk of data breaches, data loss, and noncompliance. Only 26 percent of “laggards” (the bottom 30 percent of companies surveyed) centrally manage their mobile devices over the air, Aberdeen has found, though this is a basic capability of most MDM tools and is easy to deploy. Instead, they do nothing or have desktop support staff individually set up mobile devices. One result: 67 percent of “laggards” don’t recover or decommission lost or stolen devices — an expensive loss given regulatory reporting requirements. Compare that to 3.4 percent for the best-in-class companies — those that on average manage 88 percent of employees’ mobile devices — and 4.9 percent of “average” companies, the middle 50 percent, who on average manage 44 percent of employees’ mobile devices.

More shocking, only 30 percent of tablets — which really means iPads, given that 99 percent of corporate-used tablets are iPads — are remotely wipeable. Never mind that remote wipe is a basic MDM capability that even Exchange all by itself supports, or that the mechanism for enabling remote wipe on a tablet (iOS or Android) is the same as for an iPhone, so it should be automatically enabled for any tablet that has email access. “There’s no reason that iPads should be less managed than iPhones — yet they are,” Borg says. That suggests IT’s approach to them is the problem; it’s either ignoring them or trying to impose burdensome high-touch controls that keep many iPads in the shadows.

The truth is, in the last year mobile security has become a straightforward issue to handle. I’ve put most of InfoWorld’s key how-to articles in a downloadable PDF.
I’ve also covered the fact that architecturally, mobile devices are more secure than PCs, so perhaps IT should be viewing mobile more as a security aid than a threat.

If you don’t allow access on mobile devices, your employees will work around you. For example, they may forward email from their “secured” desktop clients to Gmail and Hotmail accounts they then access on their smartphones or tablets, where they’re both invisible to you and at much higher risk for data loss or breach. In fact, this is so routine, it’s not funny.

Aberdeen’s Borg points out that IT has a great carrot here that it often is not using: email access. IT should start by securing corporate email access and tell employees, “‘If you want email, meet policies.’ That is the carrot that works for everyone.” After all, people who have unsanctioned devices almost always want to access their email and calendars from them. Thus, they need to go through your email server — which can impose policies such as requiring on-device encryption, password requirements, and automatic device wipe after a specified number of failed attempts. In other words, telling users they can access email officially gives you the very control lost when you block them from that access.

Because the technology is policy-based, you don’t need to know the specific devices a user has or configure them yourself — the server validates the compliance and acts accordingly. You don’t need to manage the endpoints, just the gateways to your data. For those devices that need the user to install specific apps to achieve policy compliance, it’s easy enough to provide an intranet page linking to them, along with a list of recommended or approved devices.

Note: That’s why you’d also require a VPN to access sensitive data and might use virtual LANs on your wireless network to segregate sensitive traffic from personal traffic. But if you allow remote access into your organization’s network and data repositories, you should be doing this already.
The fact that the client happens to be mobile is irrelevant.

Some CIOs raise the compliance bugaboo, suggesting that HIPAA, Sarbanes-Oxley, HICAP, PCI, and all the other regulations make it impossible to embrace mobility. That’s simply not true. Using an MDM tool, “from the device perspective BlackBerry and iOS can be made compliant with every regulation I’m aware of,” Borg says.

That does leave one gaping hole: Android, a platform whose popularity is surpassing the iPhone’s. In contrast, Windows Phone 7 and WebOS are also not very securable, but their market shares are very tiny, so they’re usually not an issue from users’ perspectives. Borg says that eventually Android will be manageable as well, but for now only a few Android devices can meet such regulatory requirements, such as Samsung tablets when managed by Sybase’s Afaria product.

Thus, your policy as CIO should be that compliant devices are allowed in. As long as the compliance requirements IT imposes are reasonable, employees will respect them. You may need more than one level of compliance; employees who work with and access nonsensitive information should have less onerous compliance policies. Companies already do that with, say, financial and employee information, so they should be able to extend that tiered access thinking to device policies. For example, maybe any device is allowed to use the public virtual LAN to access the Internet, but only devices that support on-device encryption, remote wipe, and password requirements can access corporate email and general file shares. Additionally, only devices that support VPNs and certificates can access sensitive data that should be gated within the internal network anyhow, such as through VPNs, certificates, and the like.

The bottom line: In exchange for reasonable freedom of device, users allow IT to manage their devices via policies.
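The tiered device policy described above, as an added example that is not part of the original article or of any MDM product: a gateway-side check that maps what a device reports about itself (the capability names and the sample fleet are constructed assumptions) to the most permissive tier it qualifies for, tells the user what is missing for the next tier, and flags devices with no remote wipe.

```python
"""Tiered device-access policy check (added example, not the article's code).

Models the three tiers the article sketches: any device on the public VLAN;
on-device encryption + remote wipe + passcode for email and file shares;
VPN + certificate support on top of that for sensitive data. Capability
names and the device reports below are constructed sample data.
"""
from dataclasses import dataclass, field

# Tiers from least to most sensitive. Each tier's requirement set includes
# everything the tier below it requires, so a device is placed at the
# highest tier whose requirements it fully satisfies.
TIERS = [
    ("public_vlan", set()),
    ("email_and_file_shares",
     {"on_device_encryption", "remote_wipe", "passcode_enforced"}),
    ("sensitive_data",
     {"on_device_encryption", "remote_wipe", "passcode_enforced",
      "vpn", "certificate_auth"}),
]
TIER_ORDER = [name for name, _ in TIERS]


@dataclass
class DeviceReport:
    """What the gateway learns about a device (e.g. via EAS/MDM policy acks)."""
    device_id: str
    platform: str
    capabilities: set[str] = field(default_factory=set)


def highest_tier(report):
    """Return (granted tier, sorted capabilities missing for the next tier)."""
    granted = TIER_ORDER[0]
    missing_for_next = set()
    for name, required in TIERS:
        lacking = required - report.capabilities
        if lacking:
            missing_for_next = lacking  # stop at the first tier not met
            break
        granted = name
    return granted, sorted(missing_for_next)


def access_allowed(report, resource_tier):
    """Gate decision: allow if the device's granted tier covers the resource."""
    granted, _ = highest_tier(report)
    return TIER_ORDER.index(granted) >= TIER_ORDER.index(resource_tier)


def unwipeable_devices(fleet):
    """Devices that cannot be remotely wiped: should never hold email or files."""
    return sorted(r.device_id for r in fleet if "remote_wipe" not in r.capabilities)


# Constructed sample fleet: a fully managed iPad, an Android without
# storage encryption, a managed iPhone without VPN/certs, an unmanaged iPad.
SAMPLE_FLEET = [
    DeviceReport("ipad-01", "iOS", {"on_device_encryption", "remote_wipe",
                                    "passcode_enforced", "vpn", "certificate_auth"}),
    DeviceReport("android-07", "Android", {"passcode_enforced", "remote_wipe"}),
    DeviceReport("iphone-03", "iOS", {"on_device_encryption", "remote_wipe",
                                      "passcode_enforced"}),
    DeviceReport("ipad-09", "iOS", {"passcode_enforced"}),
]

if __name__ == "__main__":
    for r in SAMPLE_FLEET:
        tier, missing = highest_tier(r)
        print(f"{r.device_id:10} {r.platform:8} -> {tier}; missing for next: {missing}")
    print("no remote wipe:", unwipeable_devices(SAMPLE_FLEET))
```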
Many companies require employees to explicitly agree to this, others simply assert it as a policy, and some insist on owning the device even if they allow employee choice — that’s an HR or legal issue the CIO can leave to others to figure out. The CIO’s job is to ensure the policies are executed at the technology level.

Yes, there will always be rogue users, mobile or otherwise, who continue to forward work email to noncompliant devices. For example, users also transfer data to their home desktops this way, so the behavior needs to be treated more broadly. “The organization has become permeable, so you need to look at the whole picture,” Borg says — not just specific endpoint devices. “You need to move the focus from the endpoints to the core,” he says.

As for securing applications — usually the next objection raised after the device issue is neutralized — there are tools to do so where it makes sense. The first question, of course, should be whether it matters what games a user might install or what office app they use. Chances are it doesn’t matter. Again, the right approach is to apply policies to those applications where there’s material risk or other need for direct management, such as licensing compliance and access monitoring. The sandbox segregation of iOS and BlackBerry OS reduces the risk of malware problems, though again Android devices fall behind and may end up being supported only for nonsensitive classes of users.

Mobile costs don’t increase appreciably with BYOD

Once an old-school CIO gets over the security excuse, he or she usually raises the cost objection. Given the huge number of devices, IT support costs will skyrocket, and IT will be overwhelmed with calls and need extensive training on every possible device. The internal network will require a significant capacity increase — from bandwidth to available IP addresses for the DHCP server — to handle the tripling or quadrupling of devices that access it (over Wi-Fi).
Telecom costs will skyrocket as everyone gets a data plan for each and every device.

Baloney. Let’s take those three cost objections one by one.

Aberdeen’s research has found that support costs go up just 1.3 percent for best-in-class companies and up 7.0 percent for the rest when they allow device heterogeneity. That’s a low rise, even among those not best in class. One reason is simple: When users choose their own devices, they tend to pick ones they know and learn the ones they pick. In other words, they aren’t dependent on IT. “They are more self-supporting,” Borg says. When such users call IT, it tends to be for two reasons, according to Brian Reed, marketing chief at mobile services management provider Boxtone: help with forgotten passwords and problems with cellular coverage (which IT can’t help with, of course), not with the devices themselves.

I’ve talked to more than a dozen CIOs who’ve allowed users to choose their own devices, whether or not paid for by the company, and not one has had an issue with support costs as a result. Aberdeen’s data shows their experience is the norm. In fact, this data suggests that forcing all users to use a specific device is likelier to increase support costs than allowing users to choose their own devices. Those who don’t care will take the standard issue, Borg notes. “There are indeed costs to training and expertise. However, you probably have existing talent to support iOS and Android, but even if you need to add talent, the costs are low,” Borg says. He also says most organizations recoup that extra cost because BYOD lowers corporate spending by replacing at least some employer-paid devices with employee-paid ones.

Borg chuckled when I raised the spectre of network costs ballooning as iPads, iPhones, and Androids invaded the workplace and camped on Wi-Fi networks all day. Sure, you will need more IP addresses and perhaps more wireless network bandwidth. “But it’s time for retirement if a CIO can’t add servers. Solutions are available to grow beyond where you are, and it’s just an incremental cost. It’s not rocket science, full of danger, or high-cost,” he says.

CIOs will need to address network growth regardless of smartphones and tablets, Borg notes: His research shows 22 types of devices are already available on wireless LANs, such as video surveillance, videoconferencing, and HVAC controls: “And these are just the beginning.” The fact is that wireless connectivity needs will increase anyhow, so CIOs need to plan accordingly whether or not they like the BYOD idea.

Finally, there’s the issue of telecom costs rising as employees get 3G data plans for all those devices. Of course, the first question the CIO should ask is “Why do I care?” Such costs should not be IT costs but business costs. Business units should figure out sensible policies for mobile network access costs, then apply them through a technology called the budget, which managers and the CFO’s organization are more than capable of handling. They can decide which employees really need three data plans and who doesn’t, when it makes sense to stop reimbursing for $15-per-night hotel Wi-Fi charges in favor of 30-day tablet 3G plans that cover several trips for $20 or $30, and the like.

The good news is that carriers typically charge consumers less for data plans than they charge businesses, so you often save one-third to half the cost simply by having the employee do the purchasing. This is one reason the BYOD phenomenon has become so popular.

Another reason: Rather than poring over telecom bills to catch errors and departed employees’ plans, a company can stop worrying about the problem by using a stipend approach instead. It used to be that you could negotiate preferred rates for telecom by playing one carrier off another, but as we move to having just two major carriers (and only two if you plan on supporting iPhones and iPads), that leverage is disappearing.
Plus, if you support BYOD, you must have multiple carriers — individuals’ family plans are too powerful for them to switch carriers for the company’s benefit. Whoever manages telecom — the CFO’s office, the CIO’s office, or some other business unit — can simply dispense with the headaches, at least for their mobile telecom.

Using a stipend has other advantages:

- It creates cost certainty, as you decide how much each employee will receive or be reimbursed, if you prefer. You can have multiple classes of stipend to address the fact that some employees are always on the road. It’s also to the company’s advantage to have both their basic smartphone and tablet costs covered to ensure 24/7 access, whereas for others it’s a workday need only, so a stipend to cover part or all of one device’s telecom costs is sufficient.
- It lets users leverage their family plans, so calls to other family members and friends don’t accrue against them — which would add pressure on the company to increase the stipend amount.
- It has employees pay attention to costs more carefully. They’re less likely to ignore the “you’re roaming overseas” prompts on their iPads to turn off roaming if they know they’ll foot the bill for it.
- It reinforces that employees have both the freedom and the responsibility that comes with it, reinforcing the notion of being a trusted member of the team.

“My IT controller discovered the capped stipend idea years ago, and it has been a bonanza,” says Bernard “Bud” Mathaisel, executive adviser and CIO of Achievo, a software and IT outsourcer, and former CIO of Disney, Ford, Solectron, and other large companies. “It allowed us to plan and track IT budgets, while giving the users something they wanted, with them governing how the device was used, who they chose for their plan, and how they contracted. It took IT out of the personal independence equation, and everyone was happy.”

An old-school CFO, lawyer, or HR director may be nervous about such an approach, fearing liability for unreimbursed expenses or for having different reimbursement classes. But businesses have long done this: They cap allowable meal expenses for travelers and often for airfares and hotel costs — that’s a capped reimbursement. To avoid the accounting overhead, some provide per-diem expenses regardless of what employees actually spend — that’s a capped stipend. The same thinking is used for bonuses, salaries, stock grants, ability to work at home, access to company vehicles, and the like, so applying that approach to mobile devices and associated costs really should be no big deal. In any event, this is not the CIO’s or IT’s problem.

The trickier issue: The notion of shared ownership

What all of this comes down to is a different view of technology: It says that the device and its service are jointly owned by the company and the employee, not clearly by one or the other. Although iOS and BlackBerry provide the tools to manage company assets separately from employee assets, and there are ways to accomplish some of that in Android, it’s the very sharedness that is at the root of a lot of fear over BYOD.

The same Aberdeen research that dispels the security and cost myths about mobile heterogeneity also shows a curious fact: Half of the best-in-class companies don’t let employees bring in their own devices. The other half are split between letting them bring in any compliant device and one on a preapproved list. For the rest of the companies surveyed, more than half let employees bring in any device. Thus, those companies best able to manage BYOD are least likely to allow its fullest form.

If you’re an old-school CIO, you’ll take that fact and use it to show why you should ban most devices — all while characterizing it as an expansion of what is allowed, of course.
But what the data really indicate is that companies that allow a free-for-all are not best in class; they have no visibility into what is accessing their network and data, and they have no or few policies at the network or data level. They’ve abdicated their responsibility.

The best-in-class companies do in fact support heterogeneity: 74 percent of them support two or more devices, versus 65 percent of all companies and 45 percent of laggards. The problem many of them have is in giving up ownership of the device, often because they believe they need that ownership to enforce the policies. Ironically, a conservative approach to ownership did not translate into a conservative approach to heterogeneity.

Aberdeen’s data shows that these best-in-class companies that insist on owning the devices are beginning to change their minds as they gain confidence in their management of device heterogeneity. The surveys show that a higher percentage of the best-in-class companies currently insisting on device ownership are planning to allow some or complete employee ownership than the average companies that currently insist on device ownership.

Borg says this demonstrates a methodical approach to mobile heterogeneity that takes the challenge one step at a time to ensure it works over the long term: “It’s a matter of trust and a more cautious approach. The best-in-class companies pilot before they deploy and ensure that the MDM solutions work as advertised with employee-liable [employee-owned] devices. They know that once the horse has left the proverbial barn, there’s no turning back.”

When all is said and done, a modern CIO will look — if he or she hasn’t already done so — at mobile heterogeneity and user choice as powerful benefits for the organization that IT can easily support and even drive. The tools are there, the methods are known, the risks are lower than for inaction or avoidance, and the goodwill that results is strong.

Perhaps even more valuable: Addressing mobile heterogeneity through a policies-based approach is a great way to pilot this postmodern, stewardship-oriented IT philosophy that will be needed for the cloud, social technology, analytics, and all the other technology-augmented business activities that a modern company and its employees rely on.

Rick Pople, global IT practices leader at the consultancy Hackett Group, says most organizations will struggle with this new world. Middle managers are right to be concerned they will end up with a heterogeneous mess — the whole overview has not been thought through the right way. “That’s why they are wrapped in the notion of maintaining control over the environment rather than embracing the fact that the global, heterogeneous nature of transactions, platforms, and data allows a greater degree of freedom — in a deliberate way,” Pople says.

That is why a CIO’s reaction to the BYOD phenomenon is such a litmus test of that CIO’s ability to lead today: Mobile is just the most pressing, obvious example of a deeper change coming.

This article, “Mobile BYOD strategy reveals if your CIO is good or bad,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com. Follow Galen’s mobile musings on Twitter at MobileGalen. For the latest business technology news, follow InfoWorld.com on Twitter.