It seems like it was only two years ago that smartphones began appearing in offices connected to the corporate email and Wi-Fi network; however, the phenomenon began many years ago.
When the early personal computers were brought out, replete with spreadsheets, the mavericks in enterprises realised that this meant a new freedom for them. Up until then, they would have to book time on the corporate mainframe and have their work inspected before it was punched into the system for them, and weeks later, they would receive their carefully packaged results. If there were any mistakes they would have to do it all over again. This advancement changed everything.
What we have to remember is that in the 1960s and 1970s the IT department was seen as a secret place ruled by powerful niche experts. They had total control of the department and who could access systems. The PC and its software allowed people to spread their wings. At first, some in the IT department viewed the PC with derision. It certainly wasn't going to threaten their jobs. It wasn't networked. It couldn't connect to the outside world and it had a tiny memory, comedic floppy disks and a screen.
The people who ran the IT department in those days came out of a corporate, hierarchical structure that owed much to the way companies had been run since the 1940s. It was only in the late 1970s and beyond that corporates began to put more emphasis on individual initiative and freedom, and then on a corporate level in the 1980s, as enormous organisations flattened out their career structures and had to change dramatically to survive.
Along came cloud
Then, along came a company that created a great business selling cloud-based sales force automation software directly to business executives and thereby bypassing the IT department. This was only five years ago, but the world had already moved forward.
As a result of outsourcing, corporate reliance on management gurus such as W. Edwards Deming, the use of lean management techniques and the wholesale use of business process engineering, the 1990s saw corporates introducing additional part-time and contract staff and replacing routine work with automated software, offshore workers and temporary labour.
This has resulted in corporate workers who very often work from home using their own PCs, smartphones, laptops and tablet computers, each with individual likes and desires for hardware and software, and it has left IT departments with the difficult task of imposing control over whatever hardware or software is used. The very flexibility that corporate management demanded of its workforce has bounced back as the same workforce demanded flexible methods of working. Bring your own device (BYOD) schemes are, in fact, just the beginning of a process that will require IT departments to work closely with staff regarding the choice of tools that they use.
The increase in workers adopting social media tools outside of work has also changed the game forever. Social media was bound to have an effect on the enterprise; therefore careful analysis of the rise of social media should have alerted executives to its growth and its likely effects upon the enterprise. If an enterprise did not see BYOD coming, it had better take a look at what else might be coming, because it needs to be prepared to identify emerging trends instead of being surprised when they become reality.
Enterprises should have holistic methodologies for spotting trends. This has to start from the top and include the board of directors. Trend spotting is difficult, but it is essential for the modern enterprise to thrive. To identify a trend you have to analyse your needs using a repeatable process encompassing two parts. Within the enterprise, the first part is cultural, looking at what your staff is doing in and out of the enterprise, and the second is technological - doing the same but analysing it in conjunction with what is happening in society as a whole.
Enterprises that have rich cultural backgrounds, such as the big PC companies, the big search engine companies and the big online outlets, tend to be the winners in a big way. These companies deliberately cultivate internal cultures that strengthen staff loyalty, innovation and discussion. Therefore, they are not taken by surprise when staff do something “unexpected” - in fact, because they anticipated it, they can harness this knowledge. This is what all organisations should be doing. It is only with this holistic approach that the organisation can spot trends - and this is a process that you can implement within your company. This is a vitally important point and has to be addressed by all enterprises now, because once you have missed a trend and it has been implemented in your organisation without your involvement, you cannot stop it. BYOD is an ideal example. The tide cannot be reversed.
BYOD is here to stay and you have to manage it, as well as its implications in other areas. It would be prudent for your enterprise to look at all of its future plans for the deployment of laptops, for example, since BYOD is replacing the laptop with the tablet computer. Whether you like it or not, your sales force is working in an era where they will reject shiny new laptops for their own tablet computers. Many companies are sitting on brand-new deliveries of laptops that will never be used because they did not spot the trend for the tablet computer. Trend risk analysis, which often is part of an overall framework for the governance and management of enterprise IT (GEIT), can be deployed to avoid problems such as this.
One of the latest and most important developments in GEIT is Cobit 5 from Isaca, which should be used in all analysis of BYOD. Cobit 5 will allow you to include projections about the likely behaviour of your employees based upon current usage of social media, the culture of your organisation, how your staff are to be deployed in the future, and any upcoming mergers and acquisitions which may change the shape of your business.
To keep on top of the BYOD challenge you need to keep the requirements of the company foremost in your mind and, using a holistic process, look at the aspirations of staff and see how they match with your predictions of what is likely to happen in the market. In analysing the problem you have to analyse the culture of your company, the technology coming down the road and the human factor that is your staff.
You will have to pay particular attention to the architecture of BYOD and how small changes may have major repercussions in a short period. As far as human resources (HR) is concerned, a proper legal framework will have to be constructed to take into account occasions when staff leave the company and take their own device with them. For example, is the company entitled to inspect it and delete all corporate information that is stored in it? How will access to personal data be prevented if the employee does not provide consent to its inspection?
This is particularly the case given the differences between privacy legal frameworks around the world. In Europe, for example, the privacy framework is different from that in the US, and if your BYOD policy is US-centric and not designed for use in Europe there will be a significant number of pitfalls.
Moreover, particular care should be taken in ensuring that employees who do not want to use their personal devices for business purposes are not coerced into doing so. Not only will this be a nightmare to manage but the resentment that can build up can lead to an increase of insider threats.
You will have to consider how your mobile device management (MDM) gateway should be part of your holistic solution using Isaca recommendations and deployment of Cobit 5. Be ready to analyse risk from the cultural perspective and not only a technical perspective. Your IT security department will be available to analyse your technical risk, but you should focus on the random elements of risk that staff inject into the enterprise, since nearly all people will find ways to make their lives easier and ignore the glaring risk involved. An example of this is people who tie themselves to public clouds and keep sensitive corporate data, and often their entire email archives, on easily accessible public clouds.
Only holistic approaches to human behaviour and IT security behaviour will produce predictable outcomes. You cannot stop a trend, but you can spot one coming. If you analyse your enterprise’s present needs, balanced with the needs of your staff and the future growth of your organisation, not only will you be able to tame the BYOD growth, but you will be in a far better place to spot the next trend coming down the line and be prepared to address it by using information security as a business enabler rather than a temporary stopper.
Christos Dimitriadis is international vice president of Isaca.
This was first published in August 2012