At the recently concluded Public Sector Chief Information Officer Convention and Exhibition (CIO Convex) 2016 in Malaysia, Mr. Mohit Sagar, Editor-in-chief at OpenGov moderated a debate on the contentious issue of BYOD (Bring your own device). The strong arguments on both sides presented serious food for thought.
The proposition: 'Malaysia should have a favourable policy on BYOD'
Mr. Gerrit Bahlman, Director of Information Technology, Hong Kong Polytechnic University, Hong Kong and Mr. Thillai Raj T. Ramanathan, Chief Technology Officer, MIMOS Berhad, Malaysia were speaking for the motion.
Arguing against the motion were Mr. Glenn Ashe, Former GCIO Attorney General Department, Australia and Mr. Ganesh Kanagarajah, Head, Strategic Products and Services Governance, Group IT PETRONAS Risk Management Division
Opening statements
For the motion- Mr. Ramanathan
Mr. Ramanathan took the floor to make the case in favour of the motion. He listed several points, based on his experiences, supporting the idea of a favourable BYOD policy:
- It helps to attract and retain talented millennials who are comfortable working on their own devices, anytime, anywhere.
- Employees take better care of their own devices, installing and updating security software. Physical theft/loss has also been seen to go down with BYOD.
- BYOD saves costs for the organisation.
- Employees use a wide variety of applications, which might bring better platforms for collaboration and innovation to the notice of senior management.
Against the motion- Mr. Kangarajah
Mr Kangarajah presented several arguments against adopting BYOD:
- Will the organisation bear liability risk for unlicensed products? If consumer grade products are used for enterprise work, it might violate licensing agreements. There’s a high probability of that happening if consumers are permitted to use their own devices.
- BYOD presents huge potential for distraction at work. What if staff spend increasing amounts of time on social media?
- The IT department would have to support a wide range of devices with different standards, operating systems and applications, increasing overheads and complicating support.
- BYOD could hamper work-life balance.
For the motion- Mr. Bahlman
Productivity perspective: Mr. Bahlman stated that for the millennial generation there’s no separation between work and life. BYOD would enhance productivity for them, allowing them to manage their personal affairs, while working.
Security perspective: Employees might use their own device irrespective of guidelines. It might be better to allow it, regulate it and provide a work environment on the device to ensure security.
Against the motion- Mr. Ashe
Mr. Ashe questioned the proposition itself, asking who or what is the BYOD policy favourable for? Is it favourable to the Malaysian government, the employees working for the Malaysian government?
He admitted that BYOD has a role to play in today’s workplace. But serious thought is required before going full steam ahead with it. He brought up security concerns and said that it was essential to protect data assets. It would be important to have a structure in place before embarking on the BYOD journey.
Rebuttals
For the motion- Mr. Ramanathan
He said that there is no longer much difference between enterprise and consumer devices. And BYOD enhances communication and boosts collaboration. So what is of benefit to employees is beneficial for the Malaysian government as well. And he said that technology rightly implemented can take care of security concerns. You can easily create a sandbox on the phone and wipe that if the device is lost.
Against the motion- Mr. Kangarajah
Does BYOD actually reduce cost? If staff is company issued devices, from a vendor, the company knows the cost and can manage the cost. But with BYOD, you will need a whole bunch of administrative controls to monitor the devices, prevent data leakage. Also, what happens if a device is lost or it breaks down, maybe due to work related issues.
For the motion- Mr. Bahlman
Critical data should not be present on the devices in the first place. If it is not, then the question of administrative controls does not arise.
All data must be classified. Non-sensitive data, which might be bulk of what some employees are dealing with can be stored on own devices without adding to risk.
BYOD might be more expensive in the short-term because systems and services would have to be re-designed from the ground-up, to ensure that important data is protected. But it is an investment which will pay off in the long run. Successful implementation of a secure BYOD environment demonstrates a commitment to understanding your data.
Against the motion- Mr. Ashe
There might still be mixing of personal and work data on staff’s own devices, notwithstanding best efforts. If an Ipad is lost, the IT department might want to wipe it clean remotely. But what f the employee doesn’t want because he/she has valuable personal material on it.
Conclusion – A consensus
By this time, views seemed to converge, though the debaters were supposed to be on opposing sides. Strong policies are required and policies cannot be created reactively, on the fly. Also, policies by themselves might not be enough. Constant monitoring is required.
BYOD implemented the right way can enable delivery of internal services with flexibility and agility, enhance productivity, collaboration and innovation.
The debate was not over yet!
The debaters appeared to have moved to the side in favour of the motion. When Mr. Sagar asked the audience, composed of officials from the Malaysian government’s digital agencies, if they supported a favourable BYOD policy for the Malaysian government, the answer was a resounding Yes.
But there were a coda yet to come.
Mr. Sagar asked the audience if they would be okay with the IT department in their organisation installing applications and implementing security controls on their personal devices, there were more than a few NOs heard from the audience. They were not willing to relinquish even partial control over their devices.
Like many other aspects of digital transformation, it is clear what needs to be done, in theory. But it is about people at the end of the day. That has to be kept in mind for practical implementation of any policy or strategy and that would be the crucial difference between success and failure.