Thursday, May 17, 2012

BYOD risk management: a new extreme sport?

We’ve all been hearing dire warnings about the problems with a “bring your own device” policy in and around the halls of IT. You might get the impression that BYOD is a new extreme sport. Or as scary as being handed the CEO job of the world’s #3 Internet search firm. In other words, you had better have a net and all sorts of safety gear. Or your resume up-to-date. (Ahem.)

In my view, the scariest part, however, is not the BYOD policy itself, but the extreme lengths that companies are going to in order to make it possible. A couple of examples:

I saw a recent Network World article that talked about how the CEO of Mimecast had his mobile phone “remote wiped” as a result of a BYOD policy he helped put in place. The story goes like this: while on a family vacation to South Africa, the CEO’s 5-year-old daughter tried entering the incorrect PIN code 5 times into his phone, and poof – the corporate-installed MDM software erased the content of his phone, including his vacation pics.

And if you think that was scary, this next one involves…lawyers. And risk management evaluations.

Ben Tomhave wrote up a piece for VentureBeat that said, essentially, “look before you leap” when implementing BYOD, and then gave some advice for how to do that. He listed 3 steps: conduct a comprehensive risk analysis, identify and communicate a legal strategy, and deploy mobile device management.

All of that adds up to quite a buzz kill.

Now, the good news is that people are so interested in bringing their favorite mobile devices to the workplace (or at least doing work on those devices), that enterprises feel they must go to some pretty impressive lengths to try to deal with it. But the question is: are such extreme measures really needed?

A look at the cold, hard facts might initially lead you to think so. I found this infographic from ESET, which rattles off some of the stats. There’s definitely a quantifiable problem, especially if, as they say, 81% of people use a personal electronic device for work-related functions. And nearly half of those let someone else use that same device.

Galen Gruman argued in InfoWorld that in The Case of the Remote-Wiped Vacation Photos and situations like it, companies have many other, less extreme options they could (and should) try first. I’m sure the same can be said of bringing in the lawyers and compliance teams.

You can deduce from my tone that I, too, believe these kinds of extreme measures are over the top. If you’re not careful with your approach, you’ll threaten to squeeze any financial benefit (and probably productivity) out of BYOD.

I think the risk must be solved for, just not in the traditional ways you might think – since those approaches are going to lead you to some of the aforementioned extreme solutions. As one of our field guys told me, “the knee-jerk reaction is to implement something really draconian, when the solution is far simpler.”

Being in a start-up is about delivering a new take on existing problems – going for the simple solution arrived at by looking at the problem from a different perspective. As you can probably guess, the Framehawk answer to BYOD is to take a look at long-held IT assumptions and rethink them. The goal: solve the enterprise’s risk problems while also supporting the user -- never forgetting why they wanted to bring their own device in the first place.

Hopefully we’re piquing your interest. There's more information here and yet to come on this blog.

Of course, if you really want to do things the hard way, you can always rent a helicopter, a parachute, and a snowboard. Or, that Yahoo! CEO job might still be open…

This blog is also posted at the Framehawk blog.