I just stumbled upon a couple of great articles over at my friends Mobile Enterprise Magazine talking about who owns the device that's glued to your hand and/or head. The first article (a very good read by the way) was a bit of a WES recap - focused on one of the sessions that took place there. The follow-on article was based upon a poll that Susan Nunziata took of MEM readers. It got me thinking about how complex the whole question of who owns the device is...and also what the implications are to an organization in terms of Governance, Risk and Compliance (GRC).
So let me start off by saying that I actually don't fully agree with Susan's methodology for her poll (Still love ya, Susan!). Ownership/reimbursement of mobile devices and services has (too) many permutations. The ones that instantly come to mind are (I'm sure there are innumerable variations that I have overlooked):
- Completely corporate liable - Someone gave me a device and I never see the bill;
- Personally liable, corporate reimbursed #1 - This one's great. I buy a device, I expensed that cost and then expense the monthly contract, but it's all under my name. Basically, only my boss has a clue what I am doing (and even that's not guaranteed);
- Personally liable, corporate reimbursed #2 - A variation. I still pay for the device myself, but my company only gives me a fixed amount per month. If I'm smart, I'll actually find a way to make a couple of bucks on that deal (I'm cheap like that); and
- Completely personally liable - This is what my incredibly generous former employer did. I pay for the device myself and that's it. Vaya con Dios.
The fun begins especially when there's no one answer within a company. A company I worked at a few years ago had a policy where the old boys network, uhm, I mean the executive team, never saw their bills (even though they would rack up $1,000 in roaming charges in a couple of weeks), while shlubs like me got a monthly stipend. Let me now exacerbate the "fun" when I throw into the equation the fact that in each of the four scenarios above, I'm hitting (at the very least) the Exchange server. It's so easy. Username.....password...domain. I'm on. It's obviously a different matter if I am using a BES or if the company has something like Good Messaging.
But it gets worse. Susan's second article is dead on when looking at the pain points from various approaches. This is exactly the chaos that companies are dealing with. I'm not suggesting that any of the four options in terms of financial liability is best. However, a company MUST develop business and IT policies that it will actually enforce. Some of the research I just published shows that only 1 in 2 employees on average follows IT's policies around device selection and procurement methods. Gotta love it.
This is why I believe the best course of action is for a company to develop something along the lines of what Ameriprise has done. Employees can pick from a set of supported platforms / devices. At the end of the day, companies need to find a balance in terms of how they support devices. They have to make a decision around what extent they will cover and support the devices and service. There's no right answer and there's no wrong answer. The same, however, does not apply to the data that either lives or passes through that device. That's 100% the company's data - even if you choose to use your corporate email for personal use (bad idea, by the way).
Here's where GRC kicks into high gear. Your company can and should have the ability to do whatever the hell it wants from a policy perspective with regards to the data on "your" device. This especially applies to industries such as Finance and Healthcare that MUST comply with certain key regulations. That's somebody else telling them "tough cookies, pal." If someone is saying that to them, I can guarantee they'll be saying it to you too. Learn to deal.
And that's the rub right there. Today, there's more chaos than calm. The chaotic nature of mobility never ceases - and it will probably only increase with the continued consumerization of enterprise mobility. That said, companies will need tools to manage these solutions and services. This will only create a boon for mobility management vendors offering device management and expense management solutions.
