The Bring Your Own Device (BYOD) trend is consuming lots of digital ink on blogs, IT managers are wrestling with the problems created by it, and a growing number of vendors are addressing the issue with innovative new solutions. But when we talk about the “Device” in BYOD, what do we really mean? I contend that BYOD should really be BYODA: Bring Your Own Devices and Applications (remember, you saw it here first!).
The problems with BYOD in a device-only context are several:
- IT must spend more of its already scarce time to manage employee-owned devices like iPhones, iPads, Android smartphones, Android tablets, etc., in addition to the devices they supply to employees. This consumes an increasing amount of staff time in IT departments that are already resource- and budget constrained.
- More strategically, employee-owned devices that access corporate applications, download email, store attachments and the like are mini-repositories of sensitive and confidential information that can create a variety of compliance problems. For example, a lost device that cannot be remotely wiped (not all companies have yet implemented this capability) can create enormous data breach notification problems, not to mention the potential exposure of intellectual property.
- Even for devices that are not lost, imagine going through an e-discovery, regulatory audit or similar exercise in which you have to identify, search and extract data from potentially thousands of devices that are spread around the globe.
- When employees leave your company, you have to ensure that a) sensitive or confidential corporate data has been returned to the company along with the device itself and b) that copies are not stored in repositories outside of IT’s control.
How are these problems any different for an organization when users download Dropbox, share company files via Hotmail to get around file-size limits in the corporate email system, or post information to Twitter or Facebook? Fundamentally, the problems are the same for devices as they are for applications: IT must spend time managing/blocking/creating policies about these applications if they want to exercise any sort of control over the content stored or sent using them, they face compliance issues when data is stored in personal cloud repositories, they face the same kinds of search and extraction problems when going through e-discovery or regulatory audits, and they have no assurance that corporate content is not still somewhere in the cloud after an employee leaves.
In short, the BYOD problem is not really a device-focused issue, it’s part of a larger governance issue that encompasses both devices and potentially thousands of different (mostly cloud) applications.