Some thoughts on BYOD (part two of two): so, how can we do it?

In my last post I explained why I think that bring your own device needs to be taken seriously. In this post I’ve tried to bring together some thoughts to suggest how we can go about enabling bring your own in a way that strikes a balance between appropriate security and real benefits for the workforce.

To start with, I thought that it was worth putting down a few things which I think ‘bring your own’ is probably not:

  • securing personal devices in the way we would corporate devices: who’d want to subject their shiny new iPhone 5 or Galaxy S3 to becoming a pseudo-corporate device and have large parts of key functionality switched off to meet security rules? I don’t think that this is necessary, nor is it likely to be very successful.
  • delivering a virtualised Windows desktop to a smartphone or tablet: which can be a fairly painful user experience even for patient people. In my view, this is definitely a last resort where legacy applications aren’t ready for delivery to mobile devices.
  • something that will only work if the user is online: even in central London there are plenty of spaces where consistently reliable mobile internet connectivity is still a dream — and when you step outside of the city it can be even further off…
  • a way to save lots of money: I’m unconvinced that bring your own will replace the need to provide core tools for many (/ most) users for a good while yet, and savings from device costs are quite likely to be swallowed up by the investment required to provide a more flexible infrastructure. And then there’s the support for this new diversity of devices to consider too…

I think that there are a number of practical ways to bring bring your own to life, specifically:

  • take it one step at a time: there are many commentators who make the (valid) point that simply delivering email to personal devices isn’t really achieving bring your own. But given how important a role email plays in people’s working lives, it’s still a good place to start, and personal experience suggests that this is still a Big Thing. In my view we should focus on practical measures to move appropriate access for corporate systems and data beyond the private network, and keep iterating.
  • don’t forget that people have personal computers too: most of the bring your own debate focuses on mobile devices, but virtualised desktops or access to corporate apps via the web using personal PCs is still a great way to make it easy for people to work from home. Indeed, I’ve lost track of how many times I’ve been asked “why can’t I get to that using my home PC?” — not everyone likes lugging a laptop to and from home everyday…
  • policy and training are every bit as important as technology: as I’ve highlighted before, unwise user behaviour is still the #1 cause of security breaches.
  • if you’re doing it encourage it: we’re looking hard to see how we can use employee purchase schemes to encourage wider use of new devices (without cost to our organisation) and maximise the exploitation of the technology change we’re delivering. The Guardian have a great video showing what they’ve achieved with this here.
  • the real hard work will be liberating our information and making it available on any device: this is going to require effort to deliver mobile application management and ultimately mobile information management (Brian Madden gives a useful summary of these terms here), and for me the goal is to provide effective APIs to corporate data — where information security is built into the API — and apps that work with those APIs. This isn’t a trivial exercise though, and isn’t simply about bring your own (actually I think that the real justification for this effort is in mobilising the workforce, better online services and open data). So, as I’ve suggested above, it makes sense to look for the quick wins that can give users a real benefit while the harder work takes place.

Some thoughts on BYOD (part one of two): why does all this matter?

Bring your own device seems to crop up everywhere these days, and I’ve been struck by the wide range of attitudes and approaches to this trend. For some BYOD seems to be an unmanageable threat which has to be resisted at all costs, to others it’s a distraction from the core job of delivering IT to the business. And then there are others who are evangelising BYOD as a new IT nirvana.

So, the question I keep asking myself is how do we go about sifting the wheat from the chaff, how do we figure out what role (if any) personal devices have within the work environment, and how we can use the undoubted potential presented by the explosion in personal and mobile computing power to deliver big results for our organisations?

There are a few key reasons why in my view, BYOD (and the wider ‘consumerisation of IT’ in general) is something which has to be taken seriously:

  • the days when corporate IT could afford to provide the best IT tools are long gone: consumer devices are now changing at a phenomenal rate, with a refresh cycle of 1–2 years which very few IT organisations can afford to match. And even if we could, the ‘best practice’ model of standardised business devices will inevitably alienate a significant proportion of the workforce who prefer a different platform (the battle rages across my team between the iOS obsessives and the Android fanatics, and I’m sure it will get even more confusing if Windows RT is a success).
  • many people don’t actually want to carry separate devices around with them: and while there are still some traditionalists who want to maintain completely separate work and personal lives, there are more and more people who would relish the ability to work more flexibly but who don’t want yet another device to lug around (even if we could afford to provide it to them — which often we can’t!).
  • delivering our services is increasingly involving collaboration with a wider range of people than ever before: and in many cases it will be hard to persuade someone to contribute their time to help us provide services to the community if we then force them to use our systems in a way that they find inconvenient.
  • the way people consume IT in general is changing beyond recognition: with more and more ‘cloud’ services which let users bring their own app, meaning that they can use whatever device they like anyway!

Given all this, it seems to me that the role of IT is increasingly becoming one where we need to focus less and less on devices, and more and more on information — helping to free our users to make their own choices about the way they connect to systems, and using our energies to protect the information which matters and equally importantly help our users to work and collaborate as productively as possible.

In my next post I’ll try to set out some of the steps which I think will be important to successfully moving from the traditional IT role of supply and control, to a new way of operating where we are enabling the organisation to work more flexibly and productively than ever before.

Getting the right perspective

For many years now our focus in public sector ICT has been hugely on securing the information which we’re responsible for. There are good reasons for this, and plenty of examples which demonstrate the importance of taking care of the information people trust us with (not that they always do this by choice of course!).

But are we seeing the full picture? In my view there’s a real risk that some other equally important considerations get lost if we only look at technical security measures:

  • Behaviour matters as much as technology: a quick review of fines from the Information Commissioner’s Office shows that a disproportionate number of breaches are due to people’s behaviours with email, faxes and online information.
  • Paper can be as much (or even more) of a risk as electronic information: again, significant fines have been levied in response to lost paper records (which can’t be password protected, encrypted or wiped remotely in the event that they’re lost).
  • We risk focusing on security at the expense of productivity: with a result that business performance is held back and customers lose out in terms of the timeliness and quality of services they receive.
  • We need to be sensible about where we draw the line: there’s a significant difference in my view between critical business information and ‘user-generated information’ such as meeting notes etc. The latter have historically been kept in notebooks and loose paper, and if these haven’t been subject to strict controls before we need to think carefully before we lock them down simply because they’re being taken electronically.

The right approach will depend on what the information is and the context (it’s easy to forget that many private enterprises are every bit as concerned to protect intellectual property and trade secrets as government organisations are to protect public information).

Technology can play a part in changing the balance though, and I’m very drawn to the concept (put forward by Brian Katz and others) that we look afresh at security and move to an approach where we can reliably and securely work with untrusted devices, and instead focus on securing apps and information. My light summer reading has included the useful book APIs: a Strategy Guide, and this has really got me thinking about the potential for successfully using APIs to enforce business controls, and securely unlock information to balance the needs of a productive workforce with our responsibility to keep information safe.

Getting agile in #localgov : with a bit of help from G-Cloud

[This first appeared as a guest blogpost on the G-Cloud blog]

Technology is changing fast and we’re excited about the potential that this offers for us to improve the way we deliver services. This couldn’t have happened at a better time given the urgent need to sustain local services while we deal with substantial budget reductions. Lambeth’s new ICT strategy sets out our vision to enable our users to be productive from any device, anywhere, any time, and will see us focusing on using the cloud, mobility and apps to make this happen.

We’re not naive, and we realise that some business processes and legacy architecture will take more time and work before we can move them to the cloud, and we also know that given the speed at which technology is changing it will be easy to make expensive mistakes if we’re not careful. An agile approach to delivering our strategy is essential and we are prioritising focus. We have already started to migrate some of our key services such as email to the cloud, and we’ll be redesigning the way we do things to give us as much flexibility as possible as we move forward, avoiding long contract lock-ins where we can.

An example of how we can use innovation to make a real difference for our customers is our work to make tablet devices available to our users. Our pilot work has shown that this will help our frontline teams deliver much more personal and responsive services — increasing their productivity and cutting out paperwork and bureaucracy. Successes we want to build on include the services we provide to homebound library users who our home visitors can now help browse the catalogue online and check books in and out while they visit them, and vulnerable children whose social workers have reduced the time it takes to complete key work by up to 14 days through removing double entry of information.

The technology for securing information on mobile devices is changing fast and looking forward we want to switch the focus from trusting devices towards managing applications and information to provide the security we need on any device so that we can give our users genuine choices (this article helps to explain how this might work). This is going to be a work in progress for a while though, and to implement a viable model which we can use to rapidly make tablet devices available to a wider user base we need to get started by deploying a Mobile Device Management (MDM) solution which will let us protect the information on these devices. With that in mind we want an MDM service based on subscription charging which will allow us to secure devices, scale up and down easily, and keep the flexibility to change our approach as the available technology and our architecture changes. This is a perfect opportunity for us to take advantage of the cloud to deliver rapid benefits.

We like the price transparency that the Cloudstore offers us and want G-Cloud to be our first port of call for cloud services. Buying this way challenges some of our traditional thinking and approaches to procurement, and we are currently getting ourselves ready by working with our legal and procurement colleagues to make sure that our procurement processes are updated. The G-Cloud guidance to buy without further mini-competitions leads to more than a few quizzical looks, but I’ve been really encouraged at the readiness of non-IT people to take the time to understand this new approach and am confident that by getting this preparation done now we’ll be ready to move quickly once G-Cloud 2 goes live.

We’re looking forward to using G-Cloud as part of delivering our strategy: MDM providers please get started with your application process now so that we can buy your services!