CIO Opinionators

Is managing BYOD policy a waste of the CIO's time?

Karen Goulart, Senior Features Writer

In 2012, 41% of U.S. information workers used at least three devices for work, and more than a third worked from three different locations, according to Forrester Research Inc. No matter where they are, 15% of those information workers

    Requires Free Membership to View

are connected to their companies all day, every day. Perhaps they're working off one of the more than 9,000 Android permutations in the market. Maybe they're employed by one of the 70% to 80% of Fortune 500 companies that agreed to support at least one type of consumer-grade tablet for their workers last year. And if their particular tablet isn't supported, chances are it will be by 2016, when an estimated one-third of all tablets sold will be purchased by businesses. Still think the hype around bring-your-own-device policies is overblown?

Read more about BYOD policy

Is mobile virtualization the answer to the BYOD conundrum?

Data protection in the BYOD era

How role-based BYOD management is playing out at IBM

An inside look at Ford Motor Co.'s BYOD program

The importance of having a BYOD policy is not up for debate. As mobility reshapes enterprise computing, the question is, who ought to be in charge of this mobile mélange? Since "BYOD" began emerging as a buzzword less than two years ago, it's seemed a given that harnessing employees' many mobile devices should be the singular domain of the CIO. But is that as it should be?

We asked three experts in mobility to weigh in on the topic. In response, we heard an impassioned plea for CIOs to wash their hands of BYOD and focus on bigger issues, an argument for adding a chief mobility officer to deal with all aspects of the mobile spectrum, and a call for the CIO to play the go-between and delegator. The one thing all three experts agree on? Mobility is much bigger than BYOD.

CIOs wasting time on BYOD, missing mobile innovation opportunities

"There are so many opportunities for mobile to be a reducer of cost; a generator of revenue; a builder of relationships with customers, partners and employees; and those opportunities just aren't being taken advantage of yet." Simon Yates, analyst, Forrester Research Inc., Cambridge, Mass.

Simon Yates

Over the last year we've been working with hundreds of CIOs about mobility and about the impact of consumerization -- the devices employees bring into companies that they want supported and the challenges CIOs face in tackling that. Where things get sticky for CIOs is making choices about which devices and operating systems to support. It comes down to governance and policy issues: What is the liability of the company on a device containing personal and corporate information? How much should a person be reimbursed for a particular device? Who gets to be in the program?

These nontechnical issues really frustrate CIOs because they have to go through Human Resources and Legal to solve them, and they're not making enough progress toward building a BYOD program they can deploy that is structured the right way. CIOs spend far too much time figuring out these programs -- at their peril.

Our data says that 95% of customer-facing mobile application development efforts have little to no IT organization involvement. IT certainly doesn't lead them. Every business unit has money it's going to spend on technology outside of IT, When a business unit wants to build a mobile app, it will go out to a digital agency like SapientNitro or Tribal DDB. CIOs are missing a huge opportunity. The mobile applications built outside of the company will eventually end up in the CIO's lap. The apps will either be incredibly successful and other parts of the company will want to add features to them or integrate them into back-end databases or back-end applications, or they're an abject failure and the CIO is going to be asked to fix the problem. CIOs have to get involved in these customer-facing mobile activities early on, not spend all their time worrying about what mobile devices they're going to support for employees. The real opportunity for innovation and to drive business value is on the customer-facing side.

Where you'll get the pushback from CIOs is on security or compliance. It's not that the security and compliance issues related to mobile devices aren't important; it's just not the CIO's responsibility to get bogged down in those things. Delegate! Get other people to solve the problems and make recommendations. CIOs aren't experts on security or compliance, or on which mobile device management solution is better than one over the other. They're not experts on the legal requirements of shared data on the same device, but those are the things that are slowing them down.

The enterprise needs a chief mobility officer for BYOD

"More interesting, I think, than whether the CIO should be involved in policy decisions is whether there should there be a chief mobility officer or if the CIO should be a chief mobility officer, given how important mobility is to enterprises." Philip Clarke, analyst, Nemertes Research Inc., Chicago

Philip Clarke

Fundamentally, all things that have to do with information within the enterprise fall under the purview of the CIO. Whether it's mobility, desktop, centralized infrastructure, cloud infrastructure, all of it has to do with information.

The difficulty of understanding all the impacts of mobility makes a strong case for a chief mobility officer, a new position. Whether he reports to the CIO or he's level with the CIO depends on how mobility-focused the company is. But I do think the CIO needs help, because mobility is such a difficult subject.

With the convergence of tablets and laptops, we're not really going to have laptops in about five years, maybe sooner. In my view, it'll be just tablets that are built around the Microsoft Surface idea of a single device. Because of this convergence of mobility and desktop, the CIO has to be involved, not only to be able to understand what's going on within their company, but also to make strategic decisions on everything from app development to endpoint management to what type of devices they want to have in the enterprise.

If hiring a chief mobility officer is not an option, mobility has to be under the purview of the CIO. If you give mobility to the top security person, security will be their focus, and securing devices is not even half the picture with mobility. Companies still focused on securing mobile devices -- and for many that is their focus -- are not going to get much success out of mobility. All they're doing is bringing their BYOD paradigm up to that previous paradigm of BlackBerry with BES [BlackBerry Enterprise Server].

Only going as far as securing BYOD devices is not doing everything that should be done with mobility. Companies need a strategic thinker who can start making bigger decisions: "We've got these devices secure, now what are we going to do with them? How do we justify these devices? What are their use cases? Where does it make sense to start replacing laptops or desktops with mobile devices?" Companies need somebody who is highly innovative, has a real good grasp of mobility and far-reaching views on mobility -- and has demonstrated that already.

CIO needs to delegate when it comes to BYOD

"I can't give a black-or-white answer about whether CIOs should be responsible for BYOD, because CIOs are responsible for protecting the information assets of the organization, and as such they have to write policies and be responsible for polices that cover that aspect of their job. From that perspective it makes sense." Ken Dulaney, analyst, Gartner Inc., Stamford, Conn.

Ken Dulaney

BYOD policy is a huge concern. Among our clients, 60% to 70% either have a BYOD policy or are considering one. Most of the commotion is caused by tablets -- that's the thing pushing it over the edge because the tablet is an elective device. CIOs know people need notebooks and phones, but they don't feel they have money for elective devices. Most CIOs start out not wanting tablets but realize the technology is inexpensive enough and the software that comes with them is powerful enough to go right round IT. And most come to the realization that they're kidding themselves, so they want to develop best practices.

What we recommend is give employees support. The employee owns the device and assumes responsibility for anything that happens to it. What the organization puts out in terms of work-related content for employees using their own devices should be put out over a browser. This way content is not on the device and can't be compromised if the device is lost. Doing that can provide more freedom for the end users. If users then do whatever they want to do, they have to assume responsibility.

Most organizations have a code of conduct. Most have not yet been updated for the electronic age. The employee has to understand their responsibility for information assets that a company owns that happen to reside on an employee's device. BYOD as a concept touches on many aspects of the business and the preponderance of BYOD policies should be the responsibility of the CIO, but there are aspects of those policies that should probably be vetted out. We have a concept we call "mobile center of excellence." It's a temporary thing -- the company puts together different groups that are responsible for best practices for a number of things, and one of them would be mobile policies.

Mobile is something that affects all the practices of IT. It shouldn't be kept separate; it should make everything the enterprise does, done better. Devices being put into IT have a lot of things IT is not used to, whether it's developing apps for small screens, whether it's supporting BYOD for devices the company doesn't own or whether it's dealing with security threats. Mobility should raise the overall capability of IT and make its enterprise architecture more robust.

Let us know what you think about the story; email Karen Goulart, Features Writer.