Ok, so maybe nothing is a bit of a stretch, but here is a different take on the traditional “how do we manage devices?” challenge.
Let’s start with a baseline understanding of what we do. A fairly neutral definition of IT is to provide organizations with access to information and tools to enable employees to make informed and timely decisions in the most efficient way possible – all at a justifiable cost. Fair enough? At the end of the day, employee productivity is about the creation and consumption of information and the decisions that surround it. In most cases, devices such as phones, tablets and PCs are just tools that give us the ability to create and interact with that information in order to make decisions for the betterment of the business. That information is built from data generated in emails, meeting notes, reports, etc. So, in summary, it should be fair to say that day-to-day business is all about data.
What’s the real problem?
Now to define the problem. How do you define a BYOD (“Bring Your Own Device”) effort? Is it an initiative to eliminate the cost of issuing employee devices? Is it allowing users to bring in any device from home with the premise that it is used for enhancing their productivity (making better/faster decisions)? Is it something ‘we have to do’ to appeal to a new generation of workforce? Or is it simply “all of the above” with a subtext, “how do we safely manage those devices?” Here lies the problem with any of those definitions: if the fundamental goal is to figure out how to manage all of today’s and tomorrow’s devices, it’s a losing proposition. Innovation is too great, and technology changes in a moment’s time. Besides, at the end of the day, how does that device ‘management’ help the business with access to their data?
Rarely in BYOD discussions do I spend a significant amount of time talking about data. Typically conversations are around MDM/MAM/Phone/OS strategy, etc. Rather, I see a need to change the conversation to “Data Management Strategy”: a focus on securing the data first and then offering a tiered approach to device management based on the end-user experience desired (more on this later). In the end, a data-first strategy will have lowered the risk of accidental intellectual property loss in a manner that is device agnostic and allows room to scale.
A lesson from the music industry
Take, for example, digital rights managed (DRM) music. As a music lover, you want unlimited access to music. So you enter into a ‘contract’ with a company that licenses music (let’s say Xbox Music). In return for your monthly fee, a certificate is granted to you and the world of music is available to you. All of the music that you download can be played across multiple devices (tablets, phones, etc.) online or offline. The music file is what is managed, not the device, album art, playlists, etc. Upon termination of your agreement, the certificate is removed from your device and access to play the music is revoked. The powerful benefit of this model is that Xbox Music knows very little of your machine, therefore ‘wiping’ the device of all music isn’t required…the files just become obsolete.
Is it foolproof? Like any system, it’s not 100% foolproof. The system is not designed to be perfect, but rather to protect against easy ways to exploit the system…mostly accidental loss and some intentional. Anyone seeking to be malicious will probably succeed.
Build an ‘experience matrix’
In the world of security, user experience is usually inversely proportional to protection. The more secure you want to make a system, the worse the experience gets for the user (think two-factor authentication). If organizations can protect their data first, managing devices becomes more of an experience discussion and security is determined by the level of experience desired. Microsoft (internally) offers a rich BYOD experience. MSIT has accomplished this by enabling employees with tools to protect the data first. A clear policy and mandatory training ensure employees understand how to secure the data. Then, MSIT publishes a support/management matrix for a wide category of devices. The matrix includes what experiences are enabled and what level of management is required to obtain that experience.
Recommendations for a Data Management (BYOD) Strategy
- Data classification. Protecting IP is important, but spending a million dollars over a year-long project to protect the holiday party catering menu is not efficient. One size doesn’t fit all.
- Develop a matrix of experiences you want to offer with devices you will support. This exercise is as much about deciding what you will/won’t support as it is about clearly documenting it for users to rationalize.
- Build change into the strategy. One thing is for certain: by the time you implement a strategy, it will have new requirements. Build the strategy with agility in mind and answer questions like:
  - What if iPads were no longer supported tomorrow?
  - What if WiFi is no longer free wherever you go?
  - Is the strategy flexible enough to support these and other situations?