Estimating The Economics Behind BYOD Security

Find the hidden costs of BYOD to make appropriate financial and risk decisions
Even as bring your own device (BYOD) policies and programs have opened up a world of opportunity for organizations, the risks and additional operational burdens imposed have changed the economic realities of mobility more than many in IT realize. As organizations weigh the costs and opportunities offered by BYOD compared to issuing company devices, they need to be aware of the hidden costs of BYOD -- particularly within high-risk environments.

According to Rainer Enders, CTO, Americas, at NCP engineering, organizations looking at BYOD sheerly as a cost-savings initiative need to rethink that mentality.

"I think it could well be at the end of the day that BYOD devices are more expensive than if you have full control and the company owns the device," he says. "Companies sometimes only look at the cost of the device, but when it comes down to it, [BYOD] is more expensive if you look at the total picture."

According to Enders, too few organizations factor risk into their cost considerations, making it one of the most costly hidden costs if proper precautions aren't taken.

"In my mind, the biggest hidden cost lies in the worst-case scenario -- when bigger issues arise like a lawsuit or a major security breach," he says. "It really comes down to the standard security question about what the assets are. What do I need to protect from a company point of view? My legal situation -- how is my IP sufficiently protected? I think that is where the main costs are: This is something that is often overlooked. Companies don't really do a good job at assessing this kind of risk."

As such, Enders suggests that organizations start implementing risk assessment formulas into their dollars and cents estimates for mobile costs in a BYOD model. There are other tangible costs that are often overlooked, as well, many of which have to do with managing a more diverse infrastructure and enforcing security and privacy policies that will eventually reduce risks.

"From an IT perspective, the hidden monetary costs principally revolve around enforcing security and compliance at scale. In the corporate-liable BlackBerry world -- which many IT organizations are now moving away from -- it was relatively simple to predict and manage risk," says Dan Dearing, vice president of marketing at Enterproid.

When only BlackBerry was synonymous with enterprise mobility, organizations understood and could trust the security of the NOC framework and BlackBerry Enterprise Server (BES). Now that the market is so segmented among consumer devices, it takes a lot more work to even come close to the same sort of peace of mind, Dearing says.

"Along with the introduction of consumer-oriented devices into business settings comes the complexity of IT integrating multiple mobile platforms into a single environment," Dearing says. "Often, IT must rely on multiple MDM [mobile device management] platforms or approaches to unify these disparate mobile devices into a single solution. That translates into more data center resources -- both people and server infrastructure -- to address policy management, device deployment, and compliance enforcement for each silo. The resulting environment is much more complex and diverse than IT required to support just BlackBerrys."

Not only that, but Dearing says that organizations now have to deal with scaling issues. Back in the day, BlackBerry deployments typically spanned only about 20 percent of the employee user base.

"The number of mobile users, empowered by the use of their personal smartphone or tablet device, will very quickly exceed the BlackBerry norm of 20 percent of employees and will most likely reach 50 to 60 percent of employees," he says. "This will be exacerbated by the trend that employees use multiple devices to perform different job-related tasks as they move seamlessly between smartphones, laptops, and tablets, depending on their setting and task."

As organizations consider how to manage that increase in scale, organizations that place too much emphasis on the cost savings of transferring device ownership may be missing the boat on fully grasping the financial analysis of mobility, both Enders and Dearing warn. Even though the hardware may no longer be on IT's expense sheet, it very often ends up as an expense somewhere in the business through reimbursement programs.

"The overhead is just pushed to some different department," Enders says.

As such, organizations need to really worry more about policies regarding which platforms will be supported, how many devices will be supported per user, and who pays for the service behind the devices.

"As CIOs mobilize more of their workers to enhance the competitive position of their business, the infrastructure cost will be sunk regardless of device ownership," Dearing says. "The real cost variable will be how many devices are used by each employee and who pays for them and their monthly service. IT can control infrastructure costs by limiting the number of devices per employee that require support."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.