It seems like it was only two years ago that smartphones began appearing in offices connected to the corporate e-mail and Wi-Fi network. Yet, the phenomenon began many years ago. When the early PCs appeared, replete with spreadsheets, the mavericks in enterprises realized that this meant a new freedom for them. Until then, they would have to book time on the corporate mainframe and have their work inspected before it was punched into the system for them, and weeks later, they would receive their carefully packaged results. If there were any mistakes, they would have to do it all over again. The PC changed everything.
What we have to remember is that in the 1960s and '70s, the IT (MIS or EDP?) department was seen as a secret place ruled by powerful niche experts. They had total control of the department and who could access systems. The PC and its software allowed users to spread their wings. At first, some in the IT department viewed the PC with derision. It certainly wasn't going to threaten their jobs. It wasn't networked. It couldn't connect to the outside world and it had a tiny memory, comedic floppy disks and a screen!
The people who ran the IT department those days came out of a corporate, hierarchical structure that owed much to the way companies had been run since the 1940s. It was only in the late '70s and beyond that corporations began to put more emphasis on individual initiative and freedom, and then on a corporate level in the '80s, as enormous organizations flattened out their career structures and had to change dramatically to survive.
Much later, along came a company that created a great business selling cloud-based sales force automation software directly to business executives and thereby bypassing the IT department. This was only five years ago, but the world had already moved forward.
As a result of outsourcing, corporate reliance on management gurus such as W. Edwards Deming, the use of lean management techniques and the wholesale use of business process engineering, the 1990s saw corporations introducing additional part-time and contract staff and replacing routine work with automated software, offshore workers, and temporary labour.
This has resulted in corporate workers who very often work from home using their own PCs, smartphones, laptops and tablet computers, with their own individual likes and desires for hardware and software. It has also made it very difficult for IT departments to impose control over whatever hardware or software is used. The very flexibility that corporate management demanded of its workforce has bounced back as the same workforce demanded flexible methods of working. BYOD (Bring Your Own Device) is, in fact, just the beginning of a process that will require IT departments to work closely with staff regarding the choice of tools that they use.
The increasing number of workers adopting social media tools outside of work has also changed the game forever. Social media was bound to have an effect on the enterprise. Therefore, careful analysis of the rise of social media should have alerted executives to its growth and its likely effects upon the enterprise. If an enterprise did not see BYOD coming, it had better take a look at what else might be coming, because it needs to be prepared to identify emerging trends instead of being surprised when they become reality.
Enterprises should have holistic methodologies for spotting trends. This has to start from the top and include the board of directors. Trend spotting is difficult, but it is essential for the modern enterprise to thrive. To identify a trend you have to analyze your needs using a repeatable process encompassing two parts: cultural and technological. The first part, cultural, looks at what your staff is doing in and out of the enterprise; the second, technological, does the same but analyses it in conjunction with what is happening in society as a whole.
Enterprises that have rich cultural backgrounds, such as the big PC companies, the big search engine companies and the big online outlets, tend to be the winners in a big way. These companies deliberately cultivate internal cultures that strengthen staff loyalty, innovation and discussion. Therefore, they are not taken by surprise when staff do something "unexpected." In fact, because they anticipated it, they can harness this knowledge. This is what all organizations should be doing. It is only with this holistic approach that the organisation can spot trends, and this is a process that you can implement within your company. This is a vitally important point and has to be addressed by all enterprises now, because once you have missed a trend and it has been implemented in your organisation without your involvement, you cannot stop it. BYOD is an ideal example. The tide cannot be reversed.
BYOD is here to stay and you have to manage it, as well as its implications in other areas. It would be prudent for your enterprise to look at all of its future plans for the deployment of laptops because, for example, BYOD is replacing the laptop with the tablet computer. Whether you like it or not, your sales force is working in an era where they will reject shiny new laptops for their own tablet computers. Many companies are sitting on brand-new deliveries of laptops that will never be used because they did not spot the trend for the tablet computer. Trend risk analysis, which often is part of an overall framework for the governance and management of enterprise IT (GEIT), can be deployed to avoid problems such as this.
One of the latest developments in GEIT is COBIT 5 from ISACA, which should be used in all analysis of BYOD. COBIT 5 will allow you to include projections about the likely behaviour of your employees based upon current usage of social media, the culture of your organisation, how your staff is to be deployed in the future, and any upcoming mergers and acquisitions, which may change the shape of your business.
To keep on top of the BYOD challenge, you need to keep the requirements of the company foremost in your mind and, using a holistic process, look at the aspirations of staff and see how they match with your predictions of what is likely to happen in the market. In analyzing the problem, you have to analyze the culture of your company, the technology coming down the road, and the human factor that is your staff.
You will have to pay particular attention to the architecture of BYOD and how small changes may have major repercussions in a short period. For example, as far as HR is concerned, a proper legal framework will have to be constructed to take into account occasions when staff leave the company and take their own device with them. Is the company entitled to inspect it and delete all corporate information that is stored on it? How will access to personal data be prevented if the employee does not consent to its inspection?
This is particularly the case given the differences between privacy legal frameworks around the world. In Europe, for example, the privacy framework is different from that in the US. If your BYOD policy is US-centric and not designed for use in Europe, there will be a significant number of pitfalls.
Moreover, particular care should be taken in ensuring that employees who do not want to use their personal devices for business purposes are not coerced into doing so. Not only will this be a nightmare to manage, but the resentment that can build up can lead to an increase of insider threats.
You will have to consider how your mobile device management (MDM) gateway should be part of your holistic solution using ISACA recommendations and deployment of COBIT 5. Be ready to analyze risk from the cultural perspective and not only a technical perspective. Your IT security department will be available to analyse your technical risk, but you should focus on the random elements of risk that staff inject into the enterprise, since nearly all people will find ways to make their lives easier and ignore the glaring risk involved. An example of this is people who tie themselves to public clouds and keep sensitive corporate data, and often their entire email archives, on easily accessible public clouds.
Only holistic approaches to human behaviour and IT security behaviour will produce predictable outcomes. You cannot stop a trend, but you can spot one coming; and if you analyze your enterprise's present needs, balanced with the needs of your staff and the future growth of your organization, not only will you be able to tame the BYOD growth, but you will be in a far better place to spot the next trend coming down the line and be prepared to address it by using information security as a business enabler rather than a temporary stopper.
International Vice President Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, is the head of information security at INTRALOT GROUP, a Greece-based multinational supplier of integrated gaming and transaction processing systems, where he manages information security in more than 50 countries on all continents. He has worked in information security for more than 12 years and has authored 80 security-related publications. He has provided information security services to the International Telecommunication Union, European Commission Directorate Generals, European Ministries and international organizations, as well as business consulting services to entrepreneurial companies. He is chair of ISACA's COBIT Security Task Force and has served as chair of ISACA's External Relations Committee and as a member of the Relations Board, Academic Relations Committee, ISACA Journal Editorial Committee and Business Model for Information Security Work Group.
He is a frequent speaker at IT security events around EMEA.