Establishing a bring your own device (BYOD) program -- one that actually works -- isn't an effort for the faint of heart.
In fact, it's a complex undertaking involving just about every corner of an organization, from IT to legal to human resources, according to Michael Disabato, a Gartner Research vice president specializing in mobile strategy, management and governance. But, of course, formal BYOD programs are necessary at a time when employees increasingly expect to use their own mobile devices at work. Gartner calls the BYOD trend -- and, by extension, the resulting demand for BYOD programs -- "the single most radical shift in the economics of client computing for business since PCs invaded the workplace."
In fact, more than 60% of employees worldwide report using personal devices -- primarily smartphones and tablet computers -- for work, according to Gartner's research, Disabato told attendees at the recent Gartner Catalyst Conference in San Diego. Gartner projects that, by 2015, companies will begin moving toward mandatory BYOD programs, and by 2016, more than half of all enterprises will have BYOD programs in place. For that reason, Gartner said last year, "every business needs a clearly articulated position on BYOD" even if it chooses not to allow the practice.
Before launching their BYOD programs, companies should establish BYOD policies, Disabato said. Such policies should spell out exactly what devices employees may use for work, what level of support the organization will provide and -- in cases where the company helps pay purchase or service costs -- who actually owns the items.
Then comes the hard work of developing a BYOD program, which Disabato recommends doing by following these six steps:
- Define and assess risk
- Consider endpoint security and mobile device management (MDM) choices
- Determine support levels
- Address legal and HR issues
- Launch a pilot program
- Follow up
1. Define and assess risk. This step requires creating a "risk profile" for employees and the data they use based on their roles. The first question to address: Do employees in a particular role have access to sensitive data? If so, it's important to define just how sensitive that information is, based on this three-level scale:
- Low: This level involves information that's essentially "almost public" and, as a result, involves very little risk, Disabato said.
- Medium: This level involves information that, if made public, could cause "moderate harm to an organization," he said.
- High: This level involves information that could cause major financial or legal problems or serious damage to the company's reputation. As Disabato put it, "It's the stuff that gets you on the front page of The Wall Street Journal, and not in a good way."
It's also important to consider -- again, role by role -- the risks involved if, for any reason, employee-owned devices aren't available for use. For instance, he said, "If they do all their work on a tablet and it's dropped or stolen, what are you going to do?"
Gartner calls the BYOD trend -- and the resulting demand for BYOD programs -- 'the single most radical shift in the economics of client computing for business since PCs invaded the workplace.'
2. Consider MDM and endpoint security choices. If you decide to invest in MDM, look for a product with a managed container that separates personal information and applications from corporate data and apps, Disabato advised. Ideally, employee-owned devices should include dedicated workspaces.
And look for products that meet near-term needs, he added. "The endpoint security market is still evolving and things are changing quickly."
3. Determine support levels. "BYOD does not mean 'bring everything,'" Disabato said. "You do not support Angry Birds. You don't support a 'my favorite recipe' program." But how should organizations decide what they do support?
Start small. Don't try to support all devices at once, he said. "Start with the list provided by your MDM vendor. Limit it to what they can provide." Then coordinate that list with the organization's service desk.
Keep in mind that platform popularity -- especially at the C-level -- may drive decisions about which platforms to support. Disabato said, "You may find that your senior management makes the choice for you," based on what devices they own. Once you've decided what to support, block unapproved devices and operating systems.
Finally, make the approved-device list an addendum to your BYOD policy, not part of the policy itself. "You don't want to have to have the policy reviewed every time somebody comes out with a new phone," he said.
Disabato recommended establishing a variety of self-service support options. "Social media allows crowdsourcing of support," he said. For example, you might use the Yammer collaboration platform to create in-house chat groups, set up wikis as permanent archives for BYO-related tips and encourage employees to participate in Twitter and vendor forums.
At the same time, it's important to have the service desk as a backup, working with staff to define support levels, practices for dealing with lost or stolen devices and similar issues. You'll need to provide service-desk employees with training on all BYOD hardware, operating systems and apps (a requirement that Disabato said is "another good argument to limit the number of devices you are supporting.")
4. Address legal and HR issues. If an organization becomes involved in a lawsuit, as either a plaintiff or a defendant, it may require turning over data on employee BYO devices -- and, quite possibly, the devices themselves. For that reason, the BYOD policy should spell out what happens in such cases: Will the company replace the device? Reimburse the employee? Provide a loaner? Eventually return the device? Or simply retain the device with no compensation for the owner? "The legal team will drive this policy decision," Disabato said.
Organizations also need to decide whether they reimburse employees for any service plans, such as a smartphone's monthly voice and data charges. In addition, BYOD users should sign a mobility usage agreement acknowledging that they've read and expect to abide by the policies. But don't use an electronic click-through agreement, Disabato said: "It needs to be a written document that they sign and that is placed in their personnel file."
5. Launch a pilot program. Start small. Include business units and end users, including program critics. "Find the complainers. Get them on board early," Disabato said.
Then scale up slowly. "Find out what didn't work and fix it," he said. "Keep track of the exceptions." Also keep in mind that the BYOD initiative will affect workflow and user experiences -- including those of executive-level employees -- so proceed cautiously. "If you mess this one up, it could be what I call a career-altering move," Disabato said.
6. Follow up. First, determine how you'll measure your BYOD program's success, Disabato advised. Possible metrics include levels of employee participation and satisfaction, numbers of support issues or incident rates and possibly employee perceptions about their privacy.
Next, get continuous user feedback. Conduct surveys and take the results seriously, he said.
Finally, remember that any BYOD program is a work in progress that will need to adapt to constant changes in both business and technology. "What works today is going to be obsolete tomorrow," Disabato warned. "You have to go back to it over and over and over again."