News Stay informed about the latest enterprise technology news and product updates.

BYOD and ITIL: Amicable relationship or irreconcilable differences?

BYOD, or bring your own device to work, is gaining ground, adding complexity to IT's job. Do frameworks like ITIL help or hurt BYOD?

Mobile devices that function as mini-computers are changing how employees work and how IT supports them. The trend to bring your own device to work -- or BYOD -- adds complexity to IT's already complicated job of mobile device management. Some question whether standard frameworks for delivering IT services apply to BYOD. Sharon Taylor, chief architect for the IT Infrastructure Library and president of Aspect Group Inc., an IT Service Management (ITSM) consulting and training company in Ottawa, assures us that ITIL is there to help, not hurt, BYOD programs.

Is ITIL appropriate for mobile device management and BYOD programs? Some people have said that it isn’t a useful framework for mobile platforms.
Taylor: ITIL is a set of practices for managing all IT services and thus not related to specific platforms, per se. It works with cloud computing, it works with mobile computing, it works with any kind of IT typology. And I think the people who are saying that it is not a useful framework really miss the point about what it is actually for.

The whole trend toward mobility has largely come from the raised awareness about cloud computing and how it lends itself to device-agnostic services. And it raises additional issues from an IT Service Management perspective that cause us to look at things in new ways.

BYOD is slightly different in terms of service-managing a mobile workforce. Managing a mobile workforce that has company-issued devices is much more straightforward. ITIL keeps up with that, and it is all about service management.

BYOD adds another layer of complexity to the things that best practices try to espouse, such as conforming to a corporate standard to lower cost of utilization and to enhance security and lower vulnerability and business risk. If you bring your own device, that changes how we think about service-managing a workforce. However, it is still managed in the same way, using the same processes.

Does a BYOD policy call into question the tenets of ITIL and ITSM?
Taylor: It forces us to think about focusing on different parts of the practice and in a different way.

I'll give you some examples. Some of the issues that are introduced as a result of BYOD are not so much service management issues as enterprise management issues. Take corporate identity: If it is important for the organization to have a branded identity amongst its workforce, this becomes more difficult with BYOD. If employees use their own smartphones, chances are they are going to be using their own telephone number. That means that the corporate identity is not the same as it would be if they were using an enterprise-issued device. So if corporate identity is an important thing, then that is something the organization needs to think about -- how does it manage that? And there are technical ways to do that, but it raises the cost and complexity of support.

Similarly, if we think about staff turnover in a BYOD environment, what do you do when an employee leaves the organization or changes departments, in terms of the accessibility that their own devices have to the company's data, information and access to the network? This becomes a huge issue and costly in terms of maintaining the security and maintaining access rights appropriately.

Then there is the issue of compatibility, which from an IT support perspective, is where the costs really can be a lot higher. If you have a number of different devices all trying to access the same services, and they are employee-owned devices, and who knows what else is being run on them, you have issues around compatibility.  If you are choosing to support those devices as a workforce tool, then you are probably expected to support them from an IT service perspective -- and that becomes a lot more complex to do and a lot more problematic. So things like security of corporate information and corporate data, these are all issues that come along with the BYOD concept. But they are not insurmountable.

In terms of how ITIL would approach this challenge, probably the focus would intensify over things like access management, one of the processes within ITIL. VPNs, or setting some corporate policy or IT policy for what can be stored resident on the local device, can be implemented. So there are ways that ITIL deals with that stuff, and those things are inherent in ITIL now. But it just causes a shift of thinking, and perhaps a shift of resources in terms of how those practices are actually executed.

And what about the observation about mobility and BYOD that the technology is just moving too fast for these best practices, in terms of the number of devices out there to potentially control and the number of new releases of the software for those devices?  Can a service desk even keep up?
Taylor: The fact that the technology is changing at a rapid pace has never stopped best practices from keeping up. It just means that people have to change what they focus on. But, for example, if you use the service desk, trying to script and prepare and educate service desk staff to deal with ever-changing device access to a corporate infrastructure, for example, does become very cost-intensive. So, one way to get around doing that is by establishing some base standards for the use of those kinds of products on a corporate infrastructure -- and how often they can be changed.

BYOD adds another layer of complexity to best practices such as conforming to a corporate standard to lower cost of utilization. … However, it is still managed in the same way using the same processes.

Sharon Taylor, chief architect, ITIL

But the reality is that that's been going on for eons, ever since the first mobile devices, like the PDAs in the old days which couldn't even fit in your pocket. People will find a way to use them as a work productivity tool. So, you have two choices: You can either ban their use as a policy statement, or you try and select the middle ground, where you can allow them to have access and be part of the employee's productivity; but knowing that there are inherent risks and costs associated with that, then you have to make a business decision about who pays for that and how much of it you pay for.

So it comes back to business policy in many cases. Are we going to try to keep pace with the change from a service desk perspective, or do we just throw best efforts at it? Do we pass on the costs to the users, which some organizations are doing? So, if you want to use your iPhone 4 on the corporate infrastructure and you want that device to be supported, you have to pay for the privilege of doing that. That is becoming a more common business cost model. But all this is really as old as ITIL is old, making the consumer aware of the cost of providing service by the choices they make is something that ITIL has talked about all the time.

Especially in Version 3.
Taylor: That's right. And from the early ‘80s we have talked about changing consumer behavior by managing demand patterns. Let's say you have a sales department that has a mobile workforce, and they all have different devices, but they all want to use them because cloud computing makes it easy for them. You think, from an asset perspective, "Oh wow, this is going to cost us less money because we are not having to dole out new smartphones or PDAs to all these people." However, the downside is that the support costs probably will eat up those savings. So, as a business entity, the IT provider says, "OK, we can support BYOD, but here is the cost associated with doing that. And here are some choices: For example, we'll build the applications that you need to use on your device so that you can access the infrastructure, if you agree to limit the number of devices that you will offer for use by the workforce. Or, we can build different platforms if you will constrain the use of how many applications you access." So there are different ways to manage the diversity of that, but those are all things we have espoused as part of ITIL practices for over 20 years now.

One recent sentiment is that the idea of IT controlling the use of technology in the company is going the way of the dodo bird. In talking to CIOs, are you sensing that there is culture shift in how IT and the business are going to be interacting or offering IT services in the enterprise?
Taylor: Well I think that there is a shift happening, but I don't think it is as related to things like mobility in the workforce as the catalyst. The shift in thinking is that total control brings with it rigidity in terms of business profitability. So, you can control everything -- technically, it is possible; you can lock down things to ensure that you have 100% control of the environment. But what you give up on the other side is innovation and productivity. And I think CIOs and CEOs and COOs are all starting to see that there is a middle road that is likely the best opportunity, one that for high-secure environments that have lots of legislative compliance needs, there might be a need to have more control in certain aspects of the business. But in others, it might be quite OK to open up the cap slightly and have less control in favor of innovation. And that might come by the way of the use of new technology, such as bring your own device. I think the best innovations are spawned out of happenstance, to some degree. So the shift in thinking is coming more from thought about business profitability and innovation than from technology, per se. I think these changes are byproducts of the fact that our thinking is shifting to, let's focus more on how innovation releases profits in a company, as opposed to IT controlling or preserving the sanctity of the environment.

Let us know what you think about the story; email Linda Tucci, Senior News Writer

Dig Deeper on Small-business IT strategy

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.