Posted by: Arun Gupta
BYOD, BYOT, compliance, governance, IT policy, IT security
A trend that everyone is talking about, and which figures on every list (priorities, trends, technology, whatever) is Bring Your Own Device/Technology. It has proponents and opponents from various quarters — within as well as outside the enterprise. Opinions and views, recommendations and pitfalls, management tools and security concerns, the endless list continues to keep the CIO bewildered, irrespective of whether s/he embraces BYOT or not.
From what I recollect, it all started with the iPhone. Then it extended to tablets, laptops, and what have you. Not that earlier personal devices did not connect to the corporate network; they did all that on the wire and then over the air, if you will remember devices with a technology called “ActiveSync”. As the network and technology improved, browser-based apps started appearing. Soon enough, the resident app followed.
I don’t recollect all the company-provided devices that I have used over the last decade. This would imply that we had a lenient policy even before the BYOT buzz appeared and started haunting every technology professional. The early PDA (which eventually integrated itself into the phone) had limited use, and was not widely prevalent due to its unwieldy size and interface. Except for the early large form factor devices, it was not a statement to make.
Evolution of devices and networks created new possibilities, as the scattered raindrops became a flood. Apps emerged for everything, along with power in the hands of the executive; but with no constraints on time. Business impatience became the hallmark of new technology deployments — one that would swamp all available and unavailable time. The CIO built layers of infrastructure, applications and security to manage the demand. It did not matter who or how many used it; if it was possible, then it had to be available.
The democratization of information worried only the CIO until stories of compromise started spreading. Compromise not always by the external world, but bits of information scattered across — slowly fading away with exits and ignorant employees losing devices (or passing hands within the family). Enterprise liability driven by law and governance suddenly found itself at loggerheads with BYOT.
Depending on the country of incorporation and most probably operation, the laws require stringent compliance. BYOT contravenes some with liability creation for not just the CIO but the CEO, and even the global HQ. Recently, I witnessed a cyber law expert thrust the fear of the law of the land on listening CIOs, who cringed with every clause and interpretation of impact to the executives and the enterprise.
So what are the available choices? Will the CEO not want the next new device on the block to be connected to corporate infrastructure? Does s/he not evaluate the ramifications to the enterprise? Is ignorance a good excuse? I believe that the CIO needs to raise the bar with heightened awareness starting with the Board, which then cascades downwards. It takes only a single incident to create collective pain. CIOs can address the contingent liability with reasonable due diligence, control and documentation to dampen down the impact.
It is not going away, but what it means to you is up to you. BYOT = Bring Your Own Trouble, or BYOD = Bring Your Own Demise, or BYOD = Bring Your Own Destiny, or BYOT = Bring Your Own Tension, or BYOT = Bring Your Own Threat, or BYOD/T =? You decide!