Bring Your Own …

More and more people in professional organizations bring their own smartphone, tablet or even laptop to work. And they don’t just bring their own device to work, they also use it to take their work with them to other places (home, traveling…) Policies like BYOD (Bring Your Own Device) and CYOD (Choose Your Own Device) try to formalize and regulate this development. Sometimes I wonder how effective this regulation is going to be. Especially because the BYO trend is not just limited to devices. People will also bring their own software tools and even their own platforms to work, even if work is not ready for it yet.

I see a growing number of projects in highly regulated organizations (e.g. the Police or large banks) where people want to share information about what they are working on and work together on different kinds of documents and files. These project groups are often composed of employees of different departments or regional divisions. Sometimes there are others involved from external organizations (government agencies, suppliers, consultants). This creates a need to share information across company platforms. Of course, you have to be careful with the information you share. So it is wise to pay attention to where the information is stored and what can or cannot be shared with a certain team or person. But chances are that if you have a highly motivated and creative team, they will not easily be stopped by company policies if these policies get in the way of realizing their goal.

I know of such a team who tried very hard to work with the internal platform that the company had provided for online collaboration. It was a very secure platform with extensive version control, finely grained access control and a good backup system. There even was a possibility to grant access to external project members. So far, so good. The team applied for a project site on this platform. Of course, there was a procedure they had to go through. After completing the necessary application forms, it took three weeks for the application to be processed. After the decision, it took another two weeks for the system administration to open the site. At that point, only the project support person who filed the application had access to the site. He started to enter the other team members and with the internal colleagues he succeeded, but the external project members had to be approved by a special procedure, requiring more paperwork and involving  a manager two layers up in the organization. Finally, after more than two months, the entire team had access to the site and they could start using it.

The problem was that at that point, there was already two months’ worth of work that had been stored elsewhere. On local hard drives, on network drives, on USB sticks and in email messages. No version control and little security. The team set to work to transfer all these files to the project site. They found the navigation difficult to work with, especially the external team members, who had to log in twice before they could work on the site. Due to security reasons, the external mail functionality was very limited. So the alerts about updated documents never reached the external team members. A forgotten password or a blocked account required manual intervention by a sysadmin and this would typically take two to three days to be resolved. All in all, the team felt that this tool was not a contribution to their success. If anything, it was a pain in the neck.

Even though company policy forbid the storage of company files on an external server, they decided to switch to Basecamp. One of the external team members had used it before and convinced the others that it would be much easier and quicker to use. Compared to the situation where files were stored in email messages and on local drives and USB sticks, Basecamp would be a lot better. Opening and configuring a Basecamp site for their project took less than half an hour. Transferring and organizing the existing files took two hours. Entering the project’s stages and milestones took another half hour. So in less than half a day, the project site was up and running. In a few hours, they had made more progress than they had on the official company platform in a few months.

So far, the team has been working along happily and the company has not interfered. There has been a heated discussion among the management as to what should be done about it. The project manager has had to answer some critical questions, but so far she has gotten away with it because her project is getting excellent results.

Now I am not saying that everyone should use Basecamp or any other specific tool. There are many different tools and there are others who have done tests and made comparisons much better than I can. Neither am I saying that it is OK to ignore company policies. The risks involved can be very serious and should be weighed carefully.

I think the example of this project team illustrates the fact that the best people for a project (the creative, the highly motivated, the result driven ones) will always try to find ways to get their work done in the most effective way. Even if that involves using tools and platforms outside of the company guidelines and policies. My feeling is that the risk of stamping down on a team like this will be that the team loses its motivation. The risk of letting the situation continue is of course that information gets lost or leaks out. If it were up to me, I would let the team continue, but I would talk to them about the security issues and maybe even periodically check on them.

Because there are so many excellent tools out there, a lot of them web based and easy to use and configure, there is no stopping a team like this. Unless you cut them off from the Internet, which is something hardly any organization will do any more. So people will not only bring their own devices to work, they will also bring their own tools and even their own platforms. Trying to prevent that is virtually impossible. And even if it would be feasible, chances are that the costs outweigh the benefits.

So if your organization is not yet ready for Bring Your Own… (Device, Tools, Platform, Whatever), you might as well get ready quickly. Effective security has always been a people’s thing rather than a technical thing. Stashing people away in Fort Knox is not going to help. The Bring Your Own… trend is driving this message home harder than ever. It is the people feeling the responsibility and acting upon it that will make the real difference. How responsible and security minded are the people in your organization? That is the most important question if you want to get ready for BYO.

About Koos de Heer

Consultant @ Van Aetsveld. Project doctor.
This entry was posted in BYOD, Security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s