
The BYOD Struggle: From Writing Custom Apps to Defining Security

In addition, since the need to build custom apps for both clinical and business use is apparent, the question is how to start that software-development process in a way that enforces a high level of security assurance, both in-house and with outside software developers. Kaiser Permanente is currently in negotiations with mobile-software vendors, asking them to define the processes they use to identify and track business flaws in their software. That takes the whole process beyond the iTunes and Android store approach, in an effort to define strict coding practices for an in-house app store. There is huge momentum around BYOD, and Kadrich acknowledges that one day it is likely to be a component of Kaiser Permanente's IT strategy.

Like Kaiser Permanente, a number of IT consultancies have expressed doubts about whether BYOD is truly cost-effective. Although it may look at first glance as though a company saves money by having employees buy their own mobile devices, perhaps with a corporate stipend, there are management costs that may not work out to the company's advantage. Aberdeen analyst Hyoun Park, for instance, notes that telecom rate plans cost less through traditional corporate contract negotiations than through individual contracts.

As far as cost-savings go, "the jury is still out on BYOD," says Joe Nocera, principal in the IT security risk practice at PricewaterhouseCoopers. He thinks the BYOD "promise of cost-savings" is largely "unrealized" today.

BYOD raises questions about security controls and about how forensics will be done on a device owned not by the company but by the employee, Nocera notes. He is also skeptical about how far MDM software goes today toward meeting strict security requirements. "Its functionality is very limited," he says of current MDM packages. "All they do is secure email fairly well."

The main goal has to be securing the data on the device and having a way to validate it through risk assessments, he says. In regulated industries, such as healthcare and finance, there are going to be audits of these BYOD mobile devices and the apps that are used, Nocera points out. Unfortunately, in too many cases, businesses are thinking about these questions only after they've rolled out BYOD practices.

Some user discussion groups have taken up the topic of BYOD so that IT and security managers can share ideas. The Austin-based Wisegate IT community, for example, a group in which Kadrich participates, recently published a report titled "IT Peers Share Advice on Effective 'Bring Your Own Device' Strategies." The upshot: there appears to be little consensus so far.

Some 27% of respondents in the BYOD survey said they'll only allow "fully managed and secured devices to utilize corporate services," while 24% said, "We are moving from a 'device centric' strategy to a 'user centric' strategy and don't think that devices can be fully secured. We focus on securing the sensitive transactions." Another 20% claimed to have a "hybrid approach" in which more secured devices get more access and less secured or less managed devices get less access.
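The "hybrid approach" in the survey amounts to a posture-based access policy: a device reports what controls it has, and that decides how much of the corporate environment it may reach. The following is an added example, not code from Wisegate, Kaiser Permanente or any MDM vendor named in this article; the tier names, posture attributes and the 30-day patch threshold are assumptions. It treats any attribute the device fails to report as a failed control, and returns the list of failed controls alongside the tier so the decision can be shown to an auditor, which is the kind of evidence Nocera says regulated industries will be asked for.

```python
"""Posture-based BYOD access tiering (constructed example).

Attribute names, tier names and thresholds are assumptions for illustration;
they are not taken from the survey or from any product.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    """Access tiers, least to most privileged (assumed names)."""
    NONE = 0          # no corporate services at all
    WEB_ONLY = 1      # webmail through a gateway, nothing stored on the device
    MANAGED_APPS = 2  # corporate apps and mail inside an MDM-managed container
    FULL = 3          # VPN and internal applications


@dataclass(frozen=True)
class DevicePosture:
    """Attributes an MDM or attestation service would report for one device.

    None means 'not reported'; the policy treats that as a failed control
    (fail closed) rather than guessing in the device's favour.
    """
    device_id: str
    passcode_set: Optional[bool]
    jailbroken: Optional[bool]
    mdm_enrolled: Optional[bool]
    disk_encrypted: Optional[bool]
    remote_wipe_supported: Optional[bool]
    os_patch_age_days: Optional[int]


def _passes(value: Optional[bool]) -> bool:
    """Only an explicit True counts; False and None both fail."""
    return value is True


def assess(p: DevicePosture, max_patch_age_days: int = 30) -> tuple[Tier, list[str]]:
    """Map one device's posture to a tier.

    Returns the tier granted and the controls that kept the device out of
    the next tier up, so the decision is explainable after the fact.
    """
    failed: list[str] = []

    # Hard blocks: a rooted/jailbroken device, or one whose root state is
    # unknown, gets nothing regardless of its other controls.
    if p.jailbroken is not False:
        failed.append("jailbroken/rooted or root state unknown")
        return Tier.NONE, failed
    # A device lock is the floor even for web-only access.
    if not _passes(p.passcode_set):
        failed.append("no device passcode")
        return Tier.NONE, failed

    # Container tier puts corporate data at rest on the device, so the
    # company must be able to manage, protect and wipe that data.
    for ok, label in (
        (_passes(p.mdm_enrolled), "not MDM-enrolled"),
        (_passes(p.disk_encrypted), "storage not encrypted"),
        (_passes(p.remote_wipe_supported), "remote wipe not supported"),
    ):
        if not ok:
            failed.append(label)
    if failed:
        return Tier.WEB_ONLY, failed

    # Full access additionally requires a recent OS patch level.
    if p.os_patch_age_days is None or p.os_patch_age_days > max_patch_age_days:
        failed.append(f"OS patch level older than {max_patch_age_days} days or unknown")
        return Tier.MANAGED_APPS, failed

    return Tier.FULL, failed


# Constructed sample inventory; these are not real devices.
SAMPLE_DEVICES = [
    DevicePosture("phone-a", True, False, True, True, True, 7),     # everything in place
    DevicePosture("phone-b", True, False, True, True, True, 95),    # managed but unpatched
    DevicePosture("phone-c", True, False, False, None, False, 3),   # unmanaged, encryption unknown
    DevicePosture("phone-d", False, False, True, True, True, 1),    # enrolled but no passcode
    DevicePosture("phone-e", True, True, True, True, True, 1),      # jailbroken
]


def tier_report(devices) -> dict[str, tuple[Tier, list[str]]]:
    """Evaluate every device and return the audit-ready decisions by device ID."""
    return {d.device_id: assess(d) for d in devices}


if __name__ == "__main__":
    for dev_id, (tier, failed) in tier_report(SAMPLE_DEVICES).items():
        print(f"{dev_id}: {tier.name:<13} {'; '.join(failed) or 'all controls met'}")
```

The fail-closed handling of `None` is the point worth keeping: a posture attribute that an unmanaged personal device simply never reports must not be read as compliant. The tier ordering also reflects where data lands; a device moves from web-only to container access only once the company can encrypt and wipe what it stores.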

Tellingly, 6% revealed how painful dealing with BYOD is by answering, "This issue just gives me a headache, and I'd really like it to go away."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
