As with all business initiatives, when companies begin an enterprise mobility journey, they must assign responsibility to ensure accountability. Because mobility impacts so many areas of an organization, however, assigning responsibility—especially in smaller companies where mobility may be driven by a single executive’s edict—can be tricky.
Start with policy
While the initial focus of mobility is often on users getting devices, every successful mobility program should start with the careful development of policies designed to protect the data that users will access.
Responsibility for developing these policies falls onto a number of groups that must work together to understand the following: who needs mobile access; what they need access to; what the legal and compliance ramifications are; whether IT is capable of ensuring data security and enforcing the policies that are created; and whether the policies, when enforced, will enable business users to be productive. For the best results, the committee that formulates mobility policies should include representatives from HR, legal, compliance, security, IT and business users.
Striking the right balance between risk and productivity is essential. Lax security can lead to data breaches; however, making access too difficult can compel business users to circumvent security policies, leading to the rise of shadow IT.
Models of device ownership
Once policies are set, you can decide on the proper ownership model for the devices:
- Corporate owned—The company owns the device and takes responsibility for its entire lifecycle, including device management, remote access, applications needed and security strategy. This model is best suited for highly regulated environments.
- Choose your own device (CYOD)—You offer a list of supported devices and operating systems, then employees choose from them. Like a corporate-owned approach, the company controls the entire device lifecycle. While this model represents more work for your team, there’s more flexibility for employees who may need or want different types of devices.
- Corporate owned, personally enabled (COPE)—This approach is more common in Europe. You own and control the device, but let employees put certain data and personal apps from public app stores on it.
- Bring your own device (BYOD)—The employee owns and is responsible for the device, while you are responsible for any enterprise data on the device. With BYOD, however, you have no real control over the data unless a secure workspace is used.
Be aware that one model doesn’t always fit all. It is common for organizations to offer both corporate-owned devices for employees accessing highly regulated data and BYO devices with secure workspaces for employees accessing less sensitive information.
While it may seem that the onus is on you, employees also have a responsibility. No mobility strategy that balances productivity against risk can be successful unless employees take security seriously and follow required guidelines. As part of rolling out any mobility program, it’s essential that a group, whether from HR or IT, be assigned to conduct training on security features and processes—and clearly communicate the consequences of disregarding them.