BYOD: It might be the most over used acronym of 2012. Unfortunately it’s not just overused, its just as often misused. BYOD is not the same thing as consumerization of IT but rather a response to the trend – i.e., corporate policy to allow employee-owned devices on the network. The trend of consumerization of IT and the numerous corporate policies that are being implemented to deal with it are having significant impact on enterprise security professionals. This impact is being felt from the data center, across corporate networks, on new mobile devices, new mobile applications, and in mobile-supporting cloud infrastructure.
Given the degree to which mobility is driving change in enterprise infrastructure purchases, it’s important for security professionals to understand where the dollars are going for a BYOD policy, which pieces have a security component, and the arguments for return on investment.
So how many devices are we talking about? According to the independent mobility analyst Tomi Ahonen, by the end of 2012, there will be 1.1 billion to 1.2 billion smartphones in use worldwide, which “starts to approach the installed base of all personal computers of any kind including desktops, laptops, netbooks and tablet PCs like the iPad.” These are big numbers and they are growing fast as smartphones’ share of the total handset market grows. (About a third of all handsets sold are currently smartphones, according to Ahonen.) And knowledge workers are particularly fond of their mobile devices. A recent Cisco study estimates that the average knowledge worker will have 3.3 connected devices by 2014, up from an average of 2.8 this year. The Cisco study also states that corporate mobility initiatives will consume 20 percent of IT budgets in 2014, up from 17 percent in 2012. Where the money goes in implementing a BYOD policyis worth drilling into.
BYOD POLICY: TCO and ROI
When it comes to mobility, it doesn’t seem anyone wants to talk about total cost of ownership (TCO). Many are enterprises jumping into BYOD, assuming that it saves money.. But as mobile devices find their way deeper into organizations, both from a number of endpoints and applications per endpoint, more thoughtful organizations are thinking about TCO.
BoxTone, a mobile management software vendor, does a good job of thinking about TCO. While we can quibble about the numbers it uses, the company’s framework provides a good starting point. According to BoxTone, the general cost buckets can be divided into external costs (data plans and roaming, and device hardware and software), and internal/IT operations costs. The external costs are the more obvious, but enterprises that let employees expense their service plans need to factor in the loss of bulk buying plans from the carriers. The internal costs are more opaque and can include: mobile device management and security software, wireless networks and access control systems, help desk and IT operations, and general IT, administration and training. BoxTone estimates that these costs total $1,500 per user per year.
A growing slice of that cost pie is due to maturing security and management requirements. Mobile device management products, which often include baseline security features, are currently experiencing significant downward pricing pressure, as low as about one dollar per device per month, but a richer set of mobile security functionality is making its way to market.
It’s not just the number of mobile devices but their performance that strains networks and adds additional costs. Smartphone and tablets manufactures are leveraging Moore’s Law like everyone else and the use cases for mobile devices will quickly rival laptops. Given the breadth of end users on mobile devices and the diversity of use cases, BYOD is driving not just the need for performance upgrades but also much more fine-grained network access controls.
So what do organizations get for their money? Well, with respect to ROI, mileage may vary. One positive metric for employers is that employees tend to work more hours when a BYOD policy is implemented. Good Technology estimates that the average employee works seven more hours per week. For knowledge workers, of course, this is unpaid. But this is not really a measure of productivity increase under BYOD, which is the measure of production per unit of time. The McKinsey Global Institute, the research arm of the well known business consulting firm, recently estimated that social media tools could add as much as $1.3 trillion to the U.S economy if fully embraced, increasing knowledge worker productivity by an average of 20 to 25 percent. The improved communication and collaboration benefits cited in the report can be powerfully driven by mobility. What is really interesting with respect to mobility is that organizations are reconsidering the best ways to measure workforce productivity. Dell has done some in-depth survey work on this topic in its Evolving Workforce research series.
The popularity of smartphones and tablets is part of a longer trend toward an “always connected” lifestyle. We have moved from environments where a relatively small percentage of an organization’s workforce had mobile email access to one where the trends of social/collaborative tools, mobility and cloud have conspired to literally put the world at anyone’s fingertips anytime and almost anywhere. That’s powerful, but many IT and security personnel don’t get it, and employees are using social, mobile and cloud capabilities to do an end-run around IT and security teams. Those professionals would be well served by understanding fully the expected benefits associated with mobility as well as the cost centers. Security teams in particular have a hugely important role to play in ensuring that the benefits of mobility outweigh the costs. This is especially true as corporate emphasis shifts from mobile device management to more thoughtful and security focused mobile information management.