Eight steps for comprehensive BYOD governance

BYOD governance is not a destination, but a journey. It begins with this eight step roadmap for safe and effective BYOD policies.

With the proliferation of mobile bring-your-own devices and applications, CIOs have entered a new era of governance challenges, to say the least. Many organizations have jumped in and enthusiastically embraced these new technologies and, as many pioneers do, have the benefits and the scars to show for their efforts. Many others, however, have been extremely conservative (the politically correct term for slow) in their approach to adopting BYOD and BYOA, mainly because of the known and unknown risks that they pose. One major contributor to the somewhat measured pace of BYOD adoption is the failure of the enterprise to fully understand that these new mobile capabilities (intentionally or otherwise) make profound changes not just to its technologies, but to the very culture and operating model of the enterprise. By culture, I am referring to the core beliefs and values that motivate and drive people to do what they do. By operating model, I am referring to the system of methods and procedures that prescribe how people do what they do. And changing a company's culture and operating model is hard, really hard.

"There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things." Niccolo Machiavelli, The Prince, 1532.

Within the context of cultural and operating model change, consider the following with respect to the use of bring your own device (BYOD) …

Pre-BYOD adoption (traditional enterprise perspective) versus post-BYOD adoption (mobile enterprise perspective):

Device choice
Pre-BYOD: I use what I am given, which is often less useful than what I have for personal use.
Post-BYOD: I can buy and use whatever device I want, sometimes subject to enterprise-approved choice and use.

Device policy
Pre-BYOD: I use what I am given, subject to all policies and restrictions imposed by my company.
Post-BYOD: My device comes with an operating system; what more do I need?

Security
Pre-BYOD: I am required to comply with cyber and information security policies and procedures established by my IT department. There are penalties for non-compliance.
Post-BYOD: My device comes with built-in security; I might augment security if the IT department requires it.

Applications
Pre-BYOD: I use the applications that are dictated and provided by my company when they are provided. Policy restricts me from adding new applications of my choosing.
Post-BYOD: I will use the enterprise applications that I need to, and there is a whole other world of applications available on demand.

Cost and ownership
Pre-BYOD: My enterprise pays for my mobile device and its ongoing support.
Post-BYOD: I am fine with paying for my own device as long as I can choose, own and control its use.

Permitted use
Pre-BYOD: Use of my mobile device is restricted to company purposes.
Post-BYOD: I will use my device for work purposes while at work and for anything else that I want to, when I want to.

The makings of a comprehensive BYOD governance roadmap…

From a cultural perspective, BYOD changes a company's technology values from "… I use what I am given in the way that I am told …" to "… I use what I want in the way that I want when I want to, as long as my usage is (mostly) consistent with enterprise policies and procedures …" Similar to the cultural and social impacts of telecommuting, the lines between our business and personal lives become blurred even further. The responsibility for efficiently and safely accessing and using enterprise assets and resources shifts from one that has historically been IT department-centric, with some employee accountability, to a context where there is much more shared responsibility between enterprise and employee. These cultural and social changes must be managed well beyond the scope of the IT department's reach and must therefore be viewed as an enterprise responsibility.

From an operating model perspective, responsibility for access to enterprise assets and resources changes from "… paid for, owned and supported by the enterprise …" to "… paid for, owned and primarily supported by the employee." Importantly, the enterprise's firewall perimeter moves away from the endpoint and further into the network. Clearly, significant changes must be designed and implemented in the cyber and information security architectures of the network, applications and data management capabilities throughout the enterprise. The assumption that electronic access to the enterprise (on or off premises) by employees is "safe" because their devices are under enterprise control can no longer be made with confidence.

A comprehensive BYOD governance roadmap must therefore include goals, objectives, value statements, operating principles, policies, procedures, standards and guidelines that address the scope of the required cultural and operating model changes. The roadmap should carefully balance strategies for device management and use with a focus on good user experience. Let's look at some good practices for establishing and maintaining safe and effective mobile BYOD practices.

The good practices described below are adapted from "BYOD in the Enterprise – a Holistic Approach", ISACA Journal, Volume 1, 2013, S. Ravindran, R. Sadana and D. Baranwal.

1. Identify and involve key stakeholders. Customers, IT, Human Resources, Marketing/Sales, Legal, Management/Operating Committees and sometimes even the Board of Directors should be involved, as appropriate, to ensure that enterprise-wide requirements are thoroughly articulated, understood and included.

2. Define a sustainable BYOD policy. Major elements of the policy should include, for example: Identification of sensitive and proprietary corporate and personal information; management of asset ownership cost; delivery of a good (perhaps differentiating) user experience; provision for periodic non-disruptive updates to the policy as technologies or regulations change.

3. Include regulatory and internal audit compliance requirements. In addition to protecting sensitive and proprietary information, most jurisdictions have retention and reporting requirements for e-discovery and other legal proceedings. Ensure that mobile BYOD policies include provisions for these requirements. BYOD should be included as part of the enterprise risk assessment processes and policies should clearly conform to all statements regarding enterprise risk appetite.

4. Create and maintain an enterprise-wide list of supported devices. Endeavor to include support for the major device types and operating systems and keep the list up-to-date with new marketplace offerings.

5. Equip and train the staff. Like any IT deployment, provisioning and good training are key to successful adoption and effective use. This is an area where CIOs must communicate early and often. Prudent use of BYOD is, more than ever, everyone's responsibility -- it's not just an IT problem. Ongoing communication and training that includes the benefits and the potential pitfalls of BYOD is a must for successful deployment and use.

6. Create a mobile app store. Mobile apps require different skills, experience, operating platforms and procedures to develop, deploy and manage. Ensure that you have plans in place to acquire, train and develop the right human resources and that you have the bench strength to meet the demands of your BYOD strategy roadmap.

7. Ensure that the corporate network is up to the BYOD journey. Support for mobile devices generally results in an increased number of devices connected. Increasing availability and use of video in both personal and professional worlds creates an even larger demand on networking resources and capabilities. Guest networks are commonly provided for site visitors who do not need full access to enterprise resources. Include procedures in your network management playbook to continuously monitor and refine your network architecture to meet these ever-changing requirements.

8. Implement policies and procedures for deprovisioning devices. When an employee leaves the company, it is critical that the enterprise has a thorough and consistent means to ensure all corporate information is removed from the employee's device. Similarly, if a device is lost or stolen, the enterprise must have an effective means for wiping the device contents, sometimes even including the employee's personal information.

The road to successful BYOD implementation is surely a journey. Every organization will deal with its own unique opportunities and challenges and every implementation will be different. There is clearly a mix of cultural, personal and technological factors to consider and, as always, CIOs are in a wonderful position to lead their enterprise's journey.

Let me know what you think. Post a comment or drop me a note at [email protected]. Discuss, debate or even argue -- let's continue the conversation…