Architecture and Design /

BYOD: Large Firms need Clarity from the Top, not Ambiguity or Denial

Man looking over City

In a previous article, we pointed out how millennials – whose digital-nativeness is often praised by employers – are actually endowed with less cybersecurity-savviness than their more senior co-workers. A key consequence of this is their failure to distinguish personal from professional uses of technology, and the fact that consumer and corporate tech are still two completely different worlds.

In recent years, the classic distinction between consumer and corporate technology has been increasingly blurred, with many large firms allowing or encouraging BYOD (Bring Your Own Device) and BYOS (Bring Your Own Stuff/Software) practices, introducing many new security, legal and managerial implications which we have analysed et length in a white paper back in 2013.

At the time, a large proportion of IT departments were struggling with this, and many senior execs in large firms were simply sitting on the fence (many of them like their gadgets too !!!) : A study from Ovum in 2012 found that 80% of companies worldwide had not yet got a signed BYOD policy and that 28% of IT Departments simply ignored BYOD behaviours. Some anecdotal evidence we come across in the field day after day suggests that the situation has not changed that much in 4 years …

The tremendous growth of the consumer technology market in the past decade — much more significant than the evolution of the enterprise technology market — has continued to drive that trend relentlessly. When it comes to innovations, tech firms tend to go where the big money is. The rising consumer market has continued to be the focus of most innovative technologies, which usually take several years to enter corporate IT.

As a result, employees are more and more frustrated by what they see as inefficiencies and unnecessary rigidities in the technology they have to work with. Many firms still require that their employees use email servers with limited disk space capacity and which often force them to delete their emails in order to be able to receive new ones. In an age where services such as gMail offer virtually unlimited storage, such working tools are increasingly seen as obsolete by employees who got used to the convenience of consumer tech.

They simply forget that IT was not invented with the iPhone. The history of Corporate IT spans the past 50 years, from the introduction of the computer in the 1960s and the 1970s (perforated cards and disks the size of a washing machine), through the introduction of personal computers 20 years later, and the Internet 20 years after that. It is this evolution over 50 years that has shaped Corporate IT the way it is today, with its practices, its cost structure, its layers of legacy, and its obsessions. Consumer tech, born out of the Internet and mobile devices, is considerably younger and hasn’t yet gone through the same cycles.

One of the major differences between consumer and corporate tech, however, is the attention being paid to security. Consumer tech has to keep things fluid, transparent and simple for its mass market, where a vast majority of customers has no form of real IT knowledge. Historically, legacy corporate technologies have been designed to keep data and information locked into the organisation. Intranets prevailed over the internet, and inconvenient yet secure in-house email servers were privileged over more advanced but less secure consumer tech ones. Nowadays, though, professionals are increasingly looking for easy ways to access, work on, and share whatever they need from wherever they are. Even if this means dodging IT policies – when they exist. These practices have created layers upon layers of Shadow IT in some large firms, which have become a nightmare for many un-prepared CIOs.

The “Bring Your Own Stuff” trend goes even further and aims at giving people more flexibility in how they work in order to make them more productive. Yet the issue with BYOS is that employees all-too-often bring the bad behaviours developed in the consumer tech world — such as reusing password or accessing sensitive information from unprotected public hotspots —­ into the business world, putting corporate information assets at greater risk.

Of course, many enterprise mobility management solutions do exist and might make BYOD and BYOS programs significantly safer, but as always with complex cross-silo problems such as these, it is simply wrong for large firms to start from the technical end and throw money at an alleged technical solution in the hope it will solve everything.

The challenges go way beyond virtualisation or containerisation, and are rooted in corporate culture, issues of accountability and liability and the real ability of employees to work autonomously and securely on an IT platform they support themselves. It may involve appropriate training – as well as technical tools – and in all cases, it requires a clear positive leadership message from the top outlining what is allowed and what’s expected from staff. A message that the leaders themselves must be prepared to follow without ambiguity or denial.

 

JC Gaillard

Managing Director

Corix Partners

Click here to download our BYOD white paper “A Risk Analysis Grid for Large Corporations”

Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners.

Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.

This article was written in collaboration with Vincent Viers for LinkedIn Pulse and originally published on 20 October 2016.