May 06, 2013, 1:41 PM — Highly functional personal devices are increasingly being adopted as technology tools in enterprise IT environments. This represents yet another challenge for CIOs and senior IT managers trying to use standards and frameworks-based IT service management (ITSM) processes for better governance and business benefits.
There are many ITSM implications to be considered if you allow employees to undertake some critical work tasks on the devices of their choice.
More than just being sold on the potential efficiency, mobility and cost saving benefits of embracing the bring-your-own-device (BYOD) phenomenon as part of your IT service delivery, CIOs also have to concern themselves with new risk management issues relating to data control and security.
In addition to risk, there are also implications from BYOD adoption to core ITSM processes such as incident, problem, change and service level agreement management -- to name a few -- which must be considered.
In many cases, these are operational controls that IT organisations have invested heavily in over the last five years in search of cost savings, operational efficiencies and performance improvement.
Irrespective of whether you are managing IT operations in-house or utilising a third party services provider, BYOD has the potential to sully some of the processes that you currently have in place.
However, this does not necessarily mean that it is something that should be feared. Good process can accommodate BYOD. There are ways and means to mitigate the risks with the potential benefits being many and varied if managed astutely.
IT service provider Dimension Data recently embraced the BYOD concept within its internal operations.
Ian Jansen, CIO at Dimension Data said that when its internal BYOD journey began, it soon became apparent new ITSM policies and processes had to be created for effective service management as it was something quite foreign to traditional IT.
"The method which controlled our environment no longer sufficed; yet the fundamental need to secure, manage, support and service was still there," Jansen said. "Generally, people think of BYOD in terms of devices but in reality BYOD is also a change to applications, processes and the overall experience that employees have.
"It changes the way we deploy infrastructure and services and ultimately how we manage and operate IT. Having a best practice framework like ITIL to manage the BYOD challenge is incredibly useful."
Ian Jansen, CIO at Dimension Data
Jansen insists internal ITSM practices are applicable "more than ever" where an organisation allows BYOD but he does not see it as a threat to the application of traditional ITSM best practice.
"In order for BYOD to work, you need to have extremely well implemented policies and processes," he said. "Without them you can't provide the level of service required to make it successful.
"For instance, service level agreements need to be very clear on what we support on a person's own device and what we don't. Another good example is capacity planning where we take into account the new infrastructure needed to manage personal devices.
"In the end BYOD will probably force a better ITSM practice."
Impacts across the ITIL lifecycle
The rise of BYOD has implications for organisations that have invested in process-based ITSM programs.
Karen Ferris, director of ITSM consulting company, Macanta and a board member for independent industry association, itSMF Australia, said that BYOD has an impact in many ways on ITSM processes and operations. This is because the current iteration of best practice ITSM frameworks (ITIL v3) defines a lifecycle approach to the delivery of services.
Every step defined in the ITL lifecycle framework -- including service strategy, service design, service transition and service operation -- needs readdressing with BYOD in play, Ferris said.
"For instance, service strategy needs to consider the adoption of BYOD in the organisation," she said. "It may not be appropriate to every organisation and it may not be appropriate to every employee within the organisation but careful consideration needs to be given to the ramifications of a BYOD strategy including security, legal, financial, HR and the need to maintain productivity and meet service level agreements.
"Meanwhile, the service portfolio approach of 'define, analyse, approve and charter' needs to be applied to BYOD as it does to any other service under consideration as a potential service offered by the organisation. The implications for service desk and support also have to be considered. Each of the ITSM processes has to be adopted and adapted to manage the implications of BYOD."
Ferris offered, as an example, that "BYOD as a service" would need to be included as part of the service catalogue while there will be changes to a range of other processes to reflect the changing environment.
"It will have associated service levels managed via Service Level Management," Ferris said. "Change management will be key in ensuring that changes do not compromise the security around BYOD and therefore increase risk.
"Service asset and configuration management can be used to record details of employees who have signed up for BYOD and the associated policy. Supplier management may have to manage additional suppliers if third party support for BYOD devices is put in place.
"Meanwhile, security management will be key while there will also need to be clear communication about what service is provided by the service desk and support teams for BYOD through incident management and request fulfilment. There is no right or wrong answer but the ITSM practices will need to be adapted to manage the situation."
Staff and IT have different views
It is hard to determine how much impact BYOD has on existing ITSM processes and help desk support but there is some research that suggests it is not as much as you might expect.
Lee Ward, vice president and general manager, IT outsourcing, for Unisys Asia Pacific said that while the adoption of personal devices represents "an unstoppable trend" this doesn't mean it is unmanageable.
She cited "2012 Unisys Consumerisation of IT" research -- completed by Forrester -- which showed that IT support for company-owned smart phones and tablets in Australian organisations has nearly doubled from the previous year. Interestingly, it also showed that support for BYO devices has decreased significantly compared to 2011.
"Perhaps this is because there are some fundamental differences between how employees and the IT department view IT support requirements for BYO devices," Ward said of the Forrester research.
"The study found 52 per cent of Australian IT and business decision-makers believe that employees who encounter trouble with their personally-owned devices are most likely to contact the IT department.
"However, the same report showed that 60 per cent of Australian employees say they are most likely to troubleshoot the problem themselves. A further 14 per cent say they will ask a friend. BYO devices won't necessarily create the strain that IT departments fear"
Good ITSM is the safety net
Security concerns are often raised as a barrier to more organisations embracing a broad-based BYOD strategy. According to Unisys' Ward this is a legitimate argument.
"Most organisations are relying on passwords -- a relatively primitive solution -- to secure their mobile devices and applications," Ward said. "A truly effective security approach requires a combination of strong policy and technology as well as the means to enforce both.
"Organisations have to think about security measures such as mandatory certificates, password, token and/or biometric locks as well as the use of secure VPN."
Di Data's Jansen said that a lot of planning is required to circumvent security risks.
"You have to put in place solutions to manage the security and risks while having these clearly defined in the BYOD policies," he said. "Communication is also important. People need to understand how the corporation will behave to offset risk.
"The most important aspect is to remember that BYOD is a journey. As technologies and processes evolve they are able to increasingly offset existing, new and perceived risks. The BYOD approach can be adjusted over time to reflect a comfortable security posture."
Macanta's Ferris said that clearly "security and risk have been the biggest concerns of IT management since the advent of the BYOD trend" but added that this should not stop the progress.
"Issues around security are valid concerns," Ferris said. "The biggest fear of CIOs is security particularly in regards to access to sensitive information and the chance of that information leaving the organisation.
"However, neither of these should be new concerns raised only by the advent of BYOD philosophies. Employees have had access to sensitive information for decades and the availability of CDs, USBs, email forwarding, phone cameras, photocopiers, pen and paper etc., has allowed this information to leave the organisation in the past. We have developed systems and processes to mitigate the risks and so it will be with BYOD.
"It is time to calm down about security and embrace the future. The technologies are now available to manage the risk. There is of course a cost but the cost of not embracing BYOD has to be evaluated against the cost and benefits of doing it."
So where do you start?
Step one in formalising and taking control of BYOD adoption within an organisation is to define the boundaries of how and when personal devices can be used. Commonsense insists that any policy statement needs to be as short as possible and easy to understand so that it gets read and adhered to.
Macanta's Ferris feels that the most important aspect of a BYOD policy is to ensure it is "clear and unambiguous".
"It should outline the responsibility of the employee to have suitable technology available for work purposes at all times they are expected to work," Ferris said. "It should define minimum specifications for hardware and operating systems and it should clarify who will pay for support of BYOD devices -- the organisation or the employee.
"Any compensation for using your own device for work purposes should be specified along with what is and what isn't supported. Meanwhile, security policies, levels of permissible data access, details about what will happen if a device is lost or stolen and what happens when an employee leaves the organisation also need to be covered."
When drafting its BYOD policy, Dimension Data's CIO said his organisation found it helpful to try and keep things "generic wherever possible".
"People can be incredibly passionate about a particular device," Jansen said. "Ensuring that you don't have to re-write the policy each time a new piece of technology comes along is helpful. Our policy contains minimum generic requirements for smart phones, tablets and computers.
"We are mindful that the minimum requirements are a combination of the device type, model and OS version. It is the combination of these three aspects that determine the device meeting minimum corporate requirements.
What are the benefits?
Andrew Talbot, an ITSM specialist with enterprise software vendor, BMC Software believes the increases in productivity from BYOD are significant and obvious for organisations with mature ITSM programs.
"The key thing is to ensure that processes around service request and incident management are still followed," Talbot said. "Mobility just provides easier access to effectively participate in those ITSM processes.
"Companies without in-depth ITSM practices will not realise the benefits of BYOD and it does have the potential to make communication less effective. Companies with ITSM best practices in place will be able to provide employees with accurate information will realise benefits, so BYOD is not a threat but when approached correctly is actually further justification for ITSM best practice."
In 2011, Citrix Systems presented the results of their Bring-Your-Own (BYO) Index which revealed that 92 per cent of IT organisations are aware that employees are using their own devices in the workplace and 94 per cent intend to have a formal BYO policy in place by mid-2013.
Interestingly, the research found that attracting and retaining the highest quality talent, increased worker productivity and mobility and greater employee satisfaction, as well as reducing IT costs, are the primary drivers of BYO adoption.
Macanta's Ferris, agreed with these survey results. She said forward thinking organisations have to allow good quality staff and new generation workers to work on the devices of their choosing.
"Students leaving school and university where they have been able to plug in their own devices are not going to be satisfied if they have to use equipment provided by the employer and that they are not allowed to connect their own devices," Ferris said. "This will be seen as archaic, restrictive and unsatisfactory."
While Dimension Data's Jansen said that metrics around the benefits attainable through the adoption of formal BYOD policies and processes are hard to establish, he still thinks the anecdotal evidence is strong.
"BYOD in isolation will deliver few financial benefits to an organisation other than improved staff satisfaction," Jansen said. "Most CFOs will argue that this is intangible. The effort, cost and complexities generally negate any of the capex savings that might be made.
"However, when BYOD is combined with mobility, the benefits magnify each other. It accelerates the adoption of mobility and removes inflexibility in a mobility strategy. Sometimes these benefits are thought of only in productivity terms, however we have found that there are many more."
According to Jansen, Dimension Data saw benefits in flexibility of workplace and flexible work arrangements which saves costs in physical office space and reduces staff turnover with all its costs.
"IT service continuity and business continuity is improved because people can work anywhere and do anything in the event of natural and other disasters," he said.
"There is better access to corporate information regardless of location and we believe that better decisions are being made as anything and everything is at anyone's fingertips, at any time and on any device.
"Meanwhile, BYO and mobility are very visible to the business. IT can be seen contributing and helping the business and its people to be successful and productive. This improves the relationship with end users and increases the profile of IT."