Your lips say "no" but your behavior says "yes". In the end, most employees will give up some privacy in return for convenience if their employers level with them.
A recent post by Lori MacVittie on F5's DevCentral site raised a lot of good questions about the future of the consumerization of IT. I re-posted her column, "Why MDM May Save IT From Consumerization," on my Facebook page and asked one key question: "Do you WANT your personal device managed by IT?"
The answers were generally along the lines of "hell, no." Admittedly, I have geeky friends who might be a little more particular than the average consumer about who manages their data or systems, but after shopping this questions with other friends and family, I think the knee-jerk answer is "no."
Like most of us, MacVittie is fine with the requirements for responsible BYOD (bring your own device) and MDM (mobile device management. She writes: "If I'm going to have corporate email messages, which in addition to their sensitive nature oftentimes include attachments that have even more confidential data--product roadmaps, marketing strategies, detailed internal discussions on functionality and features--then it would be necessary to follow best practices like locking the screen with a password and requiring stored data to be encrypted." But MacVittie also makes the point that her personal device is PERSONAL. It's shared with her young son, who does all of the things that a young man normally does, like hit random keys, delete random apps, and possibly erase the data on her device after trying and failing to unlock it too many times.
She's right that some people freak out when they see everything spelled out about MDM: mandatory screen locking, mandatory remote wipe, mandatory password rules. But after observing recent tech history, coupled with my own experience in rolling out an MDM policy, I think that those who say "no" and really mean it are few and far between.
BYOD and MDM pose a classic liberty and privacy versus security and convenience tradeoff. We all want liberty and privacy, but most of us are willing to give up some of it for security or convenience.
If you had asked folks five years ago whether they'd accept free email as long as the provider could mine their correspondence for marketing data, they--like the people who responded to my Facebook post--would have said: "Hell, no!" But fast forward, and Gmail is one of the world's largest email providers.
The Wall Street Journal and other media outlets have repeatedly pointed out that free or low-cost phone apps have been downloading users' personal information without their knowledge for years. Yet we go on buying phones and downloading these apps.
How is IT installing a management app on your device any worse? It's not. And frankly, when employees are approached in the right way, they'll see the situation as more of a win-win, since IT is helping them keep their devices secure. What really matters in making MDM successful are the rules of engagement--the way that you approach and treat employees.
Rules Of Engagement
Trust is always a two-way street. A huge part of BYOD is allowing employees the convenience to use whatever tool they want at whatever time makes sense for them. So the organization is trusting employees to do the right things but will also hold them accountable, putting in some technical controls to help employees not make mistakes.
Employees, in turn, must put some amount of trust in the organization, e.g., let it wipe the device only when that's truly needed. Trust gets eroded when employees feel that IT is doing something to them instead of working with them.
Yes, a policy is necessary, and the one I use spells out how and when IT will manage employees' personal devices. (All employees who use their own devices for work must sign that policy.) But beyond such policies, IT organizations must establish credibility that the trust employees place in them won't be abused. Have you ever had an IT admin use remote viewing or control in a non-professional manner? If that kind of abuse happens more than once, kiss trust goodbye.
The other way that trust gets eroded is when IT organizations treat employees like prisoners. MDM sandboxing has its advantages, but a fascist-tight span of control doesn't ultimately work, either with employees or against smart, dedicated attackers.
I remember when my Palm-based smartphone came with one of those "total lockdown" secure messaging platforms, and the thing completely took over. It was like a virus. I figured out how to bypass it, but it was inconvenient, so I wiped my phone, said no thank you to the messaging platform, and had my employer buy me a company-owned phone.
The rules of engagement with employees on BYOD should differ depending on the type of company. The rules at highly regulated companies, for instance, will differ from those at open, highly collaborative ones. Also understand that the CIO or CISO can't make span-of-control decisions in a vacuum.
Bottom line, MacVittie is right--MDM will cut the knees out from under consumerization, but only at organizations that fail to communicate and negotiate with employees and create sensible BYOD policies and rules of engagement. Employees are totally fine with giving up some convenience and privacy. But they're not OK with the organization going all fascist on them. There's a tradeoff that needs to work for everyone.
Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina. Write to him at firstname.lastname@example.org or at @_jfeldman.
The Enterprise Connect conference program covers the full range of platforms, services, and applications that comprise modern communications and collaboration systems. It happens March 26-29 in Orlando, Fla. Find out more.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.