My good friend Ben Goodman echoed something in his post from Monday that I have seen in a bunch of other posts recently. It aims to tackle the fact that in BYOD (Bring your own device) you will have corporate and personal data on your individual device. “However, the more important trend, at least when it comes to security and regulatory compliance – is happening under the surface of the device. It’s how employees are choosing the cloud-based applications they want to use. These impulse application selections means, too often, that proprietary data or data that should be protected actually ends up scattered through many online services and accessed on devices the enterprise doesn’t manage.” There a couple of things wrong with this statement and then the thesis that stands behind it. None of this reflects on the rest of Ben’s very good post, I’m just picking on this idea.
The first fallacy that must be tackled here is that most employees don’t choose their cloud and in many cases don’t even know what a cloud means in this context. They choose apps that are aligned with clouds but not necessarily the cloud behind it. People choose to use Evernote because it allows notes that they take on one device to automagically appear on another one of their devices. People pick Notesy or SimpleNote because it allows them to type notes and get them somewhere else. They don’t usually understand the Dropbox and Box are clouds. They may understand that iCloud is a cloud but only because someone put it in the name. I actually had a conversation today where we said we shutting down access to a specific cloud and the person had no idea what it meant to them or their users.
The second fallacy of this statement is that these selections are impulse buys. People choose apps because it allows them to get something done easily. They prefer free apps but if the app is simple enough and saves them from some arduous task they will consider paying for it. When it comes to work and employees, they choose their apps one of two ways, they were provided an app to do the job that has a great UI and UX, or they were provided a crapplication that causes them to want to tear their hair out. When that happens they start to look in their device’s marketplace for an app that provides an easier way to do the same tasks that won’t involve doing bodily harm to themselves.
The last issue is that people are putting corporate data at risk and it wasn’t until mobile devices came around that the data was ever at risk. Most of the applications that people are choosing to use are for creating their own data. While it might involve some corporate data, they took notes in Evernote during a meeting; in most cases it’s not these app choices that are putting corporate data into arbitrary clouds. That’s not to say that employees won’t use Box, SugarSync, or Dropbox to move a work file home so they can use it on their own time. Employees have been doing that for a few years, long before they could even use their mobile devices for editing. They would email their word doc home or put it on a thumb drive. As soon as Dropbox appeared it became the preferred method for moving data around because it was easy. To think that it is an impulse app selection that causes enterprise data to be spread around just doesn’t pass the smell test. Years ago people use to bring paper documents home in their briefcase; it isn’t something that just started happening out of the blue.
This doesn’t mean that the enterprise should throw their hands up and give in. On the contrary, they should see this as an opportunity to engage their employees and discover with the employees, how to make them the most productive possible. They should work with the employees to make those solutions that avoid the crapplication classification and let people be more efficient and productive. When they discover what those apps are, they should like at some sort of MAM (Mobile Application Management) system that will allow them to wrap or containerize the app so they can protect enterprise data. The issue with these systems is that they will only help those whom are using mobile devices and won’t affect those that are using laptops and desktops.
Enterprises have to start looking at what’s important here and it’s the data that is their asset. They need to look for way to protect the data, which will eventually lead them to look into a MIM (Mobile Information Management) System. If they look at ways to protect the data no matter where it lies, they begin to understand that the endpoints become abstracted. They no longer have to worry about their employees emailing the data home or putting it on a USB stick, they have built their protection scheme around the information that is valuable to them.
The thesis behind all of these protectionist statements revolves around the fear, uncertainty, and doubt (FUD) surrounding CoIT, that users always want to go around IT and CoIT encourages them to do that. Enterprises feel they must control this consumerization and their users or they will make bad choices if they haven’t already. While this can and does happen sometimes, it is most often due to the inability of IT to embrace a strategy that incorporates and enables mobile computing so people can work from anywhere at anytime with the data that they need. It is a matter of moving away from the legacy strategy that says you must control the endpoints to be safe, people be damned, to a strategy of protecting your most strategic asset, your data, and yet allowing your employees to be able to use it in an easy and productive manner.