Embarking on a BYOD journey requires a sea change in the culture of an organisation. CIOs need to handle this situation delicately, yet firmly and consistently.  Clear communication and a strong policy are an absolute must to ensure as smooth a transition as can be expected. Brandon Hampton, Director at MOBI Wireless Management, in conversation with Biztech2.com, sheds some light on the lesser known, and often ignored, facets of BYOD.

What are your recommendations in terms of the lesser known facets that CIOs should take into account when working towards the transition to BYOD?

The first recommendation I would make to a CIO is to make sure they have a clear understanding of their true costs involved in maintaining a wireless environment.  We have generally found that the costs associated with most wireless environments are inflated by over 20 percent.

I would strongly recommend that a CIO task someone from finance to study the costs of their existing environment. I find it surprising that most organisations task someone from within the IT department to determine costs. Now, what are the chances that a clear representation of an organisation’s costs will be generated by the very people responsible for those costs? And yet, it happens every day. Only with a clear understanding of the current environment can a CIO truly set achievable realistic goals around a BYOD transition.   

Secondly, I would recommend that any BYOD strategy be in line with a clearly defined corporate mobility strategy. This means that the organisation needs to develop the latter if its not already in place.

How critical is it to have a BYOD policy in place? Could you share some pointers for establishing a clear and concise policy for smooth BYOD operations?

The policy is a big and a critical component of any BYOD program.  The legal landscape is extremely nebulous, to say the least. The key weapon an organisation has to combat the scary situation of having corporate data residing on a device that they do not own and have limited control over is a foolproof policy that is enforced rigorously. This key component is one that many organisations do not pay nearly enough attention to and simply add a few lines to their existing mobility policy in an attempt to cover their bases. Most legal council also advise organisations to have a consistent policy that doesn't allow for exceptions. Given the vagueness that exists in today's legal landscape, this practice will at least ensure that an organisation is protected from punitive damages.

The language needs to be carefully worded to adequately protect an organisation, and a system must be in place to ensure that all users sign off on the policy. This is a greater area of risk today for organisations than the risk associated with data loss due to security breaches; however, the security aspect is often given much more attention.

It is also important to set clear expectations with end users regarding what the organisation will pay for and what it won't. The language also needs to be lucid regarding data on the device and that there is the possibility of personal data being wiped or becoming part of e-discovery in a lawsuit.   

Considering that employees are the weakest link when it comes to BYOD – how can CIOs drive employees to adhere to these policies?

Many Mobile Device Management applications allow for organisations to manage policy and ensure that a device is compliant before it is granted access to corporate networks and systems.  This gives a CIO the ultimate leverage by completely preventing non-compliant users from accessing corporate data. If those users value their jobs and corporate information is a key component of that job, they will ensure that their device is compliant.

What happens if an employee loses the device or leaves the company?

Successful programs have systems in place that tie in with HR systems to quickly allow for access to new employees or ensure that departing employees are prevented access to corporate servers. In many cases, the devices are wiped.  Some MDM applications allow for a company to wipe just the corporate data from the device, but not all. Either way, a significant security hole can be created if a process is not in place to deal with these employees.