IT Challenges of workplace mobility

The term “consumerization of information technology (IT)” was first mentioned by Gartner almost a decade ago1 when they claimed that consumerization would become "the most significant trend affecting IT in the next 10 years“. According to Gartner, after the dot-com bubble and collapse, many IT vendors decided to shift their resources and innovation to the consumer market, rather than to the corporate market, the latter having had a limited budget at the time. The result has been a change in the way technology enters the marketplace: that is, instead of new technology flowing down from business to the consumer (as it did with the desktop computer) the flow is reversed and the consumer market often gets the new technology before it enters the enterprise. A typical example of this phenomenon is the iPad, or other tablets. Designed and marketed for mass consumers, it entered very quickly into the work environment as a useful device, particularly for employees who are used to travel and who do not have a fixed desk.

The key point of consumerization is that innovation is now driven more by consumer markets rather than by business markets. Mobile devices are becoming more and more affordable for consumers, who are demanding new needs, features and upgrades at a fast rate. Therefore a company may find it easier and more effective to follow the mobile technology advancements by aligning with the consumer, rather than by maintaining the much-slower pace of business IT adoption.

In addition to this, the consumerization of IT has a much faster renewal rate because it is being pushed by a younger, more mobile workforce who grew up with the Internet and is less inclined to draw a line between corporate and personal technology. People have the possibility to use the latest and most advanced mobile device technology at home and they expect to be able to use it in the working environment as well. This mix of personal and business technology is having a significant impact on corporate IT departments, which traditionally issue and control the technology that employees use to do their jobs. Consequently, IT departments are facing new challenges: on the one hand, they have to keep up and address new needs from their users; on the other hand, they have to secure and protect company data, keep IT costs under control and manage networks with a technology that they do not procure or master.

It is now clear how the so-called BYOD (“Bring Your Own Device”) has appeared in the big stage of the corporate world, gaining more and more popularity and adopters across the organizations in the past years, but not without ambiguities and controversies.

According to research by Gartner2, nearly half of the world’s companies will choose a full BYOD policy by 2020, while 40% of them will still leave the possibility to choose between BYOD and a corporate device. It is estimated that about 15% of companies, due to the nature of their activities and business, will never move towards this business philosophy.

However, BYOD is quite a heterogeneous phenomenon and it would be a mistake to generalize it across the globe. In fact, its adoption rate might change according to geography, industry and within specific organizations, according to the corporate culture and employees’ jobs. BYOD is currently used by most companies with a turnover of USD 500 million to USD 5 billion, with 2,500 to 5,000 employees4. Commerce, utilities and banking are the sectors with the highest use of personal devices for work purposes, particularly, standard mobile phones and smartphones.

In terms of applications used, emails and social networks represent the first and second use of personal devices in the work environment respectively. However, according to recent research3, enterprise applications such as CRM, time-and-expense tracking and ERP are gradually taking place even within employee-owned devices.

In terms of geography, companies in Europe have very low adoption rates among all regions, while emerging markets such as India, China and Brazil are very likely to use personal devices at work, especially mobile phones4. 

The different adoption rate across countries is also observed in a survey launched by Dell5 in 2013, surveying over 1500 IT decision makers across the United States, United Kingdom, France, Germany, Spain, Italy, Australia, Singapore, India, and the Beijing region. According to the study, United States, Beijing region and Australia represent the top three countries that encourage BYOD by actively managing and supporting any device that users want to bring into the corporate environment; France, Germany and the U.K. are the bottom three in providing this level of support.

The study by Avanade Singapore also highlights the strong adoption of BYOD in the Asian region, which is explained by the fact that consumers are more familiar and used to handling multiple devices in their daily activities. According to the report, 72% of organizations in Asia-Pacific invited the majority of their employees to use personal devices at work.

Forrester6 claims that the European business climate is not very favorable to BYOD at the moment due to complex regulatory environments, unfavorable tax regimes and high cost of mobile data usage. This unfavorable environment is characterized through six significant “euro barriers” to a successful BYOD adoption:

1) Cross-border data roaming leads to cost explosions that inhibit bring-your-own contracts.

2) Employment regulation – such as national health and safety rules – hampers BYOD adoption in Europe.

3) Employee data protection laws inhibit security enforcement as European private devices are considered private property of the employee.

4) European tax and labor laws inhibit allowances for mobile contracts and applications whereas in the US such allowances are common practice.

5) Users end up taking on too much responsibility for security themselves, leaving business execs understand and manage risks associated with a specific Windows, Android, or iOS upgrade.

6) Limited support of private devices endangers business continuity as private devices are not centrally configured by IT and cannot be supported by corporate help desks.

For these reasons, the BYOD acceptance in Europe is lagging compared to other regions across the world, with a very low rate of successful BYOD projects. According to Forrester, only 15% of mobility managers in Europe went beyond the pilot phase of a BYOD project.

However, employees are actually interested in using their own devices at work, but without having to pay for it. Forrester found that on average 60% of European users wanted to bring their own smartphone and tablet to work. However those users expect to be supported by their employers when buying their own devices for work since only 6% of respondents would be willing to pay for a mobile/smartphone used for work in full, while 18% are willing to make a contribution. It is commonly believed that in the future, BYOD will be less and less subsidized by companies and employees do not actually want to pay for using a corporate device.

BYOD is not the only way to address users demand for new and faster technology in the working environment. There are also other alternative options that companies have been using and which offer partial solutions to the BYOD drawbacks, but bring other disadvantages as well.

The idea behind BYOD is to let end users choose the devices, programs and services that best meet their personal and business needs, with access, support and security supplied by the company IT department  - often with subsidies for device purchases.

However, BYOD places new burdens on IT as it tries to deal with an infinite variety of platforms and profiles. COPE (“Corporate Owned Personally Enabled”) takes the opposite approach - instead of making corporate functions work on personal devices, it sets up a framework to support and allow personal uses of company devices. For BYOD, the question for IT departments is "How do I secure information on a device that is not owned by the company?“. With COPE, the question becomes, “How can I loosen my grip for my employees to use their devices for personal use?”.

COPE is an IT business strategy through which an organization buys and provides computing resources and devices to be used and managed by employees. COPE allows an organization to source and deliver computing devices and services to employees and is how most organizations provide handheld or portable devices/gadgets to their employees. In the COPE model, a company supplies and owns the mobile devices, but rather than locking them down, it enables their personal use for its employees.

A further approach is developed with CYOD (“Choose your own device”). When you implement CYOD, you let the employees decide which devices are allowed within the company from a shortlist of smartphones and tablets, enabling them to bring their own. In contrast to BYOD, the company put a filter on the models of devices that are supported and validated by the company policy.

The difference between COPE and CYOD is that in the first case the device is a corporate-owned device that employees are allowed to access their own information on.

Supporting mobility via BYOD programs must rhyme with more secure, flexible and interoperable systems. In addition, security issues are one of the top concerns when it comes to mobility : 69% of European companies state that security will be the key factor to initiate changes in ways of working over the next three years7. For companies, the question is more than ever to balance security and enablement so that employees can work and collaborate with confidence.

IT departments therefore have to define technical requirements in terms of security for devices to be properly used in the company’s network and applications on two major topics: corporate data protection (1) and IT systems integrity (2).

1. The main challenge with any BYOD implementation is ensuring the protection of corporate data. When a corporate asset, such as a laptop or  smartphone, is used to access business applications and potentially manipulate corporate information, CIOs will ask for a tight control of assets and therefore claim for more restrictive usage policies. A more diverse portfolio of devices with a multitude of hardware, OS and software combinations also raises the question of effectiveness and regulatory compliance of these policies.

IT must therefore have a clear strategy for ensuring corporate data and information system protection on all devices, be they corporate managed or employee self-supported and managed. Thanks to technology solutions, this may include secure business partitioning solutions in order to separate and tightly control corporate data on the device. Another answer may be to avoid data storage on the device and allow to access to sensitive data only through a Virtual Desktop Infrastructure (VDI) application or SaaS solutions.

The control of devices is also crucial to ensure data protection when it comes to remotely revoke access at some point in the lifecycle of the device or the employee – for example in case of loss or theft of the device or employment termination. Thanks to Mobile Device Management (MDM) solutions, IT teams can now remotely update access rights, revoke partial or total access to data or applications or even wipe data and applications on the device.

2. The second challenge to address is to mitigate application risks (malware and application vulnerabilities) and protection against potential new threats in order to maintain the integrity and operability of corporate IT systems. Because of a more extensive device portfolio with  wider-ranging capabilities, there is no denying the potential of new attack vectors.

Although CIOs are nowadays striving to cover technical risks given the importance it implies for corporate data and business systems, other regulatory, HR, organizational and legal risks have yet to be anticipated and mitigated. Indeed, besides corporate security issues, there are issues to be addressed from a user and employee perspective. As the lines between personal and professional lives keep on blurring, the mix between personal and work activities on the same device can pose challenges. Private photos, text messages, e-mail, phone calls and Internet browsing must be subject to personal privacy and properly separated from professional activities, requiring appropriate and comprehensive security, HR and legal measures between companies and employees, for example with the signing of compliance and protection agreements.

Beside hardware and device ownership issues, IT departments have still to answer the question of corporate application and data access. A few technologies are available, compatible and coherent with a BYOD approach, in particular SaaS (“Software-as-a-Service”), Virtual Desktop Infrastructure and Enterprise Applications Store.

Firstly, using SaaS applications on BYOD computing devices means that IT departments do not have to worry about data storage on the employees’ personal hardware, application installation and maintenance. For example, the use of Google Apps or of any other office productivity cloud-based application means not only that no emails or documents are stored on the device but also that secure access is granted through any mainstream Internet browser. The same goes for other corporate applications (CRM, project management, finance, etc.) as long as CIOs opted for a SaaS approach.

Furthermore, Virtual Desktop Infrastructure (VDI) is a technology that seems to be perfectly compatible with the BYOD policy. In fact, the desktop virtualization model manages operating systems, data and applications from on a virtual machine on a datacentre, giving access to clients through a network connection. VDI brings significant advantages in terms of security, licensing liability and client management, since employees can access to their virtual desktop from anywhere with a thin device, a tablet or a smart phone, that can be personally owned.

Enterprise App Stores is another interesting example of the consumerization of IT. First introduced in the consumer world, it was then adopted by companies in parallel with the spread of the BYOD phenomenon. According to Gartner8, the increasing number of mobile devices within enterprises will drive the adoption of enterprise app stores. The research firm estimates that 25% of companies will have an enterprise app store by 2017. This movement represents a coherent reaction of companies to the adoption of mobile devices (through BYOD, CYOD or COPE) giving IT better control over the demand and procurement process of software applications.

With the consumerization of IT and its effects within the corporate environment, CIOs are increasingly pushed to develop a comprehensive approach of workplace mobility that fits with new employees’ needs and expectations, be it through BYOD or not. This approach must go beyond the device ownership issue as it raises the question of the overall portability of information systems so that employees can work and collaborate more effectively.

-----------------------------------------------------------------------------------------

1Gartner, Press release, October 2005
2Gartner, “BYOD : the facts and the future”, April 2013
3Avanade, “Global Survey: Dispelling Six Myths of Consumerization of IT”, January 2012
4Gartner, “BYOD : the facts and the future”, April 2013
5Dell Unveils Global BOYD Survey Results : Embrace BYOD or Be Left Behind, January 2013
6Forrester, “Demystifying BYOD in Europe, December 2013
7Orange E-LoB, Research on the evolution of the professional workplace, October 2013
8Gartner, Press Release, February 2013