400 likes | 514 Views
Addressing “The BYOD Gap”. Richard Absalom, Analyst, Consumer Impact Technology richard.absalom@ovum.com July 2012. Ovum IT Super Themes 2012. Ovum’s consumerization practice: every employee is a consumer.
E N D
Addressing “The BYOD Gap” Richard Absalom, Analyst, Consumer Impact Technology richard.absalom@ovum.com July 2012
Ovum’s consumerization practice: every employee is a consumer The employee brings consumer technology into the workplace as a preferred tool: “Bring Your Own Device” (BYOD) is a key trend Consumer as Employee Consumer as Connected Customer Consumer as Protagonist Consumer as System Component
Consumerization of IT: Managing the Employee Experience Bring Your Own Computer/Device strategies in enterprise IT Enterprise Mobility Management vendor strategy Mobile application strategies for the connected employee Governance and policy: managing employee data privacy legislation Consumerization of IT The adoption of new IT devices and applications in the consumer market is accelerating – fuelling improvements in personal productivity. Enterprise workplaces move more slowly, creating a divide between user expectations and corporate IT realities. We focus on the impact of the proliferation of new devices, apps and data sources on user behaviors and IT management practices in the enterprise.
What’s behind consumerization? Apple and Google’s consumer market focus creates the “BYOD Gap” BYOD Gap Actual point of enterprise entry Mobile device adoption curve Employee demographics Normal point of enterprise entry Early adopters Rate of adoption
Agenda • Building and defining a business case & strategy • Data security • Introducing new platforms to IT Service Desk workflow without loading into excess cost • Managing the implementation challenge • Dealing with cultural and geographic legal variance • Putting together a consumerized corporate mobility strategy • Case studies
Defining the business case for BYOD: balancing tangible and intangible benefits, risks and costs Managing an unstoppable market trend? Intangible benefits Improved employee engagement and satisfaction Improved employee productivity – yet to be demonstrated with hard evidence Shifting the burden of shortened replacement cycles on to the employee Tangible benefits Less reliance on the service desk, more self-help New, specialized line of business capabilities Hardware costs – if paying employees a stipend Airtime costs – either on corporate or personal tariffs Potential cost of a third party enterprise mobility management solution Costs and risks Potential Opex and Capex increase on the IT service desk Increased risk of data loss? Risk of violating data privacy regulation
The business case for BYOD: it is unavoidable The benefits of BYOD have not yet been proven… • Improved productivity and engagement still needs to be demonstrated with hard evidence … The threats and challenges it poses cannot be ignored • The risk of data loss is real and must be addressed, whether BYOD is officially sanctioned or not • Providing solutions to the security challenges generates further issues around cost management and data privacy
Agenda • Building and defining a business case & strategy • Data security • Introducing new platforms to IT Service Desk workflow without loading into excess cost • Managing the implementation challenge • Dealing with cultural and geographic legal variance • Putting together a consumerized corporate mobility strategy • Case studies
What consumerization means for IT: moving towards a multi-platform environment ? + BES
Consumerization means that: More (unsecured) networks are transferring corporate data More (unsecured) endpoints are accessing corporate data More (unsecured) applications are using corporate data Consumerization multiplies the threats to data security Data security is always at risk at three main points: the network, the endpoint, and the application
Agenda • Building and defining a business case & strategy • Data security • Introducing new platforms to IT Service Desk workflow without loading into excess cost • Managing the implementation challenge • Dealing with cultural and geographic legal variance • Putting together a consumerized corporate mobility strategy • Case studies
Potential lack of expertise and resource: investment required Training required to fully understand intricacies of different platforms System administrators accustomed to working with a single platform Extra man hours (and therefore cost) required on the helpdesk / service desk to deal with troubleshooting on multiple platforms IT service desks are not necessarily equipped to deal with this multi-platform environment
Contracts may need to be renegotiated Need to work with provider to establish what capabilities they have, what can and can’t be supported Outsourcing providers may need to train up staff – and charge more as a result If support for multiple OSs was not built into the original contract, the likelihood is that they will need to be renegotiated Enterprise mobility vendors provide workflow tools to manage thousands of devices at once – would require roll out and training, but designed to be “single pane of glass” easy IT service desks: how does BYOD impact existing IT service desk outsourcing arrangements?
Agenda • Building and defining a business case & strategy • Data security • Introducing new platforms to IT Service Desk workflow without loading into excess cost • Managing the implementation challenge • Dealing with cultural and geographic legal variance • Putting together a consumerized corporate mobility strategy • Case studies
BYOD is about empowering employees – but they also need to be aware of responsibilities BYOD frees employees to do their job wherever they are… • The perfect storm of mobile, social and cloud – employees are able to be connected 24/7, being productive when they’re away from the office … But its implementation needs to be closely managed • Employees need to understand the security risks and implications, and who’s responsible for what – data, applications, cost, technical support • Their consent is required to implement complete security solutions
The “complete” enterprise mobility solution should offer: Device management • Mobile enterprise application management and provisioning • Expense management
Some common MDM capabilities across major mobile OSs: Over-the-air discovery, quarantine, enrolment and configuration of devices accessing the corporate network Password policy enforcement, data encryption Remote lock and wipe Real time reporting and alerts, activity logging, GPS tracking Content- and context-aware mobile data loss prevention software Application management and distribution, document control e.g. blocking copy / paste / local storage Addressing security concerns: common MDM capabilities across major mobile OSs
Mobile enterprise application platforms – addressing the same issues as MDM but with a different approach Managing the application, not the device: • Secure app wrapping technology – applying MDM capabilities to a single app • Removes the need to intrude on personal activities • Corporate app stores • An easy way to push apps to the relevant users in the relevant format • Including custom apps – designed specifically for line-of-business users to maximize business value
On-device multi-persona management: a third way Providing separate work and personal “identities” on the same device • Solutions such as Enterproid Divide allow for one persona to be managed and secured by the enterprise, and the other to remain free for personal use • App-wrapping and persona management are a way around privacy concerns – but are they as secure? Only allow for monitoring select applications, no idea what corporate data might be going through the unsecured consumer apps • These capabilities are only available on Android at the moment – and BlackBerry to a certain extent with BlackBerry Balance
BYOD might make some savings on hardware… • Companies can save on device renewal cycles • But often devices (e.g. BlackBerry’s) come free with a corporate airtime contract anyway • Will the company still need to maintain a “backup” fleet of devices? • Will the company be providing a stipend for employees to buy their own device?
… But it will add costs elsewhere • Paying for personal tariffs can be up to 5x more expensive than a corporate tariff • Extra costs on the service desk, or; • Extra cost of a third party enterprise mobility solution, or; • Both!
Telecoms expense management solutions and corporate-provided SIMs help to manage costs Keeping track of telecoms spending • Companies are not always aware of how much they are spending • Controls can be put in place to monitor spending while roaming, for example: when a certain limit is reached, the user can be prompted as to whether they want to keep on talking / using data • One option: corporate provisioned SIM, personally owned device • The best of both worlds? The user gets the device of their choice; the enterprise gets to control the airtime contract and can keep the number if the employee leaves… • But will employees go for that?
Vendors from a range of backgrounds are converging on the enterprise mobility services space ITSM / enterprise application vendors Device OEMs IT security vendors Brand / reputation strength Enterprise mobility / MDM specialists Telecoms expense management vendors Enterprise mobility management capabilities
Agenda • Building and defining a business case & strategy • Data security • Introducing new platforms to IT Service Desk workflow without loading into excess cost • Managing the implementation challenge • Dealing with cultural and geographic legal variance • Putting together a consumerized corporate mobility strategy • Case studies
The legal implications of BYOD – complying with data privacy legislation Organizations face a legal conundrum • Data being accessed on a personal device needs to be secured. If it is lost, the organization is responsible – not the individual • However… the solutions that provide data security on a mobile device involve a certain amount of monitoring and processing of personal activities – which can be seen as a violation of data privacy rights
The legal implications of BYOD – complying with data privacy legislation • Employee consent is required • No matter which region you are operating in, the only way around is to get employee consent. They must know the implications of the solution and freely agree to it. • Regional and vertical regulation • Data privacy regulation has basic similarities from country to country, but multinational organizations must consider it in every country in which they operate • Organizations must also be aware of data regulations specific to their industry, both internationally and regionally
Agenda • Building and defining a business case & strategy • Data security • Introducing new platforms to IT Service Desk workflow without loading into excess cost • Managing the implementation challenge • Dealing with cultural and geographic legal variance • Putting together a consumerized corporate mobility strategy • Case studies
What should a consumerized corporate mobility policy address? Security: Understand the steps required to secure corporate data Employee privacy: Make employees aware of the security implications and gain their consent to implement an MDM solution Eligibility: Know exactly which employees the policy applies to Acceptable use and dealing with policy violations: Make sure employees understand the consequences of violating the policy Technical support: Have a clear idea of who’s responsibility this is Reimbursement and total cost of ownership: Understand the impact of the policy on bottom-line costs and take steps to control them
Agenda • Building and defining a business case & strategy • Data security • Introducing new platforms to IT Service Desk workflow without loading into excess cost • Managing the implementation challenge • Dealing with cultural and geographic legal variance • Putting together a consumerized corporate mobility strategy • Case studies
Consumerization case study Strategy • UK-based multinational bank not running a full BYOD policy, but replacing BlackBerrys by rolling out iPhones to its mobile employees instead. Moving beyond only using email on the go: “wanted to move from an email platform that does apps to an app platform that does email”. • 10,000 iPhones distributed by end 2011, and each of those users has the option to bring in a personally owned iPad as well (2,000 actually running on the corporate network). • 12 internal apps available to relevant employees, covering functions beyond email such as trading, customer management, customer service, and exchange rates.
Consumerization case study Security mechanisms • Everything provided in a secure environment: access to corporate data on corporate network only, no local storage – no sensitive data can be left on the device. • Single-tunnel VPN – when a user is connected to the corporate network, all other access is blocked. • All managed in-house by Standard Chartered’s own IT department
BYOD case study Strategy • Relationships with multiple mobile carriers in every country in which it operates means that Cisco is in a great position to implement an internal BYOD policy. The networking giant no longer pays for any mobile devices, telling employees to bring their own into work. Cisco leverages its relationships with carriers to provide very good Cisco-employee-only mobile tariffs. • iPhone now the most popular device in the company, 41% share. BlackBerry slipping back (24%), Android growing (10%). • Results: Mobile spend flat year on year (May 2010 – May 2011), even with 32% increase in number of mobile users. Users also self-support more effectively on personally owned devices, and mobile IT support requests dropped 20% year on year.
BYOD case study Security mechanisms • Aims to support as many platforms and devices as possible and is continually increasing its number of "trusted devices“. Trusted devices must meet certain architectural principles around security, authentication, authorization and storage, and execution elements around policy enforcement and asset management. Mobility policy • Cisco employees have to agree to a corporate mobility policy and understand that their phone may be wiped if confidential corporate data is “deemed likely to be compromised”. Violating the policy can lead to disciplinary procedures including termination of employment.
BYOD case study Strategy • In the first year of its global BYOD implementation, managed services provider Unisys deployed iPads and iPhones to customer-facing employees, and set up the IT infrastructure to allow mobile devices to securely connect to the Unisys intranet and other critical applications for day-to-day business functions. Unisys also built the systems needed to support personal Blackberrys and Windows Mobile. • The auto provisioning process (built in-house) to set up iPads and iPhones (3GS) reduced help desk calls by ~1000 and saved ~ $50,000 in licensing cost over a year. • Unisys claims to have increased workforce productivity by connecting employees on the move with critical internal corporate assets.
BYOD case study Security mechanisms • Strict authentication and encryption processes are in place, and cloud based applications mitigate the risk of mobile data theft. • What applications employees can use depends on their device’s security rating – some are more secure than others. No Android devices are yet being allowed into the Unisys environment. Mobility policy • Employees must sign up to an acceptable use policy, which informs them in which circumstances their device may be wiped, and that their device may be subpoenaed for litigation purposes (especially in the US). The data security terms are globally applied; the policy for reimbursement differs by region.
Localized consumerization case study BlackBerry emails switched off at night in Germany • In December 2011, Volkswagen agreed to deactivate the email function on its BlackBerry fleet at night for employees in Germany. The move is a result of pressure from the company’s work council to counter expectations that employees with a BlackBerry should be reachable at all times. The works council reasons that such an addiction to the “CrackBerry” corporate device heightens the risk of burnout and stress, leading to increased numbers of sick days taken.
Localized consumerization case study Consider local cultural factors when implementing any policy • Be aware that allowing a BYOD policy or provisioning employees with consumer-focused devices does not automatically mean that they will be reachable at all times. • In Germany, organizations implementing any enterprise mobility policy must do so in cooperation and agreement with local work councils. If any such policies do not conform to the employee’s contract of employment (e.g. on required working hours), expect opposition from the works council.
Localized BYOD case study Council opens up to personal devices • Leeds City Council is allowing staff to choose their own phone, including iPhones and Android devices. The council began work on the implementation in early 2012, selecting MobileIron’s MDM solution to enable the scheme. • Employee’s wanting to enrol in the BYOD scheme can only install the MobileIron software after signing a text message disclaimer agreeing to keep their phone updated with the latest OS, apply security updates, and not to attempt to circumvent any of the security measures. Having downloaded the MobileIron client app, work email, documents, and data are encrypted when accessed on the employee’s personal device.
Localized BYOD case study Ensure that employees understand and sign up to a policy before implementing any intrusive security measures • Make sure that employees are fully aware of what activities and data on their personal devices will be monitored, and how. Ask employees to sign up to a mobility policy before allowing them access to corporate data on their personal device, outlining their responsibilities in regards to protecting corporate data. • Implement adequate security steps, including a strong PIN policy and AES-128 encryption as a minimum, to prevent the loss or leakage of data through usage on personally owned devices. This may well involve buying into a third party solution if such capability / expertise is not available in-house.