I first came across Bring Your Own (BYO) on a visit to Sydney, Australia in 1987. You probably know that it’s a common approach in Australia and New Zealand to the provision of alcoholic drinks in restaurants that don’t hold alcohol licences. Many of you who drink alcohol with meals know that this is a great idea, allowing you and your friends to buy your favourite drinks at a nearby supermarket, save money and enjoy them with your meal – value delivery as we say in IT governance terminology.

Well, now a newer acronym is frequently surfacing in the media: BYOD – it’s not Bring Your Own Didgeridoo, of course, but Bring Your Own Device. We’ve being doing that in restaurants for two decades: bringing our personal mobiles and personal laptops and we’ve also been bringing them into work. However, most businesses have usually only permitted approved devices to be connected to the corporate network for access to corporate servers and data.  That’s why many of us use corporate Blackberry and corporate-issued laptops. Why?  Mainly this is to ensure security of the corporate IT infrastructure by assurance that only approved, tested and validated software has been installed, but also it is recognised that effective IT support can really only be properly provided if the attached devices and their software are fully understood by the IT department and have been tested and validated. The tidal wave of change brought about by the new generation of touch-screen smartphones and tablets, sometimes called “the consumerisation of IT”, is leading to pressure for businesses to change.

What’s happening?
A major news item in the last few months of 2011, was that British American Tobacco (BAT) was starting deployment in the UK of BYOD for smartphones to its 35,000 employees. Employees who cannot justify their need to use remote access from a smartphone, and therefore aren’t provided with corporate Blackberrys, will be allowed to download an app that grants remote access to BAT’s IT infrastructure from their own smartphone – initially supporting the iPhone, but later Android and Windows Mobile smartphones with a view to perhaps phasing out the Blackberry. Global rollout to BAT staff is planned for 2012.

Perhaps it was Intel that was first to adopt BYOD in 2009 but even they recognised it was started in the personal computing revolution of the early 90s when employees started to login from home using their own personal computers. Others, such as David Strom, a long-serving IT journalist and editor, think BYOD is no different from the PC apps choices (for spreadsheets and word processing) that many of us made in the late 80s before our companies standardised on products, usually, Microsoft Office.

Open Kernel Labs and Citrix jointly launched a BYOD programme in 2009. In 2011, Citrix  produced an interesting  market survey report on consumerisation of IT through BYO policies based on a worldwide survey of companies, which showed that India is in the vanguard and  the UK brings up the rear.  They found that 92% of companies surveyed were aware that some employees were using non-company-issued computing devices for company work purposes and 44% of companies already had some policy in place for support of BYOD, usually for mobile workers or those in specific roles. Nearly every company surveyed expected to have a BYOD policy by 2013. Unfortunately, the report does not formally state how many companies took part in the survey but the link to it says “700 IT decision-makers and organizations”.

IT support concerns?
Gartner wrote a brief, best-practices report about BYOD in July 2011. It is freely downloadable from the Citrix website.  The report recommend that new support processes are required with new skills being acquired by the support organisation. From a service desk perspective, Gartner suggests that incidents relating to BYODs should be dealt with by approaches which include:

• Formal “timeboxed support” that is restricted to 30-60 minutes, with the user being responsible for their own support after that or paying for continuing support.
• “Best-effort” support that recognises BYOD issues are the users’ responsibility, but IT support will make efforts to help. Likely to lead to user dissatisfaction, however.
• “Technically-bound support” where BYOD devices are not supported but corporate IT infrastructure being accessed is supported. Likely to only be acceptable if standard access from web-browser or corporate apps is used from BYODs.
• “Community-support” with peer-user support using FAQs, social networks, wikis etc.

A key point here is that employee policies are essential for BYOD with monitoring and enforcement of compliance with policy.

Information security concerns?
Another useful and very readable report is Infoworld’s Mobile and BYOD -Deep Dive by Galen Gruman (29 pages), also freely downloadable.  It covers HR and legal concerns and in particular covers mobile security providing a comparison table of mobile security and management capabilities, a summary of offerings from mobile device vendors and a tabular comparison of the securability of Exchange, Notes and Groupwise on eight popular mobile platforms.

Does BYOD fit with ITIL 2011?
Anyone who is highly knowledgeable about ITIL will be wondering if these concepts contradict ITIL 2011 best practices?  I don’t think they do, particularly since ITIL has an “adopt, and adapt” approach, but I’d welcome comments about this. 

• Service Transition doesn’t forbid introduction of services based on BYOD. Testing & Validation and Release & Deployment processes can readily be used.
• The Incident Management process doesn’t forbid “timeboxing”, “best-effort” and “technically-bound” support and it actively encourages community support via superusers and FAQs
• Information security management expects a security policy to exist, be publicised to all staff and complied with in addition to being monitored and audited.

© 2012 Geoff Harmer