The business side of BYOD (and the "Internet of Things" / IoT )
This short book is a discussion from a cultural and organizational perspective about the current and potential business impacts of enabling smartphones, tablets, computers, and any other device that goes under the label "Internet of Things" - IoT.

It has been prepared as a "case study"/"brainfood" for a workshop on change management (see http://www.slideshare.net/robertolofaro/are-you-ready-for-change-workshop-presentation-and-concept).

Focus: knowledge- and information-management beyond your corporate boundaries.

You can always find the (free) edition of my business books on http://www.slideshare.net/robertolofaro (sometimes full books, sometimes key chapters useful for your own publishing, consulting, training and overall change activities).

The (low price, of course!) printed and Kindle versions are available on http://astore.amazon.com/getarothewor-20

Aim: spread ideas, and collect feed-back (visit my profile http://www.linkedin.com/in/robertolofaro)

Document Transcript

  • The business side of BYOD - cultural and organizational impacts. Roberto Lofaro
  • Copyright © 2014 Roberto Lofaro All rights reserved. ISBN:1494844265 ISBN-13: 978-1494844264
  • CONTENTS
    A Caveat ........ v
    1 Today ........ 1
    1.1. Why BYOD is relevant ........ 1
    1.2. Pervasive computing ........ 5
    1.3. Ownership and control of devices ........ 9
    1.4. A systemic perspective ........ 11
    1.5. Managing (i.e. “governance” of) the BYOD risk ........ 16
    2 Tomorrow ........ 19
    2.1 Coping with the future ........ 19
    2.2 Impacts on the delivery of ICT services ........ 23
    2.3 Business architecture and “virtual” ICT systems ........ 29
    2.4 Internet of Things: a “blue sky” perspective ........ 32
    2.5 Essentials of a dynamic security policy ........ 36
  • A CAVEAT
    This page should be accessible for free on Amazon: if you are looking for a book on the “technical” side of BYOD, this is not for you. If, instead, you are looking for something that delivers an overview of present and future issues and impacts related to the introduction within your company of a technology that is outside your control, this might help.
    Moreover: the title says “BYOD”, but you should read it as “BYOD and any device that you do not really control”, i.e. including “wearable computing” and other similar future devices (yes, including the “Internet of Things”).
    When I was asked if I would be interested in writing, with another colleague, a book on “how to write a BYOD policy”, we jointly decided that it would have to be something more than a mere cookbook. After the book publication was put on hold and, eventually, postponed “sine die” (i.e. practically shelved), I decided to re-use what, throwing the heart beyond the fence, I had already written.
    Therefore, this short book is basically a “brainstorming case study” that will be used in a new service, as it covers issues (privacy, intellectual property rights, security, information management, social networking) that nowadays are part and parcel of any cultural, organizational, technological change.
    As a further support, you can also refer to the books that I published on Amazon and Kindle on organizational change and business social networking, books that you can read online for free on Slideshare [1]. Your comments and suggestions are welcome [2].
    [1] http://www.slideshare.net/robertolofaro
    [2] http://www.linkedin.com/in/robertolofaro
  • 1 TODAY
    1.1. Why BYOD is relevant
    What is BYOD (Bring Your Own Device)? Certainly not simply enabling your people (staff, suppliers, stakeholders, friends and foes) to use their own favorite device(s) to connect to your information system.
    Recent statistics show that new mobile phones are more often than not smartphones, i.e. pocket-size computers with antennas, often based on systems (Android and iOS) whose suppliers have a long history of “data mining” their users. The main issue isn't, of course, whether you trust Apple or Google, but that, in order to enable their marketing activities, they keep open access paths to the resources provided by those devices: including gigabytes of memory.
    BYOD isn't a choice, but a business event that must be managed: if you refuse, users can (actually, they already did) simply bring their own devices in their own pocket and configure them as if they were e.g. connected to Exchange via a PC (yes, some mobile phones can “hide” their identity).
    Most security systems are designed to keep intruders out, not to police and monitor those already inside: and modern portable computing devices are actually miniature portable broadcasting units, even if you ignore the information confirmed by Snowden on NSA's practices and tools (incidentally: most of the information he disclosed is five years old).
  • Unfortunately, computer security is closely coupled with a marketing urge that preys on (and nurtures) a constant feeling of insecurity, to push for new technologies, services, etc. Specifically on BYOD, this “marketing scare” includes the risk of your corporate data being stolen from a mobile phone or tablet that is used for both personal and business purposes, even if it is not provided by the company.
    So far, both media and industry sources (including person-to-person contacts) have failed to deliver a convincing case. In the past, banks did not like to disclose hacking of ATMs, as this could undermine their customers' confidence, and maybe this is the case also for BYOD.
    In ICT, since the early 2000s, right after the Y2K scare, almost every year there is something new that requires significant investment and training, accelerates the obsolescence of your existing technologies, and... delivers no real value. Frankly: how many organizations really received a significant benefit from switching from Windows XP to Windows 7?
    In many cases, it is only the “scheduled obsolescence” forced upon you by your suppliers that unleashes a wave of technological upgrades that consumes budget while adding bells and whistles that you could easily do without. Or: you update to Windows 7 because Windows XP is not supported, and then you discover that you have to update hardware, software, and maybe even “reverse engineer” applications that do not work anymore within the new environment, and whose developers (people and companies) disappeared long, long ago.
    This assessment anyway ignores the loss of productivity incurred when users have to adapt to and learn new tools, or even abandon a wealth of “tried and true” practices that used features removed from the new tools.
    BYOD can therefore deliver a further value-added: obsolescence is decided by the user, who then has to balance off the costs and benefits of any “technological upgrade”. Except for a few “early adopters” and “techno-enthusiasts”, this could bring up a different way of developing and delivering systems.
  • Therefore, consider what is described within the next few pages as an “assessment of potential issues”, which must be complemented by an internal assessment of what really concerns you, “coping” strategies, allocation of resources, etc.
    Disclosure: I would rather say “coping” than “managing”, as I consider “risk management” almost an oxymoron. You can manage what you know and control, but assuming that you can really manage risk generates a potential self-delusional state in which you believe you have a degree of control that you will never achieve. As many dislike “coping” due to its mumbo-jumbo “shrink” overtones, I will use “risk governance” as a more appropriate description of what you will need to do when considering BYOD.
    This is even more relevant now, as computing is no longer associated just with computers or even computing devices such as laptops, netbooks, and tablets. Smartphones and tablet-like devices are just a first step, as the lowering of data traffic fees and device production costs is opening the door to new services, e.g. expanding business intelligence on mobile devices.
    If you consider each portable device with the ability to connect to a private or public network as a kind of “repeater”, sometimes even by explicitly sharing its own Internet connection (i.e. becoming a “Wi-Fi hotspot”), you can have devices that are authorized to connect to your system and act as a “bridge” toward unauthorized devices. In plain English: each device that you do not own or control and that is enabled to connect to your ICT is a potential Trojan horse.
    Therefore, you have to consider that these devices probably present a different set of risks and opportunities from those your policies were designed for, as those policies were often designed to manage computers that lacked any independent broadcasting ability (e.g. pre-Wi-Fi and Bluetooth); they have to be managed accordingly. Many notebook policies include rules that are violated on a daily basis, e.g. by assuming that nobody will ever share her or his computer with somebody else, or that any device is used exclusively for business purposes, and therefore privacy rules do not apply.
  • As a “field test”, on your next trip by plane or train look at how many portable computing devices around you show business information: how many of your fellow businesspeople adopt low-cost options such as a “polarized screen”, an “encrypted USB key”, or a “boot password” (i.e. measures that make it impossible to access data on the hard disk even if it is removed from the computer)? Probably, only the paranoid or... those who already suffered one or more losses.
    Some of the current devices (e.g. wrist-watches that can be connected via Wi-Fi to mobile phones) deliver services that a decade ago would have been considered science fiction. Do you remember the movie “The Recruit”, where confidential data were removed using a USB key hidden within a Thermos bottle? So primitive: nowadays, even a wristwatch or jewelry is equipped with a data port.
    Also, you have to consider all these portable devices as portable, user-managed extensions of your own corporate information systems: where does the boundary between business and personal uses end?
    Another dimension of analysis is the increase in ways to quickly spread data around. When I was working in Paris in the late 1990s, a “private data business network” that we discussed for a business intelligence customer was offered by a Telco provider with the following level of service: 14.4Kbps top, 9.6Kbps guaranteed speed, at a ludicrously high price (roughly: what my colleagues from the USA paid for a much faster connection). In 2013, less than 10 EUR a month could give any consumer in the European Union the ability to transfer in excess of 1GB with a speed good enough to watch a movie (i.e. transfer a decade of your business data in minutes), using an untraceable mobile phone available in supermarkets for less than 100 EUR.
    By the mid-2000s, the International Telecommunications Union was already forecasting a geometric growth of Mobile Internet traffic, and assumed that it would take a few years to exceed the traffic delivered via landlines.
  • 1.2. Pervasive computing
    The increase in bandwidth (“Mobile Broadband”) enabled in the first decade of this century the delivery of data-intensive services everywhere, while integrating mobile-based and traditional services seamlessly.
    The most critical issue with all these devices is the ability to store vast volumes of data not only within themselves, but also on tiny, add-on, easily replaceable memory cards holding dozens of gigabytes. Why? Because while security software publishers and “BYOD management” providers would like to sell you on the much-hyped scare of broadcasting data, it is the old-fashioned pick-pocket and the loss of a device that require no technical skills or investment in technologies, and provide the best opportunity for potential rogue operators. Example: how many of you store on your mobile phone or device business email messages with attachments? And how many of you share that device outside business hours?
    In the early 1990s, portable computers were the exception; still, security policies concerning the connection and use of personal devices often sound more focused on 1990s challenges.
    A further challenge to the design and development of a BYOD policy: you need to keep watching the evolution of communication architectures and services, e.g. the Internet 2.0 routers able to “trace” (and maybe store) each individual connection, and architectural evolutions within mobile devices. As technology evolves, other hurdles limiting the number of devices that can be permanently connected to the Internet will be removed, e.g. through the “Internet of things” built on IPv6, a new version of the “Internet Protocol” used to uniquely identify a connection. A key feature of IPv6 is the exponential increase in the number of devices that can be connected: from the vending machine in your office to your fridge at home, anything near an Internet access point could be connected 24/7, and there would still be plenty of “space” available to connect further devices.
  • As of September 2013, Google reported that IPv6 connections had reached 2% of the traffic, doubling from one year before [3].
    What if you have no Internet access? Well, if you allow mobile phones to be used in your environment... a “disconnected” but Internet-enabled device might actually be connected to a mobile phone that doubles up as a “portable hotspot”, and therefore become connected to external resources.
    Besides devices that you could ask, in a “paranoid élan”, to be left at the gate before entering your premises, you also have to consider another trend: “wearable computing”. So far, watches, jewelry, backpacks, jackets are on the market and clearly advertise their “intelligent abilities”.
    You can also find embedded computing within everyday objects and items, evolving from what a few years ago was done in a bookshop in The Netherlands, where you could take any book, browse it while sipping a coffee anywhere you liked within the building, and then leave it on the nearest table: its RFID tag enabled staff to know where each book was.
    Almost a decade ago I discussed with a colleague the potential use of RFID to deliver special paper to Courts, so that the “lifecycle” and presence of each individual page could be immediately checked. In Italy, as shown by recent news items in 2013, it happened once in a while that whole case files “disappeared”, as most legal documents are stored on paper, and if you get unsupervised access to a storage room (due to staff cuts, it is possible), you can easily “wander”. Unfortunately, at the time this solution was too expensive.
    Companies are already scratching their heads about the issues involved in the use of devices such as Google Glass (and other “wearable” computing), from privacy concerns to potential liabilities.
    [3] http://www.internetsociety.org/blog/2013/09/ipv6-deployment-hits-2keeps-growing/
  • For the time being, wearable computing (e.g. what is “embedded” within clothes) is already being rejected in some areas, due to its invasive nature (basically, those close to a “wearable” computer feel as if they were within a reality TV show) [4]. For the time being: as mobile phone use within a business environment was frowned upon in the mid-1990s, when the Pan-European GSM network was rolled out, but eventually became possible even on planes, the same might apply to less visible pervasive computing.
    This new environment is here to stay, and any BYOD policy should cover not just current devices and technologies, but also the conceptual framework associated with devices that we cannot yet even consider, all covered by a simple concept: “Pervasive computing”.
    ICT services by definition support business activities, but usually there is a bias: the boundaries of the services are assumed to coincide with the boundaries of the physical office. Few of the existing policies consider the management of “sneaky computing devices”, such as printers connected via the Internet, a well-known issue in more “paranoid-oriented” environments, where some organizations use internal staff also to do maintenance activities on printers, copiers, etc.
    The current trend toward embedding computing capabilities within any electrically-powered apparatus, from the humble light switch to desktop phones, printers, and any office equipment, along with BYOD, is blurring the distinction between low-bandwidth remote or mobile services and onsite ICT access. A first step is the obvious disappearance of the “business hours” concept, for anybody within your supply chain, from suppliers to customers: systems' availability and monitoring should be considered a 24/7 issue, even if pervasive computing is at last actually bringing again to the fore the understanding that individuals need instead a balance between work and life, if they are to operate under the best (intellectual and physical) conditions.
    [4] http://www.businessinsider.com/google-employees-google-glass-2014-1
  • Anybody working in supporting and managing ICT infrastructure since the mid-2000s knows that the humble printer or copier connected via the Internet to your supplier is a security risk to be managed, but it is worth repeating. Each “smart” printer and copier is usually equipped not only with a network card, but often also with storage devices keeping, at a minimum, logs, and maybe even a copy of anything that has been printed, copied, or faxed.
    How many ICT infrastructure managers have in place a policy ensuring that those devices:
    - are properly configured and secured;
    - cannot be accessed by unsupervised external staff;
    - have their memory storage securely wiped before being moved, relocated, sold, or disposed of?
    What about devices outside your own control? Personally: I saw this “lax” attitude to confidentiality and security (to say nothing about privacy) not just with personal devices (what BYOD is about) but also in shops used for large-volume printing, over 5 years ago. When I asked to make a new copy of a document, the shop owner remembered that I had been there, and… printed from the stored copy!
    In many countries, most of the ways to “secure” those devices create a privacy and intellectual property issue, as your options usually include:
    - removing information once the connection is lost (by installing software on the device)
    - “remote wiping” and other administrative rights on devices that enable “containing” any data leak
    - monitoring and logging accesses and data transfers
    - monitoring the use of the device, to avoid the insertion of “Trojan horse” and spyware software
    - anything that you would usually do on a computer that is provided by your corporation to your staff.
    Soon, with digital circuits printed on paper using special inks (part of the “3D printing” activities), it might be that even a single piece of paper is in reality a computer peripheral (more about this in the next chapter).
  • 1.3. Ownership and control of devices
    The obvious issues related to devices involved in BYOD activities? Such devices:
    - aren't used exclusively for your own purposes
    - might contain confidential data belonging to others
    - could include software and applications that are unlicensed but used to operate services on your own systems
    - and if you lose the device, the data it contains might be lost forever
    It is doubtful that you can enforce your own security or password policies on devices that you don't buy, don't own, don't manage. A company could design and implement a BYOD policy enforcing e.g. remote wipe, but that would not protect from the interaction with other remote users of the same device (or even other devices). Example: consultants working for a company and some of the suppliers within the supply chain of your main competitors.
    While BYOD opens opportunities, enabling devices owned by a third party to access and interact with your systems implies not only that you apply constraints to how those devices are connected, but also that you have to add constraints within your own ICT services.
    Imagine that you are providing access to information about your “assortment planning”, components purchases, depletion rate, etc. This information is accessible in real time, and externally connected devices usually “synchronize” their information with your systems, e.g. delivery time for replacements or resupply rate. Such information is certainly useful to both you and your suppliers providing spare parts, but you cannot manage the lifecycle of information once it is released outside your own information systems.
    Moreover, portable devices lack the level of “business continuity” services that any PC or computer connected to your ICT systems is currently assumed to have: in many cases, if you reset the device, its data are lost forever (some devices even have a “secure wipe” function).
  • At the same time, if this information is stored on devices belonging to your suppliers, and then is used to inform their own information systems, e.g. to identify how often and how many spare parts should be delivered, you are exposing company-sensitive data about your production facilities to a third party, and assuming that they will manage the information that you shared with them with the same level of confidentiality that you would require from your own staff (avoid Bluetooth and Wi-Fi in public places, etc.).
    Thanks to the inherently hybrid (business and personal) use of these devices, the risk is that information about your actual turnover and operations can be accessible through unsecured channels (Bluetooth, Wi-Fi) to any third party willing to “listen”, or even that critical information is updated by an unauthorized third party.
    This would therefore require a careful re-assessment of any application and service that can be used by external users, e.g. by:
    - checking the type of device (and not just the access credentials)
    - “customizing constraints” on data, interface, features
    - requiring additional identification
    - last but not least, considering encrypting to the addressee any information that is transmitted.
    Many companies working on the development of software solutions using mobile devices discovered at their own cost what had been true in the past on any platform, before the standardization of Windows and Mac OS. Or: when you venture beyond the tried-and-true (e.g. just one type, model, version of device and associated software), you end up having, even within the same supplier, an endless list of options to consider when developing your own mobile-enabled processes, software packages, and overall services.
  • 1.4. A systemic perspective
    Instead of focusing on specific devices, introducing BYOD in your company implies adopting a different approach to software and users. A “systemic perspective” implies considering at least the following elements as part of the “BYOD delivery” environment, the same that should be assumed for any software development activity:
    - Devices
    - Users
    - Services
    - Channels
    - Information
    As hinted in the previous section, a systemic perspective should identify the minimal level of service available for each combination of those elements, and obviously the associated risks and “fallback positions”. Easier said than done, when you are considering devices that you cannot reach unless those carrying them around are willing to let them connect to your systems, instead of just sharing the same credentials (username, password, etc.) across multiple devices.
    Any user connected through traditional means, including portable PCs, can take a “passive” attitude, thanks to the nature of the software tools available and the stability of the environment within the device (e.g. the applications installed on each PC or the software update policies enforced). With portable devices this is not the case: therefore, a further element needs to be added to that traditional list, a continuous revision of the constraints and monitoring enforced by the users, e.g. to “compartmentalize” access to information.
    By using their own devices to connect to corporate ICT environments, users de facto accept to become extensions of those environments, and it should be acceptable to adopt a “transparent” approach to policing, i.e. whenever connecting, both the user and the device should be authorized for that specific service, delivered in that specific location, with a predefined set of constraints.
  • Some companies are actually turning BYOD into a compulsory practice [5], forgetting a small detail: contracts with telecommunication suppliers have to be restructured to “consolidate” traffic, if you really want to optimize costs [6], and your own traditional corporate security policies for mobile users could violate data privacy regulations.
    Again, a small example: if each one of the members of your staff has a monthly data allowance of, say, 1GB, how much of it is really used? And how much is billed for “power users” (those routinely exceeding that quota)? As is already the case with “intelligent meters”, it is actually possible, if you treat your Telco as yet another utility, to negotiate on a “consolidated traffic” basis, i.e. a monthly cost per user, but with traffic resources (minutes, messages, data traffic) “pooled”.
    Anyway: this also implies keeping your staff more involved and active in the use and management of their own devices than they were with ordinary desktop PCs, where “do not disclose your password and have a screensaver with password when not at your desk” was usually enough.
    More than a technical issue or technical training, it is a communication-centric orientation that starts with a training programme and continues with on-going reminders and a “listening function”, to get feedback from the actual users, as, with BYOD, it would be a waste of resources to build in-house abilities to deal with “cookbook recipes” for each potential device. It is still possible to then adopt specific models for some users who will be provided a “maintenance service” by your own ICT staff, but that would eventually become the exception. As discussed later, you have to deal with general principles, broad categories, and a two-way communication channel between your ICT staff and BYOD users [7].
    [5] http://www.cio.com/article/732676/Mandatory_BYOD_Heading_Your_Way
    [6] http://blogs.cio.com/byod/17816/infographic-byods-dirty-little-secret
    [7] http://www.cio.com/slideshow/detail/103232#slide1
  • Each corporate culture will have its own way of managing “continuous communication and training” activities, but a checklist of the basic elements that it should include might be useful:
    - a communication channel to inform users of planned system evolutions that could affect their use of their devices
    - an alert system to inform users of critical issues
    - routine “knowledge updates” on what could be of interest to users
    - a communication channel to enable users either to share information with ICT staff (to be then relayed to other users), or to receive answers
    A further element is tailoring the access to ICT via BYOD services to the specific level of ICT knowledge and willingness to get involved of each user, to be assessed before the services are activated [8].
    While mobile devices increasingly get closer to Arthur Clarke's concept that any technology advanced enough looks like magic, it is still true that this “magic” can be easily tweaked by any user willing to just push a few (virtual) buttons here and there. And all this, without necessarily then being able to get back to where it was (except by resetting the device, probably losing whatever was stored on it).
    When talking about “systemic” perspectives, often in technology and business activities there is a mistaken overlap with another concept: “controlled environment”. While a “system” is a closed ecosystem, the “systemic perspective of BYOD” has to consider each member of the system as one potential “gateway” toward other systems. Even if your own users were to use their devices only to connect with you and the Internet, there could still be plenty of opportunities to end up with “Trojan horse” applications added through applications that look just like any ordinary game or application.
    With BYOD, a “user profile” extends way beyond configuring access to applications, as you have to consider the “personality” of your users.
    [8] http://www.cio.com/slideshow/detail/103232#slide1
  • In BYOD, you could end up with “rules of engagement” so complex that users would eventually refuse not only to use their own devices, but also to use any device that is not physically connected within the walls of your organization. As for the communication and training practices discussed above, you have to tailor to your own corporate culture the appropriate balance between services and the nuisance of using those services.
    In my experience since the late 1980s on decision support, cultural/organizational change, and business intelligence, a technology that alters the way you work is more easily adopted if you have in house a “champion”. On BYOD, you have to consider that people will be used to interacting with multimedia, and maybe you can have a look at a simple communication checklist on video social media marketing, from a completely different industry (wines) [9], to get some ideas on what is involved. The key concept is “be credible in your commitment”: it might be through videos, emails, or just a collection of 1-page “how to” or “question and answer” sheets.
    If you search Google for BYOD, you will find plenty of manuals, rules, documents, presentations, movies, webinars. Do as you please, but remember that, as with other technologies I worked on (including introducing Web technologies in companies that were still skeptical about PCs, in the 1990s), a technological change is really a cultural (and often organizational, formally or informally) change. What could be acceptable if you were to work for, say, security services, would not be acceptable if you were to work for a bakery. Actually: even the former can have issues with plenty of “lost” or “stolen” portable devices with sensitive data, as reported continuously in UK newspapers while I was living there, more than a decade ago.
    [9] http://www.jeffbullas.com/2010/01/06/32-lessons-for-online-videosocial-media-marketing-success/#Eh876tZ8HQQ06SOB.01
Since the 1980s, I have often worked with companies and organizations that adopted the “hire the professional” approach to security, i.e. hiring former military and related security forces, while forgetting one small detail: they come from a different culture.

If you really want to benefit from that investment, your newly hired security expert should go through an “induction training” (not so different from what they had in the military etc.), to turn their wealth of knowledge and experience into something that is useful within your environment, your culture, and with your people.

An issue that specialists often forget is that the world is larger than their office (again, the need to be “systemic”): any user moderately exposed to technology already has plenty of data privacy issues to deal with, from cars[10] to mobile devices[11].

Each level of service, composed of data, interface, and features, should require a specific “access profile”, enabling constraints to be enforced.

This “balancing” will obviously be done carefully at the senior management level: maybe your CEO would like to use her/his iPad, but without too much technobabble, i.e. (s)he would probably allow you to install on that iPad anything that your ICT staff considers necessary to keep it secure anytime, anywhere; convenience of use is the key element (do not bother asking your CEO or CFO to enter 4 passwords and a PIN!).

At a lower level, to avoid the Snowden of the future, induction training should include BYOD awareness and profiling.

If you bother to define a BYOD policy that includes some security constraints, only continuous monitoring of the associated risks, and identification through “listening” of new ones as reported by your own users, will make it really work.

[10] http://www.faz.net/aktuell/feuilleton/vernetztes-fahren-das-geschaeftmit-den-intimen-daten-aus-dem-auto-12773929.html
[11] http://www.lemonde.fr/technologies/article/2014/01/28/ce-que-vosapplications-mobiles-savent-sur-vous_4355686_651865.html
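One way to turn the “access profile per level of service” idea above into something enforceable is a fail-closed posture check: each service level declares the constraints a device must meet, and a device only gets the levels whose profile it satisfies. The code below is an added example written for this page, not the author's own material: the service level names, the constraints in each profile, and the sample device postures are all constructed for illustration.

```python
"""Added example (not from the book): a tiered BYOD "access profile" check.

Each service level (data, interface, features) carries its own access profile.
A device is evaluated against every profile and receives only the levels it
satisfies. Missing or malformed posture attributes fail closed, so a device
that reports nothing gets only the public tier.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical service levels, ordered from least to most sensitive.
SERVICE_LEVELS = ["public_info", "internal_collab", "sensitive_data"]


@dataclass(frozen=True)
class AccessProfile:
    """Constraints a device must satisfy before a service level is enabled."""
    require_screen_lock: bool = False
    require_disk_encryption: bool = False
    require_mdm_enrolled: bool = False          # corporate management agent present
    min_os_patch_age_days: Optional[int] = None  # None = no constraint
    allowed_networks: Optional[frozenset] = None  # None = any network


# Assumed profiles: one per service level, each stricter than the previous.
PROFILES: Dict[str, AccessProfile] = {
    "public_info": AccessProfile(),
    "internal_collab": AccessProfile(require_screen_lock=True,
                                     require_disk_encryption=True,
                                     min_os_patch_age_days=90),
    "sensitive_data": AccessProfile(require_screen_lock=True,
                                    require_disk_encryption=True,
                                    require_mdm_enrolled=True,
                                    min_os_patch_age_days=30,
                                    allowed_networks=frozenset({"corp_vpn", "office_wifi"})),
}


def _violations(posture: dict, profile: AccessProfile) -> List[str]:
    """Return the constraints the device fails. A missing attribute is a
    failure (fail closed): an attestation the device never provided must not
    unlock a service. Only an explicit boolean True passes a boolean check."""
    out = []
    if profile.require_screen_lock and posture.get("screen_lock") is not True:
        out.append("screen_lock")
    if profile.require_disk_encryption and posture.get("disk_encrypted") is not True:
        out.append("disk_encryption")
    if profile.require_mdm_enrolled and posture.get("mdm_enrolled") is not True:
        out.append("mdm_enrolled")
    if profile.min_os_patch_age_days is not None:
        age = posture.get("os_patch_age_days")
        if not isinstance(age, int) or age > profile.min_os_patch_age_days:
            out.append("os_patch_age")
    if profile.allowed_networks is not None:
        if posture.get("network") not in profile.allowed_networks:
            out.append("network")
    return out


def evaluate(posture: dict) -> Dict[str, List[str]]:
    """Map every service level to its list of violations ([] means allowed)."""
    return {level: _violations(posture, PROFILES[level]) for level in SERVICE_LEVELS}


def allowed_services(posture: dict) -> List[str]:
    """Service levels this device may use right now."""
    return [level for level, v in evaluate(posture).items() if not v]


# Constructed sample postures (illustrative, not real devices).
CEO_IPAD = {"screen_lock": True, "disk_encrypted": True, "mdm_enrolled": True,
            "os_patch_age_days": 12, "network": "corp_vpn"}
PERSONAL_LAPTOP_ON_CAFE_WIFI = {"screen_lock": True, "disk_encrypted": True,
                                "mdm_enrolled": False, "os_patch_age_days": 45,
                                "network": "cafe_wifi"}
UNKNOWN_DEVICE = {}  # no posture reported at all

if __name__ == "__main__":
    for name, posture in [("CEO iPad", CEO_IPAD),
                          ("personal laptop", PERSONAL_LAPTOP_ON_CAFE_WIFI),
                          ("unknown device", UNKNOWN_DEVICE)]:
        print(name, "->", allowed_services(posture), evaluate(posture))
```

The violation list is what makes the profile usable for the “listening” the author asks for: it tells the user (or whoever supports them) exactly which constraint blocked a service, instead of a bare refusal, and it gives the ICT staff a per-constraint count to monitor over time.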
1.5. Managing (i.e. “governance” of) the BYOD risk

As discussed in the previous section, a policy that enables users to use their own devices to connect to your corporate ICT systems should be tailored to your own corporate culture. Generally, it should be obtrusive and repeated often enough to be remembered, but not so much as to discourage the use of devices: it has to be remembered and followed, not ignored or laughed at.

Whenever a process is considered at a systemic level, each component activity has to be assessed against at least the following elements:
• Degrees of freedom, i.e. your level of flexibility vs. the environment where the process is executed
• Actors involved, i.e. who contributes to the execution of the process
• Stakeholders impacted, i.e. who could influence or be influenced by the process
• Etc. etc.[12]

Besides the benefits, this process identifies a set of risks that must be:
• Assessed: as you can only manage what you know, you need to know it
• Managed: as what you know to be potentially critical has to be managed to maximize the potential benefits while minimizing the risks
• Avoided: as in some cases a risk is unacceptable, and it is better to circumvent it, whatever the cost
• Accepted: whenever the cost to avoid or manage the risk is excessive if compared with the potential business impacts.

Whatever your current assessment of the risks associated with your BYOD policy, you will have to monitor them as you would any other risk, with an additional twist: you have to include a degree of “delegation” to the users (or somebody supporting them).

[12] Suggested reading: “Managing Successful Programmes – 2011 edition”, TSO, ISBN 978-0-11-331327-3, Part 1 and the introductory and ending sections of each chapter within Part 2
Monitoring has a purpose: to optimize your allocation of resources, e.g. to lower the time devoted to controlling a risk that used to be classified as “to be managed” and becomes “to be accepted”.

Obviously, there are plenty of methodologies around describing how to measure and control or “manage” risk, and probably your organization has its own risk management framework, e.g. due to compliance issues related to SOX or, in the financial industry, Basel III.

In the end, introducing BYOD requires a different attitude to change[13], which can be summarized as: get used to permanent change[14] (as I have said to my customers since the early 1990s).

Corporate processes are usually designed to be scalable, e.g. in a large multinational corporation BYOD processes at HQ are designed considering also the needs and structure of branches, or the use of external suppliers. A note of warning that is an invitation to a “reality check”: sometimes there is an overestimation of the resources available in remote areas, with processes designed assuming that staff members are allocated full-time to each process, while the typical remote staff member “juggles” multiple roles.

A purely quantitative approach to the risk associated with business policies is often a figment of the imagination, i.e. some “subjective” or “qualitative” assessment is made, converted into a number, and then computed as if it were objective. Suggestion: always question the underlying method used to identify a specific “risk value”, and advocate tailoring to your own specific environment, starting with the same line of reasoning used to identify the value, not just “fairness issues”.

[13] http://www.slideshare.net/robertolofaro/bfm2013-knowledgebasedorganizational-change
[14] http://www.torbenrick.eu/blog/change-management/is-changereadiness-the-new-change-management/
2 TOMORROW

2.1 Coping with the future

As previously discussed, developing a policy to manage current and future devices is not an option: devices are here to stay.

We do not know yet how far “pervasive computing” will go: former Vice-President Cheney had in the past the wireless function of his pacemaker disabled, as there were fears of a potential attack from hackers[15]. Welcome to the Internet of Things (IoT) and a new definition of critical national infrastructure that could become a target during a “cyber-attack”.

It should be just a routine check in the XXI century: if relevant, identify potential sources of trouble, including wearable computing, as this is basic “risk management” (I have already often expressed online my skepticism on the “management” part; see section 1.5 in this book).

Yes, your own clothes and any accessory that you wear could soon be equipped with a computing device that “talks” with your environment, and provides anything from information about their use to a log of the places that you visited (courtesy of the ever shrinking size of GPS receivers).

[15] http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/21/yesterrorists-could-have-hacked-dick-cheneys-heart/
Or do you think that it makes sense to “secure” smartphones that could act as tracking/homing devices, while ignoring ubiquitous computers, i.e. the controlling equipment within your car that could be misused? For the paranoid: if computers control everything in your car, hacking could imply activating the wrong feature of your car at the wrong time.

When we talk about devices, we often assume evolutions of what we are used to: from USB keys to evolutions of personal communication products. Instead, not too long ago a startup released information about a supposedly non-invasive surgical procedure to insert a pacemaker based on nanotechnology, through a catheter[16].

Even if you choose to consider that printable devices (e.g. using graphene-based ink[17]) belong to science fiction (they don't), you can see all around you devices that looked like science fiction barely a decade ago, and whose storage capacity is counted in dozens of gigabytes. Moreover, a recent article in a magazine from an engineering association showed how you can make your own “electrical ink”, i.e. how to create devices whose origin is completely untraceable.

So, as a cottage market of “blueprints for 3D printers” and other self-made devices is developing, forget even the traditional way to have “well behaving” devices: ensuring that suppliers would risk their business if one of their devices were identified as designed to support misuse.

We have started to see almost invisible devices able to store vast amounts of information for mere pennies, or even devices embedded in clothing (to say nothing about prototypes[18]) that can be added as a second skin.

[16] http://www.techandinnovationdaily.com/2013/12/05/worlds-firstwireless-pacemaker-approved/
[17] http://spectrum.ieee.org/nanoclast/semiconductors/nanotechnology/graphenebased-ink-promises-future-flexible-electronics
[18] http://spectrum.ieee.org/tech-talk/semiconductors/materials/tissuethinelectronics-that-float-on-the-breeze
In October 2013, The Wall Street Journal reported that “68% of employees say their organization doesn't take steps to ensure that employees don't use competitive information”.

BYOD in the future will not necessarily be intentional: already in the early 2010s some clothing was revealed to contain RFID. To say nothing about shops offering as a service to VIP customers to “chip them up” (i.e. to put a chip under their skin), so that their purchasing history and status could be visible to any of their shops.

A gigabyte, the minimum amount of memory on any device these days, might be too small for next generation videos, but it can accommodate most databases holding enough sensitive business information to affect the long-term business viability of any organization losing it.

In the near future, all these “new” technologies will become ubiquitous, and it will be next to impossible to identify devices, as they could be embedded in any object. Moreover, you will not necessarily know that you have them along with you, as “wearable computing” does not need to be a choice: stores routinely add RFID labels that aren’t removed from what you buy.

In a few years, it will be really cheap to mass produce chips using various technologies (from recharging by induction to reusing your kinetic energy) to power them up, and “embed” them within any object. Each one of those devices will be constantly collecting and exchanging information, and will maybe even carry its own IPv6 identification, available for a “hook-up” with any device with an open connection.

By 2020, when 5G will be available in many countries[19], journalists will be able to disclose confidential ongoing negotiations by simply using in-house capabilities to “track down” clothes bought by, say, the US Secretary of State, and monitor 24/7 when and where they appear online.

[19] http://www.lemonde.fr/technologies/article/2014/01/22/la-coree-dusud-investit-plus-d-un-milliard-d-euros-dans-la-5g_4352231_651865.html
If you think that that scenario is, again, science fiction, think again: extending the access points for “contactless” payments and wireless implies that you will never be too far away from devices able to read whatever the devices that, willing or not, you will carry on you (literally) will “broadcast”. And who decides which information is relevant? We have already started having the first “spam” delivered by… house appliances[20]!

Instead of considering all these devices as “Internet-enabled”, i.e. able to pass information across the network, and monitoring them accordingly but surrendering to the idea that you have lost control and are living in a “glasshouse”, at least in business environments you could do something better.

Internet 1.0 was passing data packets around, while Internet 2.0 should be able to trace each packet. The new architecture proposed for the Internet-outside-Earth is based on a “catch-and-release” approach, so that data packets to be sent from A to B are held until device B is able to receive them.

For the time being the availability of software managing these features is limited, but by 2013 most portable devices had enough computing power to enable them to act as “Wi-Fi repeaters”, which could add a further threat: an embedded “catch-and-release” architecture in mobile devices provided by unreliable sources (or just sources trying to extract more revenue), with data being collected during the day, and released when it is less conspicuous.

A corporate solution merging the 5G (1GB per second, i.e. downloading a movie in one second!) availability with the new architecture could be to “loan”, “rent”, or “buy” communication resources from Telcos, but to reroute traffic through your own servers, i.e. having “unencrypted” traffic only within your own private network. This would also allow you to dynamically buy from the most convenient provider the resources needed, if and when needed.

[20] http://bigbrowser.blog.lemonde.fr/2014/01/22/guerre-froide-lesrefrigerateurs-aussi-peuvent-envoyer-des-spams/
2.2 Impacts on the delivery of ICT services

The increased use of mobile devices will make any new “private-corporate” mixed use device constantly exposed to external accesses. Moreover, consider the expanding number of channels for micropayments: how do you manage security when your own staff can use your own servers as a “bridge” to reach, with encrypted transactions, servers that supposedly deliver e-cash services, but could just be Trojan horses to open up channels between your computers and somebody beyond your “security fences” (firewall, etc.), and transfer data that your system cannot identify?

A devious mind could think that, in the future, the best way to have a successful second job as an e-cash money launderer is to have a job in a large corporation that manages intense traffic on the web, including micro-e-payments: whatever (s)he does will be the famous needle within a larger haystack of… needles.

If you wonder how these quixotic diversions can develop in my mind… it isn’t just a couple of decades in and around banking, their providers, and software to report, control, monitor, audit, etc. When drafting a book, moreover when writing something about potential issues, nothing is a better provider of “serendipity opportunities” than sitting in the middle of a (relatively) quiet public library within the “reference books” section.

Ubiquitous computing will require the same “cross-domain” approach whenever designing a new service, while also increasing the need for more people used to straddling the divisional and functional boundaries, constantly updating their own knowledge, and possibly still retaining a highly developed, absolutely shameless curiosity.

Moving your ICT to the cloud isn’t simply a technological shift, as you must adapt your SLAs (Service Level Agreements) and associated OLAs (Operational Level Agreements). Actually, your own organization could end up being a structure whose boundaries are “on demand”, integrating external elements that aren’t completely (or at all) under your control, or for your exclusive use.
Looking from a historical and “hands-on” perspective that starts with time-sharing, evolves with in-house computers and data centers, continues with outsourcing, and ends up with “on-demand cloud scalability” (i.e. get the resources when needed and be billed accordingly), there is a constant trend.

We moved from a need to accept a certain degree of lack of transparency in the use of resources (to enable time-sharing providers to manage their own “way” to deliver your services), except for billing purposes; to complete control (in-house); to a degree of control with outsourcing (e.g. through SLAs and OLAs that created a set of constraints for all those involved); to limited control with ordinary cloud.

All this converged on the adoption of “standards”, but the global nature of those services implies that you then need to have a degree of trust in the ability of your suppliers to deliver, as enforcing a standard by law globally across your supply chain is, for the time being, a pipe dream.

At the same time, the memory of portable devices is increasingly becoming coupled with a decreased transparency in its use, as shown by questionable practices by both phone makers and other service providers.

In the future, more objects and accessories, through the “Internet of Things” (IoT, see section 2.4), will communicate with devices in their environment. A key issue will be how to make your own environment less “chatty”, i.e. providing what is needed, when it is needed, and only to those and for as long as it is needed.

Any technological innovation since the introduction of “remote communication without loss of information” (telephone, fax, etc.) altered decision-making processes; some would even say that those changes actually enabled modern corporations. Personal Computing was no exception, thanks to the ability to deliver information-processing abilities to any desk, while BYOD, coupled with innovations in communication networks, could probably force a further and more dramatic redesign of business processes.
What happens if not only your customers, but also your own staff can access your services anywhere and at any time, as discussed in the first chapter, but without knowing that they are doing so?

An interesting development is the lowering in cost of various “telepresence” solutions. We haven’t yet reached the level of development described within Clancy’s “Netforce”, but it is only a matter of computing power and network speed plus reliability; maybe by 2020, with 5G.

If your workforce is mobile, even the “office” concept has to change, and there are already signs of new trends in HR management, e.g. trying to redefine the acceptable boundaries between the private and business life of your own employees, to avoid information overload, excessive “instant reaction” attitudes and, of course, just plain exhaustion (to say nothing about fraud, intellectual property theft etc.).

In many business environments, over the last couple of decades I often observed an increase in the resources used to deliver more information more often to more people. Maybe my perception is distorted, as I also worked for a couple of decades on business intelligence, data warehousing, and decision support or management reporting projects, but it cannot be denied that widespread computers within business organizations increased the amount of data that we provide to our suppliers (State included), sometimes as soon as it is received.

Did this quantitative increase improve the quality of decisions? Frankly, in many cases I saw that more data lowered the quality of decisions, as data was often converted into information (i.e. connected to existing information) mainly using “static”, “true and tried” schemas (reports, dashboards, KPIs, etc.) that are based on past experience (including from other sources, the so-called “best practices”), striving to achieve a “steady state” instead of focusing on performance; there was never enough time to “think it out”.

Adding more information and faster ways to integrate with further information, while cutting down on the time devoted to understanding, generally creates an “instant reaction” attitude, while lowering the feeling of “ownership” of the decisions taken.
In some cases, this happened even when, by accident, data were mixed-and-matched in the wrong way: few managers dared to complain, even if many had perceived that there was something quixotic in that information. It isn’t just cloud- and “Big Data”-related: Enron provided information that was formally correct, but few analysts questioned its ability to really describe operations, i.e. its credibility.

“Peer pressure” is often the best enemy of innovation, and it doesn’t take that much to convert “team spirit” into “team stasis”, where continuity of the team is more important than the task for which it was set up.

In reality, a technology dumping massive amounts of data on managers that are still trained, coached and measured using approaches developed for less technological, less data-intensive times is bound to generate a constant “re-assessment”. “Big Data” does not generate “big decisions”, but eases generating “big blunders”, as mere humans find themselves in a larger forest of data whose boundaries they cannot identify.

Some companies managed to embed the 1990s “learning organization” mantra within their structure, but many simply used a shortcut: becoming the early adopter of any new technology, and then trying to cope. Alternative approach: wait until others get burned, benefit from the lessons that they learned, and then adopt and adapt those lessons. I am obviously referring to the usual “adoption attitude” model: innovators, early adopters, etc. (see any marketing book).

Frankly, neither solution is really useful: the former risks moving from crisis to crisis generated by technological prowess that has no relevance to the business; the latter risks missing plenty of opportunities, as “fence sitting” in business often implies accepting to enter only when something is mature, i.e. when the costs to enter are higher and margins are shrinking.

In my over a quarter of a century of experience with various industries, technology often had a chance to be an enabling factor, but that opportunity was turned into reality only provided that customers accepted to cope with reality, i.e. to have a clear assessment of where they were before deciding to embrace a technology.
As an example: ERP is neither positive nor negative “per se”, but certainly those organizations that I met that were able to identify which parts should be used “as is” and which should be simply avoided had lower costs and faster reaction times than those who simply took software that they assumed would solve all their problems, and then… tried to convert the software into a Xerox of their own pre-existing culture.

Even better: when they tried to “adapt” whatever they had bought, often those delivering the alterations (often, teams of consultants) were provided with ideas, needs, etc. based not on the real, informal organization, but on what had been formally identified as the culture of the organization.

Trouble is: technology isn’t yet really as smart as any ordinary human, i.e. only in few cases can technology adapt itself to a changed environment, and if you start with false assumptions, it is highly improbable that you will end up with the results that you had expected (the “garbage in, garbage out” paradigm).

My first projects introducing technology were at a time when even large organizations were still moving from paper-based transactions to computer-based information, through the introduction first of “dumb” terminals (glorified green-and-white glowing cathode-ray tube TVs coupled with a keyboard and zero memory), then PCs, then connected PCs, and eventually various degrees of “beyond the corporate walls” integration, obviously leading then to the Internet.

What most people forget is that 5G, devices with tens of GB of memory, and “office-less” activities assume easy access to the computing resources needed to integrate the information in your pocket with information relevant to your company and your business environment.

Cloud computing often recalls the 1960s/1970s time-sharing providers (I saw them fading away in the 1980s, when I started working), when few companies could afford to buy their own computing resources, and instead they bought “CPU time”, “lines printed”, etc. There is an obvious difference: now it is a choice to increase flexibility and reduce your capital expenditure (e.g. you will not have to bother with hardware upgrades). If you add the BYOD approach, i.e. user devices owned by users, you can further lower your investments in hardware.
Obviously, if you followed the previous pages in this section[21], you understand that I advocate a really simple approach: do not just wait, but have somebody that can give you leads on “what’s going to happen soon”.

You can have your ICT department subscribe to various “research” sources, but not those who are good at “forecasting the past”. You can even consider sponsoring members of your staff so that they join online or local chapters of various associations that “keep an eye” on the market, science, business and political or social trends, technology, etc.

Obviously, the optimal choice, in my experience, is to have somebody on your staff that knows your business and has access to a network of experts that (s)he trusts and that are developing, using, and delivering what they can provide expertise on: a business expert able to “bridge” with “domain” experts, from your own corporate culture perspective.

In the end, adopting a technology “obtorto collo” (e.g. simply because others do), as often happens with BYOD, or by following “trends”, without first assessing how that is going to impact also on your corporate relationship with your stakeholders, is never a good choice.

Where should you look, if you are just trying to assess trends? At a minimum, articles on trends and research that could generate “spillover” effects on businesses and are written for human beings appear in[22] IEEE Spectrum, Infosecurity, and CIO Magazine. Caveat: it is better to have a senior manager glance once in a while at those resources than to staff the “trend spotting” activity with a bunch of interns or junior staff members with almost no understanding and experience of budgeting and your business, churning out a daily report.

[21] A more detailed discussion is available within the online book “BFM2013 Knowledge-based Organizational Change”, that can be read for free on http://www.slideshare.net/robertolofaro, or bought (paper and Kindle) on Amazon
[22] http://spectrum.ieee.org http://www.infosecurity.co.uk http://www.cio.com
2.3 Business architecture and “virtual” ICT systems

As discussed above, when computing and ICT become “virtual”, you also have to redesign the complete “supply chain” of Information Technology, from the concept of “purchasing” (hardware, software, services, and even staff) to that of “design”.

In the XXI century, designing a business architecture and operating model for a company within a developed economy while ignoring ICT would be at best an act of lunacy. But equally unusual would be to ignore some risks that are specifically linked to your limited ability to control when, how, and even who will use your systems[23].

As an old cartoon from the beginning of the commercial Internet said, “on the Internet, nobody can say if you are a dog”: identity is associated with credentials, and credentials, beside the potential for forgery, can also be “loaned”, e.g. when a staff member asks a colleague to complete a task that (s)he should complete.

Any business, no matter how small, will need to cope with a mix of technologies and channels through which your users will exchange information with your information systems. Moreover, you can still use external providers (outsourcing, BPO, cloud) to deliver the service, system integrators to design it, etc. But, in the end, either you will pay somebody to convert into digital form what you keep managing manually, or you will run afoul of an endless list of regulations, no matter how small your business is.

Until recently, various competing or partially overlapping standards (e.g. COBIT, TOGAF, ITIL) were chosen only when you were required to, e.g. for suppliers in specific industries, or whose customers were, in turn, certified against a specific standard.

[23] http://iq.intel.com/iq/41823153/making-wearables-a-tool-for-trust-andtogetherness
Moving toward a “virtual” approach (e.g. Cloud and BYOD) in your ICT management activities could benefit from having a common “lingua franca” for both your suppliers and staff. A typical example is the use of TOGAF[24]: you can design your own business and ICT systems architecture using your own “in-house standards”, but it will be easier (and cheaper) to compare offers and recruit suppliers and staff that will immediately be able to understand what you are willing to do, if your organization were to adopt (and adapt) TOGAF.

As discussed in the previous sections, you will need a permanent knowledge update: gone are the old mainframe and pre-Windows times, when you could have a “refresher” once or twice a year (and even IBM, Microsoft, Oracle, Sun, etc. used to hold conferences once a year).

The standardization across infrastructure that was delivered by the Internet and personal computing enabled a less centralized approach to technology updates and enhancements, including on the market. Add Android, and you can have a new device anytime anywhere, adding features based on sensors, memory, antennas, etc., including technologies that will be interacting with your users’ devices before they even know that they have access to these new “features” (nuisances would often be a more appropriate name). As an example, consider a recent discussion on a new wireless technology that connects devices just by pointing at them[25].

Obviously, any standard has to be “scaled up/down to your needs”: if 10% of a standard is what you need to have a “lingua franca” that satisfies your needs, just state so, e.g. in your requests for proposals (RFPs), instead of doing the typical “naming customization”, i.e. taking a standard, keeping the parts that you need, and renaming everything.

[24] A short introduction and history is available within http://www.librarything.com/work/11951174/book/90062908
[25] http://spectrum.ieee.org/tech-talk/telecom/wireless/new-look-and-linkwireless-technology-enables-devicetodevice-links-by-pointing
As an example, have a look at the Cloud Security Alliance website[26], outlining a shared framework not just on cloud security, but also on the architecture of cloud-based services and applications.

A further element to consider is that you will need to design these new mixed service architectures adopting a systemic approach (see section 1.4), where each element is associated with a specific “degree of freedom”. Whenever an element is added or considered as potentially available, you will need to assess it not just by using the traditional “risk management” approaches, but also by mapping out the degree of integration of those components, their potential impacts, as well as how much control you have on each component.

Risk mitigation and risk avoidance usually require compliance with specific procedures, procedures that you can really expect to be followed at best only within your own office buildings. As shown often in the past (e.g. stolen portable PCs, etc.), as soon as a portable computing device leaves your corporate environment, even the most paranoid members of your staff will eventually lower their guard and misuse it.

Since Enron and other scandals, regulations often do not require just a pre-defined result, but focus also on the internal processes that you must adopt. More information on the issues related to various forms of “outsourcing” or externalization of your activities is available on Slideshare[27].

Before outlining how to manage these external factors, a short “blue sky” discussion on the “Internet of Things”.

[26] https://cloudsecurityalliance.org/
[27] http://www.slideshare.net/robertolofaro/bfm2013-knowledgebasedorganizational-change
2.4 Internet of Things: a “blue sky” perspective

You are used to an Internet connection based on a choice to connect a specific device, but that is no longer the case: IEEE societies have routinely organized “Internet of Things” (IoT) events since at least the early 2010s. The Internet of Things allows anything with a power source to be connected to the Internet: IPv6, the underlying technology, expands the pool of IP addresses; potentially an individual IP address could be assigned to any present and future device, no matter how small. The real value of the IoT requires a further element, i.e. widespread and cheap access to communication networks, and obviously access to power sources.

If you have all these elements, you can then start to design and identify new services, e.g. have a fridge talk with your supermarket (or check prices with many) to keep your stock of milk, etc. always at the optimal level. In a corporate environment, this could make it possible to reduce the number of, say, chairs, tables, computers, software licenses, by continuously and automatically monitoring their usage: almost a return to the old “timesharing”, with an “ICT systems on a pay-as-you-go” model, extending beyond cloud computing or the “as a service” alphabet soup (SaaS, PaaS, IaaS).

Anyway, while the “old” ICT had budgets and required investments that could sit unused for a while, the new, brave world of “virtual infrastructure” that you witnessed in the first decade of the XXI century was a mere beginning. In the future, prices will probably be “adjusted” on a continuous basis, and the widespread adoption of standards, maybe with more powerful watchdogs holding a technological equivalent of the powers assigned to the “preventive police” in a famous movie, will be a huge incentive toward adopting a more proactive approach to the management of services, suppliers, etc.

Basically, this could introduce capacity planning based on continuous monitoring not only of prices, but also of risks, e.g. by looking at how watchdogs assess a supplier's failures to comply with some technical requirements (say, availability of capacity or disaster recovery facilities).
Capacity planning could actually end up taking a page from “day trading” plus portfolio management, or even recycle ideas and software from the retail industry and its “assortment planning”, but extended to anything that can be delivered “on demand” (including people for positions that require limited or no training to become productive, i.e. both low-end and highly-specialized jobs).

Technology-wise, there is a small catch: the administrative hurdles involved, as some companies already discovered when they gave their employees some flexibility in using their own mobile phone or tablet for business purposes. You cannot know which device will be available in, say, 10 years, but you can design a policy based on positive choices, by identifying who can access what and how, without the need to provide “access keys”. A badge, a password, a token generator, or other access tools would need to be recalled, collected, disabled, and could be transferred to an unauthorized third party. A personal device with its own individual IP address, maybe even associated with the IP address specific to that individual, could completely alter your concepts of access and identity management.

Yes, if IPv6 allows a connection with anything that has a power source, or that is able to obtain the energy needed to communicate with other devices from the environment, why should people be exempt from that? It is just a matter of a badge that takes its energy from our kinetic energy[28], and you can imagine that, in a not-so-distant future, “identity theft” could take on a very different dimension. Already in 2014 some hotels are starting to accept mobile phones as a replacement for keys, and soon the integration with banking services will enable true “mobile banking” (e.g. in the UK a German telco registered with the financial authorities a few years ago).

[28] http://www.lemonde.fr/vous/article/2014/01/28/le-corps-humainbatterie-electrique-de-demain_4355913_3238.html
A further expansion that could create some issues is the expansion of “virtual currencies”, which are increasingly (and illegally, as in many countries legal tender can only be that issued by the State) being used also in real-life transactions. There have been various attempts in the past (e.g. Second Life’s Linden), and in 2014 the current rage is Bitcoin, which is starting to turn out like the others, i.e. raising indictments for money laundering[29] and complaints due to lack of transparency on the value and the underlying. Incidentally: running afoul of regulations covering those issues isn’t that difficult, when you provide a way to set up untraceable transactions whose value is based on a fight between computing resources crunching numbers to “mint” new coins (and certainly organized crime has access to the resources needed to play that game: a cheap and safe way to “wash” money).

Acceptance by the public could take forever, but a few regulatory incentives here and there (e.g. expanding the use of “plastic” money to fight counterfeit banknotes and coins, as well as a way to avoid money laundering) are already making cash a nuisance, and any form of electronic payment more the norm than the exception, also in the old Europe.

IoT obviously has a side-effect: it could destroy your privacy and confidentiality, as any movement of any device could be traced. Having mobile devices based on operating systems such as Android, shared by countless devices produced by suppliers worldwide, can actually create a completely different set of issues. Any device comes with miniature sensors, and “Near Field” technologies extending the RFID paradigm could end up knowing where each individual page of each individual document is within your building (to say nothing about people), and share that information.

IoT will anyway create new ICT management issues, e.g. it will become impossible, even for the smallest company, to keep track of devices, unless they use automated software packages.

[29] http://kommersant.ru/doc/2394172
At the same time, it will simplify asset and license management, and granting or denying access to specific individuals, as you will be able to know which “set” of devices is associated with which individual, and you could instantly disable or enable access.

The potential issues associated with IoT and social networking[30] have already had an impact on regulations, as privacy frameworks are converging on a global scale, as shown by the EU (which evolved from a general framework implemented locally in each Member State to a shared regulation that is applicable EU-wide). A further challenge will be the real integration, on a global scale, of privacy frameworks, including watchdogs.

The opportunities are endless, as continuous communication between moving devices might help to improve the design and planning of shared resources and public services, and create new business opportunities just by using already existing resources more efficiently. An example? You have a smartphone which comes with more computing power than 1990s desktop computers. When you commute, you and thousands of other proud owners of iPhones, iPads, and Android devices use only a minimal amount of the computing resources available. What if, thanks to your 24/7 connection, your device were to “share the time” with the network, so that your resources generate revenue (at least social revenue, by reducing the need to invest in infrastructure) through sharing with the network, or by “advertising” to the local antennas the amount of resources available? If you think that this is a “pie in the sky” idea, think again: without the “economic side”, that approach was already tested as long ago as 2012[31].

[30] http://www.slideshare.net/robertolofaro/business-social-networkingpart-1-cultural-and-historical-perspective
[31] http://www.gizmag.com/citisense-air-quality-monitor/25512/
2.5 Essentials of a dynamic security policy

The key element? A different, dynamic, systemic approach to security policy development, management, enforcement, and evolution: have a look at the previous pages, and you will find most of the material needed to author this section.

This short book uses the introduction and management of BYOD and IoT as a “business case” in a workshop on what introducing a technological change that requires cultural and organizational change implies. Therefore, this section contains only a sample checklist that you can expand and implement to make your BYOD/IoT policy adhere to your own cultural and organizational needs (e.g. see online a description of the approach used within the workshop[32]):

- Motivation: Are you choosing to create it, or has it been imposed by external sources?
- Stakeholders: Did you research and identify all the stakeholders involved, and the impacts on their activities of introducing BYOD?
- Degrees of freedom: Have you assessed the tolerable level of control that you can keep over those “personal” devices, e.g. according to privacy?
- Control: Can you enforce rules to monitor the use of connected devices?
- Management: Do you have the ability to update the policy and, accordingly, modify the corporate resources “on loan” on those devices remotely and instantaneously?
- Compartmentalization: Did you define rules per domain, including how to evolve them within the general policy and within each domain?
- Decision points: Have you identified who will be the reference decision maker in each unit?
- Communication: Have you defined how to communicate and ensure feedback, e.g. to update the rules or to add new device-specific rules?

[32] http://www.slideshare.net/robertolofaro/are-you-ready-for-change-workshop-presentation-and-concept