Wednesday, June 4, 2014

Why I'm Sick of the BYOD Propaganda

I have some gripes about this whole BYOD ongoing discussion so I thought I would throw my two cents in the mix.

I believe there is a place in the business world for BYOD. That being said, I'm about done with being inundated by articles on every LinkedIn page, G+ community and "whitepaper" slinger out there.
I see such headlines as:

"Danger! BYOD Ahead"
"Don't miss the BYOD train or your organization is dated and you are obviously a worthless CEO/CIO/IT person"
"BYOD Security Flaws"
"Let Staff Go Rogue on Tech"

and the list goes on...

What I'm getting at here is twofold. All at once, the internet is saying "CEO's: Demand BYOD or Die" and the other side (mostly retailers of BYOD products) says "BYOD too Dangerous to Use".

BYOD - by definition means to allow users to bring their own devices to work. It is important to note that there are different risk-levels for the different types of devices and information that can be accessed on them. This can occur in the form of a smart phone, laptop, tablet, desktop etc.  I tend to think that you would be hard-pressed to make a business case in most organizations that BYOD for primary work devices gives your company some sort of competitive advantage when talking about replacing that with organizationally standardized equipment.

Scenario 1:
Take for instance an organization that has four standardized models of computers available by business need. Perhaps one needs to run CAD or some graphically intense program and one does just basic Office apps and lets assume you need to have a laptop version of these specs and a desktop version. So you've got 4, predefined options at set costs which are predictable, able to be budgeted and optimized for the type of work the user will be doing. This cost includes the licensing which is tracked and manged by IT.

Scenario 2:
Now, imagine a world in the same organization that says "here's $1,500 - buy yourself a computer".

In scenario 1- the user gets exactly what they need for the type of work they will be expected to do, the equipment is known, the warranty is known, IT in the organization can report on licensing and keep an inventory of spare parts (eventually) that will assist every user.

In scenario 2 - the user gets whatever they want -  maybe they consider their work, maybe they don't. Maybe the computer doesn't have the specs it needs to perform optimally. IT has a hard time walking through issues because they don't know where the wifi switch is, or if it has a DVD drive or how the Fn keys are laid out. There is no enforceable time limit on age of machines either. You can't guarantee a warranty for x number of years.

I realize that in scenario 2 - there can be policies in place to deal with some of those issues, guidelines to work inside, but it seems to me that there is no REAL calculable benefit to allowing users to BYO-PrimaryWorkDevice.

I have users come in all the time and ask if they can bring in their iSomthing or their Android something or their Kindle something and connect to wifi. My answer is "No".  I know, that makes me a big meanie. But lets think about this. If I have provided you with a work machine that is designed to do what you need for your job and is protected appropriately, what are you going to use your personal device for? You're going to use it to stream music or movies or watch youtube (the last one you can do on your work machine) maybe play games or read a book. So don't give me any business about it making people more efficient because honestly, it's not going to.

BYOD for A Specific Purpose

There is a HUGE difference between allowing users to access their email via a smart phone/tablet/laptop via webmail/push and allowing it to be plugged directly into the corporate network.  We need to narrow the scope and define BYOD a little better before we go ahead and classify plugging your work computer into the network directly vs accessing corporate webmail from a personal device.  The risks are different, the exposure is different and honestly, one is more controllable than the other.
I propose banning the term BYOD and replacing it with: BYOP (phone), BYOC (computer), BYOS (software), BYOED (email device).

Lets face it - most corporations and organizations have had webmail available for use forever. This wasn't considered BYOD even though you can access the webmail from any computer in the world and there is no more exposure for corporate data on a push design smartphone than there is a user forwarding attachments/emails to their home email account to work on on their home computer - which is what happens.

So really, you're better off controlling the access by at least having the email/few documents on a device that has enforceable policies rather than having users forward documents via email to their aol account and opening them at home and sending them back.

These are a few of my half-baked ideas on BYOD which I will edit as I form a more coherent opinion on the subject. The discussion is out there, lets talk about it frankly instead of hiding behind acronyms and incalculable "efficiency" data from vendors.