How does your CIO (or you, if you are the CIO) view the influx of iPads, iPhones, and Androids into the organization by individual users and business departments?
- It's an unauthorized invasion driven by naive users that will increase costs and threaten security and compliance. It must be stopped or at least contained.
- It's an unauthorized trend that suggests there's something wrong with the status quo of what the IT organization provides or supports -- and perhaps a surprise trend that indicates IT has fallen out of touch.
- It's a positive development that IT can both support and leverage for the benefit of users, of IT, and of the organization as a whole.
If the answer is 1, your CIO is very likely the wrong person to lead the IT organization going forward. The best answer is 3, though if the answer is 2, that means the CIO is capable of rethinking his or her management framdework to meet the changing realities of organizations today. Unfortunately, a lot of organizations still choose answer 1.
[ Learn how to manage iPhones, Androids, BlackBerrys, and other smartphones in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. | Keep up on key mobile developments and insights via Twitter and with the Mobile Edge blog and Mobilize newsletter. ]
Why is the CIO's reaction to the "bring your own device" phenomenon such a litmus test? Because it encapsulates most of the issues that face businesses today in terms of technology. InfoWorld's Eric Knorr has nicely described this new empowered-user reality and proposed basic approaches IT should take to adapt, so I won't retread those steps here. InfoWorld's Bob Lewis has also explained why the underlying control orientation of data-processing-style IT simply doesn't work today, so I won't repeat that either.
What I will show is why the first answer is the wrong answer. Thanks to a series of studies by the research firm Aberdeen Group, there are hard numbers to show that the additional costs are trivial, that the economic savings are significant (covering those extra costs several times over), and -- perhaps most important to risk-averse CIOs and their compliance-focused brethren -- that a proactive BYOD strategy actually increases security and compliance. Note: I'm using "BYOD" to also include "choose your own device," not just "bring your own device," as there are reasons a company may want to own the device legally. Either way, the result is support for user-driven heterogeneity.
"Being best in class lowers both the costs and the risks," says Andrew Borg, the mobility analyst at Abderdeen. This means having a policy-based approach to management, using IT Service Management (ITSM) principles, he says, which should be in place anyhow in any large organization. Most companies are not best in class, relying on inefficient, endpoint-oriented approaches that cost a lot and drive users to work around IT.
Plus, embracing mobile heterogeneity "is a transformation of IT's role, a move from a role of naysayer to an enabler for business," he says -- a way "to get out of the dog house" IT has put itself in recently. Borg points out that mobility is viewed as one of the most strategic business initiatives for 2011 in Aberdeen's corporate surveys. In fact, more than half of companies see it as a way to increase employee productivity.
As a result, users get the tools they want or need (it doesn't matter whether it is want or need -- perhaps the first lesson for old-school CIOs to learn), the business gets extra flexibility and capability to execute better, and IT win greater assurance on security and compliance without diving into a bottomless pit of work and expense.
Mobile security is not difficult to achieve -- but often is not
In an almost every organization, users have brought in iPhones, iPads, and other mobile devices, regardless of what the corporate standard might be. Some departments pay for them in a typical "shadow IT" response to IT saying no, and many employees simply use their own devices as adjuncts to whatever is officially provisioned.
Aberdeen's surveys show:
- The average number of mobile platforms currently supported by enterprises today is 2.9 -- thus, already the norm for most is not a BlackBerry-only world.
- Today, 62 percent of companies surveyed have formal BlackBerry support in place, 43 percent for iOS, 30 percent for Android, 24 percent for Windows Mobile, 13 percent for Symbian, and 13 percent for Windows Phone.
- Today, 80 percent of companies surveyed allow BlackBerrys (with or without formal support), 77 percent allow iOS, 61 percent allow Android, 46 percent allow Windows Mobile, 33 percent allow Symbian, and 31 percent allow Windows Phone.
The bottom line is that BYOD (that is, device heterogeneity) happens whether you want it to or not. If you're told to embrace the unofficial BYOD, an old-school CIO's first reaction will likely be that these devices are risky in terms of security and should be disallowed. If you're a BlackBerry shop using RIM's BlackBerry Enterprise Server (BES) product, that's almost certainly your reaction.
However, for the vast majority of security needs, mobile device management (MDM) tools deliver what you need for iOS devices, thanks to Apple's native MDM APIs, and often for Android devices, usually by installing a client app. If you have modest security needs and use Microsoft Exchange or an Exchange ActiveSync (EAS)-compatible email server, you can ensure security compliance directly for iOS devices and some Android devices (any noncompliant devices are simply denied access) -- no third-party MDM needed.
Ironically, the "say no" approach increases risk of data breaches, data loss, and noncompliance. Only 26 percent of "laggards" (the bottom 30 percent of companies surveyed) centrally manage their mobile devices over the air, Aberdeen has found, though this is a basic capability of most MDM tools and is easy to deploy. Instead, they do nothing or have desktop support staff individually set up mobile devices. One result: 67 percent of "laggards" don't recover or decommission lost or stolen devices -- an expensive loss given regulatory reporting requirements. Compare that to 3.4 percent for the best-in-class companies -- those that on average manage 88 percent of employees' mobile devices -- and 4.9 percent of "average" companies, the middle 50 percent, who on average manage 44 percent of employees' mobile devices.