5. Manage through best practices
Every CIO I've ever met says his or her IT organization follows best practices. We all know that's not true, even if the aspiration is honest. The term usually means "what the consultant or vendor tells us to do," but it should mean more. It should mean "what we can show works for us" -- that is, regular review of what's going on, what's working, what's being bypassed, and so on, then adjusting accordingly.
Yes, Step 5 is Step 1. If you're not evolving, you're dying.
What about the alphabet soup the vendors talk about?
You've probably noticed by now that I barely mentioned MDM, and I didn't go into the more recent vendor silver bullets: mobile application management (MAM), enterprise mobility management (EMM), mobile information management (MIM), telecom expense management (TEM), or mobile risk management (MRM). I'm tempted to say they're all scams, but I won't go quite that far.
MDM, MAM, and MIM are simply aspects of management, covering the endpoint, application, and content, respectively. It's stupid to think of them as mobile-specific, as they apply to any technology system. MAM and MIM are highly immature areas that many in IT focus on for results they'll never get: They see MAM and MIM as ways to straitjacket apps and contents, much as they see MDM as ways to straitjacket devices. As one consultant recently told me, "Information is like water; it finds a way through" -- a "no" approach is a loser's proposition.
What MDM, MAM, and MIM do have as legitimate concepts is the notion of management. All three aspects of digital processes should be managed for a variety of reasons: access, manipulation, and validity. I use these neutral terms on purpose: If you treat these as only "how to control," you lose the "how to take advantage of" aspect that needs to be the major impetus for your management. Management is about ensuring that good things happen as often as possible and bad things happen as little as possible. If you focus on only preventing the bad, you're not likely to get the good and wind up with nothing.
For example, MAM makes sense if your goal is to promote the use of mobile applications among your workforce, so they can do more when not at a computer. You can create apps and distribute them in a managed way based on roles, changing permissions as needed both for app access and access to the information is handled. (If you're using only commercial apps, it makes more sense to create an intranet site with download links or to use the corporate iOS app store for distribution.) If your goal is to prevent users from working on information by crippling their app access or capabilities, good luck -- neither Apple, Google, nor Microsoft support that paranoid mindset in their mobile architectures.
Also, whatever you do to secure and control the environment has to be at least usability-neutral, so you don't discourage the good through excessive hurdles or encourage the bad by driving employees to workarounds. Security implementations that have high usability will get you the best result. Unfortunately, many security pros don't understand this, so they make themselves the enemy. And lose.
Then there's EMM, which should stand for "expensive mobile management," given that it's favored by consultants and advisory firms proffering long lists of all the things one must do -- meaning, of course, buy from them. Some use EMM to mean the holistic view of managing information and processes in a mobile context, covering the whole gamut of issues I've reviewed here. That's legitimate EMM, but most mean the term as the most extensive straitjacket they've yet devised.
"MRM" is a meaningless term, created to stand out from all the other MxM acronyms. Yes, understanding risk is important, and I wish all the companies that cite risk could actually help us understand which risks are meaningful. Until then, MRM is an empty buzzword.
Finally there's "TEM," a fancy term for cost control in the context of services you buy from carriers. A noble goal, TEM was a very powerful service a decade ago, but its value has fallen considerably. The data I've seen from the TEM vendors shows that the expense wastage in mobile is very small, notwithstanding their favorite horror story of the $6,000 roaming bill. Large companies may be overspending about $100 to $300 per user per year due to employee-purchased ringtones, cell plans never turned off (so still billed), data plans with higher-than-needed levels, and the (very) occasional roaming surprise. But they'll spend about $60 to $100 per user to license the TEM tools, not counting the IT and accounting labor time going forward.
It's a low-reward proposition at this point for reasonably well-managed companies. I encourage periodic assessment of open accounts and review of mobile and networking expenses to see if they trend in a troublesome way, but the CFO's office should be doing that anyhow. Charging a department for its occasional roaming overage will help create the management discipline to reduce future incidents. A TEM product may be worthwhile for your organization, but only if you can use it for proactive planning in addition to expense validation.