Securing mobile BYOD: keeping up and doing it right

The technologies for securing access to business information and systems from personal devices are becoming very capable, and they are developing very rapidly. These should be taking away the fear of ‘Bring Your Own Device’, which is still surprisingly common among ICT teams, and allowing us to embrace a change which gives us the opportunity to provide a much more user-focused experience without compromising the safety of our organisations’ information. Actually, I think this will improve security too.

Firstly, I have no intention of allowing an unsecured device to connect into our secure networks. The focus for BYOD has to be on delivering information securely beyond the network, not opening the doors to all manner of unmanaged threats — that would be daft!

But I also genuinely don’t believe that managing a personal device as you would a corporate device is a viable BYOD proposition. Nor do I believe that it’s necessary given the technology capabilities available and the right policy and practices (I recently blogged some thoughts about how the traditional business and ICT relationship for security needs to be rebalanced here: https://bytherye.com/2013/08/28/does-ict-need-a-manifesto/). Indeed, I think that BYOD could actually increase the safety of information as it will reduce the likelihood of users doing really silly things such as losing sensitive paper documents and emailing inappropriate information to personal addresses. Evidence from the Information Commissioner shows that these are by far and away the most common reasons for information incidents (http://www.ico.org.uk/enforcement/trends).

Councils have had close to 50% of their budgets cut and we have to work much more closely with communities and a wider range of partners to help bridge the gap. We need to meet the BYOD challenge or ICT will be creating expensive barriers to achieving those business goals (for example, community groups are unlikely to be willing or able to pay a large ‘IT tariff’ just to have a council device so that they can work with us, and you can’t manage a device with two different Mobile Device Management services — which is important where partners need to use their own managed corporate devices to work with us).

The main mobile platforms have been making major leaps forward in addressing concerns about security, and tools we already have available can help us to make this work.

Mobile Device Management providers such as AirWatch (http://www.air-watch.com/solutions/bring-your-own-device-byod) can provide the ability to implement sufficient controls and where needed lock business information safely away in a secure container.

And we actually even have very powerful tools available within our existing email services which again allow us to make sure that appropriate protection can be provided if we allow access to our corporate email from a personal device. These include requiring a passcode lock, wiping the device after a certain number of failed password attempts, remote wipe for devices which are lost or stolen, limiting the amount of email which gets sent to the device (for example, seven days’ worth is quite sufficient for users to get a big productivity gain while also significantly limiting the amount of data which is sent to the device), encrypting the device and managing how attachments are handled. For detail of some of these capabilities check out these links:

Microsoft Exchange ActiveSync: http://technet.microsoft.com/en-us/library/bb123484(v=exchg.141).aspx

Google Sync: http://support.google.com/a/bin/answer.py?hl=en&answer=1408902
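
To make the controls listed above concrete, here is how they map onto an Exchange 2010 ActiveSync mailbox policy. This is an added example, not configuration from our own environment: the policy name, the mailbox address and the numeric thresholds are assumptions chosen for illustration, and only the one-week email window comes from the text above.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010).
# 'BYOD-Personal' and user@example.org are hypothetical names; thresholds
# are illustrative assumptions, not recommended or production values.

$policy = @{
    Name                            = 'BYOD-Personal'
    # Refuse devices that cannot enforce the settings below.
    AllowNonProvisionableDevices    = $false
    # Passcode lock, with simple PINs such as 1234 disallowed.
    DevicePasswordEnabled           = $true
    AllowSimpleDevicePassword       = $false
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = '00:05:00'
    # Device wipes itself after this many failed passcode attempts.
    MaxDevicePasswordFailedAttempts = 8
    # Encrypt data held on the device.
    RequireDeviceEncryption         = $true
    # Only the last seven days of email are synchronised.
    MaxEmailAgeFilter               = 'OneWeek'
    # Attachment handling: allowed, but capped in size.
    AttachmentsEnabled              = $true
    MaxAttachmentSize               = '5MB'
}
New-ActiveSyncMailboxPolicy @policy

# Apply the policy to a user who has opted in to BYOD email.
$mailbox = 'user@example.org'
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy 'BYOD-Personal'

# Lost or stolen device: list the user's device partnerships, then
# issue a remote wipe for the one reported missing.
Get-ActiveSyncDevice -Mailbox $mailbox | Format-List Identity, DeviceType, FriendlyName
# Clear-ActiveSyncDevice -Identity '<Identity value from the list above>'
```

Setting `AllowNonProvisionableDevices` to `$false` is what makes the rest enforceable: a device that cannot apply the policy is refused synchronisation instead of being let through unprotected.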

Balanced with the right policies, robust user training and alternative secure solutions for more sensitive information (a much smaller but very important part of the information we look after) I’m convinced that this approach can provide a viable way forward.

But we also need to remember that providing access to email and calendars is really only the first step in delivering a genuine shift and enabling our users to work productively from any device. Recent updates to iOS and Samsung’s Knox give much more sophisticated mobile management capabilities, accelerating a move away from Mobile Device Management towards secure Mobile Application Management. These links provide a bit more detail about these changes:

iOS 7: http://www.citeworld.com/mobile/22439/iOS7-mobile-management-mdm-mam

Knox: www.samsung.com

While these are very recent additions to our toolkit, the potential they offer is substantial. And let’s not fall into the trap of thinking that this is all about ‘bring your own’ and playing with shiny toys. It’s about ICT moving beyond the old ‘all in one’ model where we have to control everything, it’s about removing technology barriers to our organisations’ innovation and it’s where we have to get to if we’re going to still be relevant in only a short period of time.

Some slides…

I had the pleasure of attending yesterday’s Service Desk and IT Support show (SITS13), talking about the work we’ve been doing to give our users online self-service access to IT and other support services and enabling bring your own device.

It was great to see how many other people are keen to discuss these subjects, and I enjoyed the conversation which followed. I’ll blog some thoughts on that in the next few days, but in the meantime one attendee asked if I’d be posting my slides here which seemed like a really good idea. So without further ado, here they are:

Slide deck

And here’s a version with a few more detailed notes:

Slide deck with notes

Bring your own helpdesk?

The consumerisation of IT is changing the way we support our users. In the ‘good old days’ IT were the experts. We knew our standard builds and applications inside out, we knew the idiosyncrasies, and we could provide the fixes and work-arounds needed to help our users do their work. (And often we even managed to do that quite well!)

Now that’s all changed.

In just the last month we’ve seen the arrival of new new iPads, smaller iPads, Windows 8, RT, Surface, another slew of Android devices, and it’s probable that within a couple of months BlackBerry 10 will arrive on the scene. After years of working to standardise and simplify the device landscape, consumer power and a technology explosion have given us a more complex scenario than we’ve seen for a generation.

And at the same time IT budgets are still under pressure and the drive to achieve ‘more for less’ has continued unabated.

So what do we do about it?

I think that the answer lies in the same forces that have created this conundrum, and actually has the potential to change the relationship between IT and our users. Along with consumerising IT we also need to consumerise support.

IT service managers have long worried about Knowledge Management, but I was struck by a recent tweet suggesting we should shift our focus to knowledge curation. By sharing the responsibility for identifying useful information, encouraging users to collaborate with each other (and with us), and making this a core part of our service delivery rather than a sideline, we might be able to harness the power of our user communities to meet the challenge of bring your own device. We’ll spend a bit less time writing up knowledge articles and a lot more time encouraging users to share their knowledge and helping other users find the advice they need.

This isn’t new. Most offices have someone who their colleagues turn to for help with IT, the internet has become a fantastic source for practical advice, and Cisco have been using this approach to support their BYOD programme.

Some steps we’re taking.

We realise that making this shift isn’t going to be a simple exercise. Gartner’s research into the ‘social organisation’ clearly demonstrates that successfully using collaboration for business benefit takes careful management and a focused approach.

Our key steps will be:

  • building on our existing success with self-service: over 60% of our helpdesk transactions are already online, which gives us a good start as people are used to dealing with IT issues through the web.
  • making it as easy as possible for users to access our online helpdesk service: providing access from any device, anywhere, any time.
  • giving more prominence to search of useful information: to encourage self-help, and make sure that knowledge (whether ‘official’ or user generated) is easy to find.
  • using a ‘gamification’ approach: to give users who contribute their knowledge to help colleagues the maximum sense of reward.

Previous tentative efforts have shown that this isn’t going to be easy, but the challenge of BYOD makes it essential that we succeed. And the rewards may extend well beyond providing more effective IT support, by helping to build a sense of connectedness and collaboration that could contribute towards more effective working generally.

Some thoughts on BYOD (part two of two): so, how can we do it?

In my last post I explained why I think that bring your own device needs to be taken seriously. In this post I’ve tried to bring together some thoughts to suggest how we can go about enabling bring your own in a way that strikes a balance between appropriate security and real benefits for the workforce.

To start with, I thought that it was worth putting down a few things which I think ‘bring your own’ is probably not:

  • securing personal devices in the way we would corporate devices: who’d want to subject their shiny new iPhone 5 or Galaxy S3 to becoming a pseudo-corporate device and have large parts of key functionality switched off to meet security rules? I don’t think that this is necessary, nor is it likely to be very successful.
  • delivering a virtualised Windows desktop to a smartphone or tablet: which can be a fairly painful user experience even for patient people. In my view, this is definitely a last resort where legacy applications aren’t ready for delivery to mobile devices.
  • something that will only work if the user is online: even in central London there are plenty of spaces where consistently reliable mobile internet connectivity is still a dream — and when you step outside of the city it can be even further off…
  • a way to save lots of money: I’m unconvinced that bring your own will replace the need to provide core tools for many (/ most) users for a good while yet, and savings from device costs are quite likely to be swallowed up by the investment required to provide a more flexible infrastructure. And then there’s the support for this new diversity of devices to consider too…

I think that there are a number of practical ways to bring ‘bring your own’ to life, specifically:

  • take it one step at a time: there are many commentators who make the (valid) point that simply delivering email to personal devices isn’t really achieving bring your own. But given how important a role email plays in people’s working lives, it’s still a good place to start, and personal experience suggests that this is still a Big Thing. In my view we should focus on practical measures to move appropriate access for corporate systems and data beyond the private network, and keep iterating.
  • don’t forget that people have personal computers too: most of the bring your own debate focuses on mobile devices, but virtualised desktops or access to corporate apps via the web using personal PCs is still a great way to make it easy for people to work from home. Indeed, I’ve lost track of how many times I’ve been asked “why can’t I get to that using my home PC?” — not everyone likes lugging a laptop to and from home every day…
  • policy and training are every bit as important as technology: as I’ve highlighted before, unwise user behaviour is still the #1 cause of security breaches.
  • if you’re doing it, encourage it: we’re looking hard to see how we can use employee purchase schemes to encourage wider use of new devices (without cost to our organisation) and maximise the exploitation of the technology change we’re delivering. The Guardian have a great video showing what they’ve achieved with this here.
  • the real hard work will be liberating our information and making it available on any device: this is going to require effort to deliver mobile application management and ultimately mobile information management (Brian Madden gives a useful summary of these terms here), and for me the goal is to provide effective APIs to corporate data — where information security is built into the API — and apps that work with those APIs. This isn’t a trivial exercise though, and isn’t simply about bring your own (actually I think that the real justification for this effort is in mobilising the workforce, better online services and open data). So, as I’ve suggested above, it makes sense to look for the quick wins that can give users a real benefit while the harder work takes place.

Some thoughts on BYOD (part one of two): why does all this matter?

Bring your own device seems to crop up everywhere these days, and I’ve been struck by the wide range of attitudes and approaches to this trend. For some BYOD seems to be an unmanageable threat which has to be resisted at all costs, to others it’s a distraction from the core job of delivering IT to the business. And then there are others who are evangelising BYOD as a new IT nirvana.

So, the question I keep asking myself is how do we go about sifting the wheat from the chaff, how do we figure out what role (if any) personal devices have within the work environment, and how can we use the undoubted potential presented by the explosion in personal and mobile computing power to deliver big results for our organisations?

There are a few key reasons why in my view, BYOD (and the wider ‘consumerisation of IT’ in general) is something which has to be taken seriously:

  • the days when corporate IT could afford to provide the best IT tools are long gone: consumer devices are now changing at a phenomenal rate, with a refresh cycle of 1–2 years which very few IT organisations can afford to match. And even if we could, the ‘best practice’ model of standardised business devices will inevitably alienate a significant proportion of the workforce who prefer a different platform (the battle rages across my team between the iOS obsessives and the Android fanatics, and I’m sure it will get even more confusing if Windows RT is a success).
  • many people don’t actually want to carry separate devices around with them: and while there are still some traditionalists who want to maintain completely separate work and personal lives, there are more and more people who would relish the ability to work more flexibly but who don’t want yet another device to lug around (even if we could afford to provide it to them — which often we can’t!).
  • delivering our services is increasingly involving collaboration with a wider range of people than ever before: and in many cases it will be hard to persuade someone to contribute their time to help us provide services to the community if we then force them to use our systems in a way that they find inconvenient.
  • the way people consume IT in general is changing beyond recognition: with more and more ‘cloud’ services which let users bring their own app, meaning that they can use whatever device they like anyway!

Given all this, it seems to me that the role of IT is increasingly becoming one where we need to focus less and less on devices, and more and more on information — helping to free our users to make their own choices about the way they connect to systems, and using our energies to protect the information which matters and equally importantly help our users to work and collaborate as productively as possible.

In my next post I’ll try to set out some of the steps which I think will be important to successfully moving from the traditional IT role of supply and control, to a new way of operating where we are enabling the organisation to work more flexibly and productively than ever before.