Bring, your and own (BYO) are the first three words of an acronym being increasingly discussed in IT departments as the next phase of the consumerisation trend that is catching the attention of business executives.
Today, BYO is most commonly followed by D for device, but we also have C for cloud and T for technology.
What seems consistently to have started with, “The boss wanted to use an iPad at work” has taken grip in the enterprise as the benefits beyond a happy worker have become clearer. But so too have the risks.
Speaking at the recent CW500 event, Bring your own IT department? Clive Longbottom, service director and founder of analyst Quocirca, said the practices related to BYO within organisations range from the highly organised to anarchy.
“You can only call it bring your own IT when it is fully sanctioned and controlled,” he said. “It has been called shadow IT when it is not centrally sanctioned but at least the groups doing it understood it. It could be called bring your own chaos when workers use what they want.”
He said that in the past, when everyone used laptops, only senior staff could expense new machines. But today smartphones and tablets are much cheaper and people are starting to use them for work.
He said staff are making mobile devices the centre of their working world and are starting to look at how they can access tools like on SAP and email on them.
“All of this is happening, and in a lot of cases is outside IT control and without the organisation being able to see it,” said Longbottom.
Read more from CW500 Club:
BYOD is by far the most talked about and mature of the BYO trends.
Longbottom said Quocirca has recently completed research of 700 large organisations to ask their thoughts on BYOD. These were organisations that had accepted BYOD is happening,
He said the research put businesses into distinct groups depending of their stage in the BYOD journey.
There were companies categorised as BYOD deniers that do not like it but can’t stop it, along with those that only allow BYOD in exceptional circumstance.
He said in the middle there are businesses that allow management to use BYOD but not other staff.
Then he said there were the embracers that allow people to bring approved devices, or allow all staff to bring whatever device they want.
Longbottom said there were vast differences in attitudes in different European countries, with the UK, along with Benelux countries, the most enthusiastic of all.
Countries such as Spain, Italy, Portugal and France are deniers and don’t like BYOD. In Germany they accept it but are more prescriptive about its use.
UK is an embracer but the security worries remain
Embracing BYO is more of a fait accompli for most organisations, which have probably already got BYO without knowing it.
For those that don’t even realise staff are using their own technology or are aware but don’t control it, there are obvious security risks. Longbottom said for embracers it is vital to have the security issues in the right order.
“The security of the information is what matters and you do not have to worry so much about the security of the application. If you don’t have to worry about the security of the application the device comes last.”
He said technologies are available that can divorce the business information from the users information - sandboxes and containerisation for example: “The consumer can carry on trawling every web site they want but because there is a separate corporate environment the information is safe.”
Longbottom said that if devices are lost or a worker leaves, the corporate information is not actually on the device so it remains safe: “It is a £500 block of silicon and metal not a £3bn device, with company data on it.”
He recommended that IT departments share what they are doing with staff. This will help them understand what IT is doing with a BYOD scheme while the workers could help the IT department by showing them the type of apps they are using.
Read more on BYOD:
- Lack of IT security knowledge slows global BYOD uptake
- Overcoming BYOD security risks: Policy transparency, foresight key
- The ICO issues BYOD warning after breach
- BYOD alternatives emerge as tablets outship PCs
But what about businesses?
Not many organisations have intellectual property (IP) as valuable as pharmaceuticals giant GlaxoSmithKline (GSK). The company has pharmaceutical IP worth billions of pounds that needs to be kept safe. But with a huge sales force in the field there is an obvious advantage to the use of technologies such as tablet devices and the cloud. So how does GSK go about it?
Adam Raeburn-James, senior vice president, IT end-user & infrastructure service, at the company, said like many organisations the arrival of the iPad is an appropriate landmark for the seeding of a BYOD scheme. To this day only iPad tablets are allowed at GSK.
“Two or three years ago the iPad took-off internally and suddenly we had lots of different pilots going on, but we have found it genuinely valuable to get such devices into the hands of sales and marketing people,” he said.
“But we did find some genuine benefit and in a business like ours finding a business case for the field workforce to use an iPad is not that difficult.”
Raeburn-James said this is because the company’s sales reps visit doctors and normally have lots of paper documents to show doctors. He said the savings from not using paper alone could add up to the cost of an iPad, not to mention how much easier it makes the process. He said the always-on nature of an iPad and the ability to quickly fire it up and get a document was also important for reps in the field.
Watch video interviews with the CW500 speakers
- Anthony Kemp, Director of Corporate Resources, London Borough of Hounslow
- Adam Raeburn-James, Senior vice president, IT End-user & Infrastructure Services, GSK
- Clive Longbottom, service director, Quocirca
He said the company has devices being used by staff that are owned by the company and others that are owned by the users: “It doesn’t really make a lot of difference to us because we manage them in the same way. We do not stop people downloading applications on the devices bought by the company because we get a lot of value out of that.”
Raeburn-James said in the early days of planning a BYOD project the company ran a trial with 25 people. It gave staff a budget of £1000 and asked them to go away and buy a device they wanted that enabled them to do their job. “Of the 25 only three managed to do it and all three were IT professionals,” he said.
The problem was access to applications. GSK has about 3000 applications and very few will work in a non-PC environment outside the network. The company is working on moving applications to get more people on other devices. He said a starting point is getting the 40,000 sales reps onto iPads.
The company uses mobile device management to enable external devices to get into corporate applications while outside the core network. Raeburn-James said the company retains ultimate control of the information on the devices.
“We do wipe the device. If you get an iPad you have to agree that if you lose it you lose your photographs,” he said.
But he said that the PC is still a compelling environment and is likely to be around for some years to come. The company has 100,000 users in one standard PC build worldwide and a single hardware contract. Therefore GSK, like most BYOD embracers, has a hybrid environment.
“We clearly haven’t got it sorted but we are muddling through like everyone else,” said Raeburn-James. But the company has a goal in sight. He expects the company to still run a standard desktop for at least three to five years. But he believes eventually the devices that workers use will not be the responsibility of IT.
“We want to get to a situation where we don’t take responsibility for the devices, and IT just looks after the apps and security. And I think we will be better off,” he said.
BYO in the public sector
The London Borough of Hounslow might not have billions of pounds worth of IP like GSK, but it does have highly sensitive information on its systems. Like other public sector organisations it also faces massive budget cuts. So with this in mind how is it harnessing the "bring your own" revolution?
The council has 300,000 residents and employs about 3000 staff. Anthony Kemp, director of corporate resources, said about two years ago it decided that as a result of the economic climate the council had to enable people to work from anywhere.
“People talk about ‘anytime, anyplace,’ and all that but we really did need to shrink our physical estate massively,” he said.
The local authority is becoming device agnostic: “It is more about getting the right tool for the job.” He said the council set itself the challenge of predicting what future staff will want: “If you look at the students and apprentices that come in, they expect to use things like Dropbox and other web-based apps. There is quite a cultural difference”
Kemp said the council set itself the challenge to set up an environment where staff can work in the ways they have been used to outside the office: “It is much more flexible and the things that staff use at home they can use at work. If we are to serve the workers and the population of the future we understand that we will lose control. They will find things and we can’t fight it.”
He said it was like when social media came in and users could not be controlled. But the council is not quite there with BYO and there are a number of challenges around security.
The council is setting out to provide the content staff need through software-as-a-service (SaaS) tools. The organisation has lots of vertical applications across a wide range of services. It has about 500 to 600 applications that cost a lot as they are vertically focused and designed around the business they are serving.
Read more about Hounslow council
Many of these applications do the same things, with reporting, workflow and CRM capabilities within them, for example. “You are buying the same things again and again. [Instead] we are building a platform that sits across the vertical businesses,” said Kemp.
For CRM, Hounslow uses Salesforce.com; for productivity it uses Box; and a range of other SaaS products sit around these such as a mapping service and a payments service - but only one of each. These products are already out there and staff are already using them.
“We are forgetting about the device and thinking about the user requirement. We assess the need and do a risk assessment around this,” said Kemp.
He said just like BYOD or bring your own application, users need to take some accountability: “Staff need to understand the risk and we need policies to ensure they don’t do certain things.”
Read more on Mobile apps and software
IR35 private sector reforms: GSK gives contractors 'quit or go PAYE' ultimatum
HMRC under fire over 'scaremongering' IR35 clampdown letters targeting GSK IT contractors
Mobile World Congress 2019 shows the value of a good unified endpoint management strategy
Outcomes-based security is the way forward