Bring your own risk?
There seems to be a little disagreement on the Interweb about the meaning of the term "BYOA". To be fair, it was inevitable that the "BYO" tag, having been successfully applied to BYOPC (bring your own PC), would find greater use beyond the domain of desktops and laptops. Indeed the more generic term BYOD could be seen as a more accurate reflection of the growing numbers of non-corporate mobile devices in use in business situations.
From a security and compliance perspective, neither bodes particularly well. Anyone old enough to remember the arrival into the enterprise of Microsoft Access knows the challenges that caused by having pockets of unmanaged data springing up are nothing new. The difference now is three-fold:
- First, unauthorised applications may be running on unauthorised hardware
- Second, devices are mobile by their nature
- Third, the "apps" in question are frequently little more than front-ends onto cloud-based services.
Another, underlying difficulty is in the way such apps are adopted. When we referred to below-the-radar technology adoption in the past, it was possible to see it follow a half-structured process. In the case of Blackberries or Salesforce.com, for example, a department might run a pilot and then adopt a solution, then expect IT to take over when things became too complex.
In the "A=app" case, however, things are far more fragmented. People try stuff out; they suggest it to their colleagues; they use it for a while and then move on to something else. Of course there may be examples of more structured adoption, but these will be cluttered by the noise of experimentation and chit-chat about, say, a "simpler" way of managing tasks.
The difference between "bring" and "build" adds another layer of complexity to the situation. "Bring" happens in all cases - and the chances are that "build" will refer more to a level of customisation than any down-and-dirty application development. All the same, this can change the data being manipulated - for example the addition of a custom field concerning a customer's personal information may turn an innocuous application into one which needs a higher level of protection.
The challenge, as ever, is for IT to decide what to do in the face of mounting pressure from the business wanting to do things for itself. No doubt there is competitive advantage to be gained from using certain apps in a certain way, but equally, there will be distraction and risk in equal measure. If there's one thing we can learn from history, it's that BYOS, that is, bring your own security, isn't likely to be a facet of business any time soon - and IT will be left carrying the can if and when things go wrong.