Some thoughts on BYOD (part two of two): so, how can we do it?

In my last post I explained why I think that bring your own device needs to be taken seriously. In this post I’ve tried to bring together some thoughts to suggest how we can go about enabling bring your own in a way that strikes a balance between appropriate security and real benefits for the workforce.

To start with, I thought that it was worth putting down a few things which I think ‘bring your own’ is probably not:

  • securing personal devices in the way we would corporate devices: who’d want to subject their shiny new iPhone 5 or Galaxy S3 to becoming a pseudo-corporate device and have large parts of key functionality switched off to meet security rules? I don’t think that this is necessary, nor is it likely to be very successful.
  • delivering a virtualised Windows desktop to a smartphone or tablet: which can be a fairly painful user experience even for patient people. In my view, this is definitely a last resort where legacy applications aren’t ready for delivery to mobile devices.
  • something that will only work if the user is online: even in central London there are plenty of spaces where consistently reliable mobile internet connectivity is still a dream — and when you step outside of the city it can be even further off…
  • a way to save lots of money: I’m unconvinced that bring your own will replace the need to provide core tools for many (or most) users for a good while yet, and savings from device costs are quite likely to be swallowed up by the investment required to provide a more flexible infrastructure. And then there’s the support for this new diversity of devices to consider too…

I think that there are a number of practical ways to bring ‘bring your own’ to life, specifically:

  • take it one step at a time: there are many commentators who make the (valid) point that simply delivering email to personal devices isn’t really achieving bring your own. But given how important a role email plays in people’s working lives, it’s still a good place to start, and personal experience suggests that this is still a Big Thing. In my view we should focus on practical measures to move appropriate access for corporate systems and data beyond the private network, and keep iterating.
  • don’t forget that people have personal computers too: most of the bring your own debate focuses on mobile devices, but virtualised desktops or access to corporate apps via the web using personal PCs is still a great way to make it easy for people to work from home. Indeed, I’ve lost track of how many times I’ve been asked “why can’t I get to that using my home PC?” — not everyone likes lugging a laptop to and from home every day…
  • policy and training are every bit as important as technology: as I’ve highlighted before, unwise user behaviour is still the #1 cause of security breaches.
  • if you’re doing it, encourage it: we’re looking hard to see how we can use employee purchase schemes to encourage wider use of new devices (without cost to our organisation) and maximise the exploitation of the technology change we’re delivering. The Guardian have a great video showing what they’ve achieved with this here.
  • the real hard work will be liberating our information and making it available on any device: this is going to require effort to deliver mobile application management and ultimately mobile information management (Brian Madden gives a useful summary of these terms here), and for me the goal is to provide effective APIs to corporate data — where information security is built into the API — and apps that work with those APIs. This isn’t a trivial exercise though, and isn’t simply about bring your own (actually I think that the real justification for this effort is in mobilising the workforce, better online services and open data). So, as I’ve suggested above, it makes sense to look for the quick wins that can give users a real benefit while the harder work takes place.