The Maturing of Enterprise Mobility, and the Way CIOs Talk about BYOD, MDM and Risk
In recent conversations with CIOs, it was great to hear that both enterprises and solution providers alike have evolved from their early, simplistic view that enterprise mobility initiatives are all about the management of devices. For many organizations, the instinctive initial response to Bring Your Own Device (BYOD) initiatives was for IT to do what IT has always done – which is to block access for all mobile devices, except those for which IT can establish direct visibility and control. In its 1Q 2015 study on mobility and security, Aberdeen Group found that about three out of five (61 percent) of all respondents had already implemented some type of mobile device management (MDM) solution, with another one out of five planning to have one in place in the next 12 months.
But most CIOs today recognize that enterprise mobility initiatives are about much more than managing devices! On the contrary, in Aberdeen’s study the leading drivers for current investments included the positive objectives of enabling user productivity (53 percent of all respondents), supporting collaboration between users (26 percent), and improving user satisfaction (22 percent). To be sure, investments are also based in part on “elimination of the negative” objectives, such as minimizing security-related incidents (e.g., data loss or exposure, unauthorized access, unplanned downtime; 37 percent of all respondents), and sustaining compliance-related requirements (20 percent). This is a good example of the balance that must be struck, for the role of CIO to remain strategic and relevant.
Given this context, it was refreshing to hear these recent CIO and vendor conversations focus around making enterprise mobility initiatives:
• Easier for users to enroll devices, deploy applications, and access and share the content they need to carry out their business objectives
• Easier for administrators to deploy and manage the tools they need to maintain visibility and control
• More effective at protecting enterprise applications and data, without compromising employee privacy and control over their own applications and data
But does this mean that enterprise control over mobile devices, applications or data doesn’t really matter? No, and here are a couple of facts that help to confirm why. One leading provider of enterprise mobility management solutions reported that of the more than 6M devices being managed across their customer base, 130K (about 2.2 percent ) needed to be remotely “wiped” in the last 12 months – e.g., as a result of the device being lost, stolen, or otherwise unaccounted for. This measurement aligns extremely well with the findings from Aberdeen’s recent survey:
• Over more than 130 responding organizations, the average number of mobile devices being managed was about 7,100
• Of these, the number that were successfully recovered or disabled over a 12-month period averaged just over 200 – or about 2.8 percent
Doing the math, the cost of replacing 2-3 percent of an organization’s mobile devices each year probably doesn’t justify the cost of an MDM solution for 100 percent of the organization’s mobile devices – especially when some of the replacement cost is on the shoulders of the employees, under the auspices of BYOD. But that really helps to make the bigger point: the risk is not so much in the replacement of devices, but in the compromise of sensitive data or access to other enterprise resources. Moreover, remember that these are just some of the negative (or “unrewarded”) aspects of risk from enterprise mobility – CIOs can and should also do an assessment of the positive (or “rewarded”) aspects of enterprise mobility, based on before-and-after estimates of the time to deploy applications, access and share content, and so on.
“It’s encouraging to know that many CIOs are thinking about both the rewarded and the unrewarded aspects of enterprise mobility initiatives, which makes them better partners and strategic advisors to the business”
It isn’t always intuitive to think of such benefits in terms of risk, but in fact the proper definition of risk – the likelihood of something occurring, and the magnitude of the business impact if it does occur – actually encompasses both sides of the coin. Said another way, making risk-based decisions about enterprise mobility is about making decisions in the face of uncertainties – that is, if we knew exactly how much productivity would go up, or exactly how much a data breach incident would cost, it wouldn’t be a risk at all: it would be a fact! For now, it’s encouraging to know that many CIOs are thinking about both the rewarded and the unrewarded aspects of enterprise mobility initiatives, which makes them better partners and strategic advisors to the business. Going forward, we still have a lot of work to do with regard to how we quantify and communicate about these risk-based decisions – but let’s make that the topic for another day.