The concept of bring your own device (BYOD) may have started with students and employees simply using their own phone at work or school, but it rapidly evolved to include personal email, data storage, and BYO technology (BYOT). A blog posting at the Chronicle of Higher Education about how to prepare for a job change raised red flags and set off fireworks in the CIO world. The blog and the ensuing comments discussed employees archiving their business email and data to a personal cloud account and migrating software licenses to personal email accounts.
To learn more about how the latest developments in BYOD are affecting IT staffs, I spoke with Theresa Rowe, Chief Information Officer at Oakland University, who serves on the board of several technology companies and a Top 50 Most Social CIO In Higher Education.
Theresa Rowe (Twitter: @OUCIO), CIO - Oakland University
With the fall semester right around the corner, Theresa fondly remembers old-time days on campus. Back when Mom and Dad were given a paper from the university describing exactly what kind of computer their student would need to bring to campus. Some amount of software, probably involving Microsoft Word, was installed and ready to go. Either the family hand-me-down computer (is the network card too old?) or a shiny new graduation gift computer came to campus with the student. Student techs would float through the dorm on move-in day, ready to help connect that desktop to the wired network (as long as the right network card had been purchased).
Fast-forward to the current campus and the incoming new student. That student will likely bring 3 to 5 devices, all requiring a network connection. One key change is who selected those devices. Unlike years past, when the university recommended devices based on testing and support options, we now see devices selected by the student (and their parents).
This shift has affected faculty as well. Years ago IT assigned a pool of computers for faculty use. That grew to a computer for each faculty member. But the trend to employ more part-time or adjunct faculty members meant that limited campus resources were not likely available. Part-time and adjunct faculty members increasingly showed up with their own computers and expected to connect to the network and accomplish work.
The change in direction that started with personal choice has been referred to as consumerization of IT, a term that emerged in 2001 (Douglas Neal and John Taylor, Leading Edge Forum) to describe the reorientation of information technology and computing products around the individual end user. BYOD and now BYOT are subsets of this, involving employees choosing, procuring, and purchasing the devices and other technology used at work.
What started as a tiny snowball at the top of the IT purchase-and-utilization hill is now a huge rolling boulder with impact throughout our educational institutions. While we try to create an orderly, secure, and accountable structure for the IT organization, the campus community is going shopping and creating a personalized, customized work environment.
On one hand, the shift from employer-provided computing equipment and tools to self-funded equipment and tools can be appreciated for its positive budget impact. A case might be made that personally-customized technical environments and toolkits improve educational delivery, research, and general work product. On the other hand, the loss of traditional controls is forcing higher costs, security issues, and management challenges.
We are increasingly dealing with individual decisions that do not scale, do not provide risk management, and do not provide accountability. Consumerization is more than a discussion about the impact of iPads and BYOD. We need to include conversations about how decisions are made, how costs are shifting, and how accountability changes.
Theresa visualizes the IT operation at Oakland University as "planets in orbit." Data, storage, communications, software, devices, and the faculty, staff and students using these pieces, are all in motion, and may be in different orbits. Intersections of the orbits make for challenging security and risk-assessment strategies.
Consider this situation: A faculty member loses an iPhone. The previously-assigned desktop computer typically never left the desk; it was installed with identified software, and connected only to a known network. But the lost iPhone could be anywhere in the world. The data accessed from that iPhone may be resident on the phone, it may be cloud-resident, but accessible with a saved login, or it may be protected if the user was careful about security. What if data were shared as attachments in email; where do those data live? Are data attachments on a server accessed through a university-contracted cloud email provider, or are they resident in an app purchased by the owner of the iPhone? If you ask the owner of the iPhone, will they be able to accurately describe the data storage locations accessible from the iPhone?
The challenge to the IT staff is to determine the possible controls, considering:
- The device may or may not be owned by the employer. Today 78% of employees are using their own personal devices at work.
- If a device is personally owned, the security of the device may be limited by the owner's understanding of and commitment to techniques used to appropriately secure the device.
- The software in use on the device may be a mix of software personally purchased by an individual and software purchased by the employer.
- University data and personal data may mix on the device, traveling between personally-owned software and university-contracted software.
- The device may just be a pass-through to storage in the cloud, privately selected and purchased.
The challenge for the central IT organization is that many of these decisions are, by intent, personal. Inserting the IT professional into the decision process is difficult. We can't go shopping with every employee. We can't check every personally-owned smartphone to make sure that pass-codes or encryption solutions are enabled. We cannot audit our employees to see who is buying cloud storage services. When the university publishes a department phone number, they expect those calls to be answered; if an employee prefers to use a personally-owned phone service, should the university post their personal phone number on the web site? When an employee quits, IT cannot easily pull back those items that the employee personally chose to store in the cloud.
The concept of a walled-garden around data that need to be protected seems like a reasonable solution, but in practice, is very difficult to implement. Providing an employee with the access to data they need to do their jobs does not imply that a protective bubble wraps those data elements wherever they go in orbit. If the individual making the decisions does not understand where my email attachments are stored, or cannot answer the question, "when you hit save, where are the data physically stored?" We cannot expect individuals to make security and accountability decisions in the best interest of the university. But without the ability to insert central IT into the individually-driven process, a security gap exists.
Theresa observes that there is a set of services at college and corporate campuses that are now triplicated; one set owned by the employee, another set owned and provided by the employer, and the third set that is vendor-provided or in the cloud:
- Cell / phone service
- Data network service
- Technology device
- Storage plan
- Software
Data are flowing and merging among these three service sets at different times and from different locations as the employee moves about. This makes retrieval of the different pieces difficult when the employee departs. The challenge of the CIO is to manage the employer's interest, while understanding that the employee at times may have a different interest. The employee may start moving things around to preserve what they want to keep after departure, for example email and contacts to a personal account. The researcher may be tempted to move research data to a storage service. Is it worthwhile to try to pull an app off the employee's iPhone that was employer-provided as a corporate tool? Can you get back sales spreadsheets that the employee stored in Google Drive in their personal account? As part of the exit process, employers have to figure out what needs to be pulled back from departing employees.
In conclusion, CIOs and IT leaders must consider investing in technology solutions that exist today in order to further improve network and user application visibility and control, while delivering flexible and secure consumption models.