By Dr. Andrew Maxwell.
IT managers are coming under increasing pressure to provide enhanced business functionality at lower costs. They are also charged with the responsibility of ensuring system reliability and security. However, increasing pressure to provide enhanced services that deploy new and unproven technology may make the achievement of reliability and security difficult, especially when the business does not recognize these inherent conflicts. Such challenges are exacerbated by external compliance events or the increasing availability of new technologies that make this complex issue ever more difficult. As a consequence, many IT managers adopt a defensive and reactive approach to new technology solutions, despite the fact that they would like nothing better than to find ways to enhance the overall contribution IT can make to organizational performance.
In the last couple of years the increasing utilization of intelligent devices by individuals outside of the work environment, specifically smart phones and laptop computers, has created awareness of the potential for new information technology solutions to enhance workplace productivity. Access to a broad array of online services and the availability of hundreds of software applications that can be inexpensively downloaded offers users an increasing number of opportunities for individuals to adopt solutions that can improve organizational performance. Further, organizations that don’t embrace these opportunities are seen as repressive and lacking in innovation by individuals raised on smart mobile devices and instant internet access. Employees’ and managers’ knowledge of the benefits of deployment such devices, and the willingness of younger staff to challenge the status quo that all IT decisions are made by IT managers, create a tension between IT managers who need to maintain a discipline around IT implementation that ensures procedures and security protocols are maintained, especially when they have limited resources to implement and support the wide array of devices and software solutions now available.
The idea of bringing a personal device to work (Bring Your Own Device – BYOD) or the provision of such devices by the company, creates a number of challenges for IT managers, who often respond by raising concerns about the lack of security that such devices introduce into the corporate IT environment. Given that they are accountable to senior management for security, this often results in maintenance of the status quo, rather than an active investigation of how security concerns can be addressed. While security concerns are undoubtedly legitimate, both in terms of managing data on the devices (i.e. backing up critical data and wiping data on lost devices), and ensuring that personal devices don’t breach corporate IT firewalls (i.e. introducing malware into the organization’s IT’s software infrastructure), security challenges are possible to overcome. Other issues associated with the introduction of devices are also resolvable, but require both a significant deployment of corporate resources (i.e. 24 hour support for a myriad of downloaded applications on a variety of devices) and the establishment of new corporate procedures (i.e. what is acceptable use for a personal device). Given the complexity of these issues, and increasing budgetary pressures to keep IT costs under control, it is not surprising that, while acknowledging there could be substantial business benefits, many IT managers are reluctant to embrace BYOD implementation. With foreseen benefits often difficult to quantify, but support costs and security issues easier to understand, many organizations fail to take advantage of the opportunities afforded by these new solutions. As a result, they fail to achieve their innovation potential and fully engage their employees in identifying opportunities to enhance business productivity, as well as increase employee satisfaction.
Organizations that want to change the status quo and become more innovative through wide spread adoption of smart mobile devices must address the cultural and innovation management issues that preclude change. Faced with evidence of bottom line business benefits, such as improved customer intimacy and enhanced process management, BYOD has the potential to link IT investment more closely to bottom line performance. However developing a strategy to take advantage of these opportunities requires two fundamental changes in how organizations manage their IT investments and decisions. First, organizations that recognize the benefits of implementing BYOD solutions must understand that supporting these devices has an associated cost. Business managers, rather than the IT department, can then weigh up the costs and benefits of supporting BYOD, and make an informed decision of whether or not they will fund increases in IT support costs, and look to link these costs with direct business results. Second, traditional models of IT policy making, where decisions are made and enforced centrally, will have to adapt to one where IT organizations enable individuals to make decisions about the devices and software they use, rather than allowing IT to make all such decisions. In this role IT managers guide and recommend rather than manage, and have to explain why certain decisions are made and devices supported, based on cost effectiveness and the need to protect corporate data, rather than simple edict.
Unlike most IT implementation processes, where IT management simply respond to an external change in standard or software/hardware upgrade, organizations implementing BYOD solutions must address four separate areas: device compatibility, applications, policy and support:
A) There are a number of devices used by individuals that have different operating systems and levels of security. Organization must decide which devices to support, and choose operating systems that provide both the required level of security and functionality. While Apple devices seem to offer both, connecting Android devices, which also offer a large number of applications, creates security due to the variety of flavours of operating system. While Blackberry devices are designed for security, the number of applications available is limited.
As a consequence of these different capabilities IT managers may wish to limit the number of devices supported, a decision which may be impacted by the industry in which the organization operates, or the nature of the data and applications being accessed.
B) There are tens of thousands of software applications that can run on these devices. Organization must decide how it will make decisions as to which are appropriate (or allow end users to have no restrictions). In addition, IT departments must decide whether application or device functionality should be limited for security reasons.
C) Allowing people to use their own smart devices for work creates policy implications which the organization must address, not just from a technical issue, but from a legal, financial and ethical perspectives also. Organizations must develop policies about who owns content, and how the device, applications and data plans are funded. As well organizations must define acceptable use policies and be conscious of the signaling impact these policies have on both individual status, and the drive to increase innovation throughout the organization.
D) IT managers are acutely aware of the challenges of managing even a limited range of devices and applications in a corporate environment. To provide the required level of support for a wide range of mobile devices and downloadable applications to individuals at all levels within an organization presents an enormous challenge to IT managers, especially given the variability in end user expertise. Required support includes remote device management, management of data plans, and answering simple device and applications issues 24 hours a day.
Given the complexities of implementing a BYOD program, it is not therefore surprising that most IT managers fail to embrace BYOD as a corporate strategy by hiding behind security concerns. Senior management in organizations hold IT managers responsible for security and find it difficult to argue with IT managers who express security concerns despite evidence that other organizations have found appropriate technology solutions that can address these issues. Senior management in organizations that wish to harness the potential from BYOD activities need to change the decision-making processes in organizations so that it is decentralized to individuals who can see the benefits, understand the pitfalls and approve the budget. Organizations must work hard to develop establishing policies appropriate to the culture and regulatory environment in which they operate.
Given the variety of issues, and the complexity of policy and resource issues that need to be addressed, IT managers are well served to look for external guidance when implementing BYOD in their organizations. This guidance can come from technology suppliers, existing partners or industry experts, such as Info-Tech Research group (http://www.infotech.com/) who can provide guidance on each of the issues identified, and provide templates for companies to use when making implementation decisions and developing appropriate policies.
Another popular alternative is to find an external service provider who can cost-effectively provide hardware, software, services and both device and software support. In addition, experienced service providers can often identify ways to reduce costs (for example of data management) and facilitate adoption (for example by providing appropriate use policies). Utilization of such services limits the changes required in the organizations IT staff, and enables the organization to benefit from the partners experience in this area, where support and learning costs are shared. Further, appropriate external partners can help address many of the practical issues around the adoption of BYOD to encourage adoption and a culture of IT innovation. However, the choice of the most appropriate partner requires a different selection approach to that of issuing an RFP that assumes the customer knows what they want. Partnering to optimize the implementation of BYOD devices can only be achieved with a partner who understands how to increase customer productivity, which requires additional resources to train, develop policy, implement solutions and provide direct support to end users 24/7.
The fact that demand for enhanced IT service comes from end users makes it easier to allocate new funds as there is a direct link between the end users who see improvements in productivity and effectiveness and those with budgetary responsibility. This should make it easier for IT managers to make the case for allocation of new resources required to implement BYOD policies and gather broader support for the program from the entire organization. Harnessing end user demand for BYOD solutions can allow organizations to more rapidly move forward and achieve benefits from this next generation of IT technology that has the potential to achieve outcomes more directly linked to business performance. If you are in an organization that is failing to the address this opportunity, perhaps I have provided some insights on opportunities to move forward.