If Gartner's projections are to be believed, by 2017, half of all companies will force employees to use their personal smartphones for work. Even if it doesn't transpire so quickly, I can see it happening at numerous companies. To many CEOs, it's like telling employees to use their own car for business trips or buy their own uniforms for use on the job -- both widely accepted practices.
Whatever your views on the economic merits of the policy, such a change will have unintended consequences that go way beyond who pays for what. Neither the "use your own car" nor the "buy your own uniform" model will be much help in navigating the new landscape such forced-BYOD policies will create.
As regular readers know, I believe vendors and IT organizations usually overstate security concerns, whether for cynical profit motives or to satisfy either an unhealthy need for control or an unhealthy fear of risk. But that doesn't mean there aren't legitimate security concerns or risks worth avoiding. I'm a firm believer in letting employees choose the best tool for the job -- computer, mobile device, applications, and cloud services -- as long as those choices support or at least don't undermine legitimate business process, outcome, security, and compliance needs.
At first blush, the notion of forced BYOD may seem like it supports employee choice, albeit in a miserly way. It does -- but it also forces companies to accept two principles that will freak out most IT organizations and corporate counsels:
- Business data is no longer confined to business systems and repositories, so information management and security are no longer assurable.
- Individuals will ultimately own the information and process management and ownership, not the businesses that become their clients.
We're already moving in those directions with optional BYOD and the acceptance of work at home (on employee PCs). Even though the consumerization phenomenon has deep roots that modern technology has only accelerated, companies today can tell themselves that those are exceptions to a system fundamentally designed to keep business data in the hands of business systems that can probably be secured and shown to be compliant. That will change in an era of forced BYOD.
Let's be clear: Forced BYOD means a move from making the personal fit the business to making the business fit the personal. That's a revolutionary inversion.
When the BYOD phenomenon rose in 2010, many IT pros feared BYOD because they saw that, even with the mobile management tools available, they could not guarantee security and compliance. Never mind that they couldn't guarantee it on home PCs or even work PCs -- they could at least pretend to in those venues, with complicity from corporate management, of course. Many continue to pretend they can guarantee security and compliance on mobile devices, whether BYOD or corporate-issued, by using some of the hundreds of products claiming to do so.
Even with the pretense involved, the foundational architecture skews toward protective separation of business and personal, whether through encryption, password and remote-wipe policies, app containers, VPN access, virtual machines, Web-based access to back-end-maintained data, dual-persona mobile devices, and/or any of the other mobile application and information management techniques available.
That foundation goes away when you require BYOD. Even if you tell an employee which smartphone and tablet models to choose from -- similar to how "buy your own uniform" works -- you can't tell the employee which personal apps and services to use on their device. Complex, ever-changing passwords also become unlikely requirements to enforce; after all, most of the day, that smartphone is used for personal activities. Who wants to keep entering a password to be able to tweet or see a family photo?