Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA
Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com

Navigating The Legal And Compliance Implications Of BYOD
by David K. Johnson, December 4, 2013
For: Infrastructure & Operations Professionals

KEY TAKEAWAYS

BYOD Freedom, Regulatory Compliance, And Legal Risk Mitigation Can All Coexist
Technology complexity and difficulty assessing true risks make it difficult to open the door to BYOD for business. Our work with technology lawyers and auditors demystifies the boundaries.

Ignoring BYOD Increases Risks
When you are aware of BYOD in your organization, you must take action. For many firms, the actions they take only drive employees further underground.

A Successful BYOD Strategy Addresses Culture, Education, And Technology
BYOD requires a holistic approach that builds a culture of trust, educates employees on their obligations, and encourages them to meet them. It applies technology controls with extreme care and discretion.

Page 1: Navigating The Legal And Compliance - Bitpipedocs.media.bitpipe.com/io_12x/io_121933/item_1123732/Forrester... · organizational structure, culture, ... and Genentech are learning


© 2013, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.

For Infrastructure & Operations Professionals

Why Read This Report

Consumerization of IT helps drive better employee engagement and innovation because it gives people in your firm the freedom to choose the tools that work best for them and find better productivity. Sadly, we live in a world rife with zero-sum games of litigation where suffocating regulations are the norm, and failure to comply with their directives can draw millions of dollars in fines and lawsuits. Technology diversity multiplies the challenge of maintaining compliance — it’s no wonder so many IT shops take a one-size-fits-all approach to workforce computing and forbid bring-your-own-device (BYOD). The correct solution is a strategy that brilliantly achieves the conflicting goals of embracing BYOD and consumerization while slashing the risks and costs at the same time. This report focuses on what the biggest legal and compliance implications of BYOD are based on our research with lawyers and auditors who specialize in technology law and compliance, and makes actionable recommendations for strategy, technology, and policy.

Table Of Contents

IT Is Three Times More Worried About BYOD Risk Than Innovation ... 2
BYOD And OS Diversity Outpace Formal Audit Standards ... 2
You Still Have To Act, But Too Much Cure Is Worse Than The Disease ... 3
PCs And Macs Require A Different Strategy Than Pure Mobile OSes ... 10
Recommendations: Take A Holistic Approach With Your BYOD Enablement Strategy ... 12
Supplemental Material ... 14

Notes & Resources

Forrester interviewed lawyers, auditors, and IT professionals on the implications of BYOD. This report also uses data from the Forrsights Security Survey, Q2 2013.

Related Research Documents

Habitat For Engagement: Unleash Workforce Potential With Agile Enablement, May 10, 2013
Build Your Workforce Computing Strategic Plan, September 27, 2012
Redefine Your Workforce Computing Policy To Empower Employees, August 28, 2012

Navigating The Legal And Compliance Implications Of BYOD: A Practical Guide For The I&O Professional
by David K. Johnson with Christopher Voce, Christian Kane, Renee Murphy, and Thayer Frechette
December 4, 2013

Navigating The Legal And Compliance Implications Of BYOD 2

© 2013, Forrester Research, Inc. Reproduction Prohibited December 4, 2013

IT Is Three Times More Worried About BYOD Risk Than Innovation

IT is accountable for ensuring compliance and reducing risk but is not typically accountable for business innovation. In fact, 29% of IT decision-makers state that they are very concerned about the risks associated with employee-provisioned devices, while only 11% are very concerned about the risks associated with the business’ need for innovation (see Figure 1). In practice, this makes IT organizations naturally resistant to BYOD, even though the link between the consumerization of IT and innovation is clear.1 Forrester believes that two of the defining characteristics of top IT organizations are how supportive they are of business innovation and how ready they are to embrace consumerization.

Figure 1 How IT Perceives The Relative Risks Of BYOD And Business Innovation

BYOD And OS Diversity Outpace Formal Audit Standards

Many of the standards in use (e.g., PCI DSS, DISA-STIGs, FDCC, USGCB) to audit personal computers map to ISACA guidelines — often COBIT — because they encompass topics beyond the technology itself while keeping business alignment front and center. Such topics include organizational structure, culture, process, and leadership, which many deem necessary for effective technology and risk management. Such guidelines are helpful because they represent a broad range of inputs and provide a defensible foundation for policy and guidance for auditors, regulators, and infrastructure and operations (I&O) professionals.

Figure 1 data. "How concerned are you with the risk that the following initiatives or technologies could introduce in your firm?" (Percentage answering 5 on a scale of 1 [not at all concerned] to 5 [very concerned])

Employee-provisioned devices: 29%
Employee-provisioned applications: 26%
Cost pressures on IT: 23%
Consumer-oriented file sharing tools on personal devices: 22%
The business' need for innovation: 11%

Source: Forrsights Security Survey, Q2 2013. Base: 2,134 IT decision-makers. Source: Forrester Research, Inc.


But there’s a fatal flaw with audit standards: Employees don’t read the standards because they’re busy doing their jobs, and technology innovation continues to outpace the release of more standards. Yet the more constraints and policies we enforce, the fewer options people have to use personal computing technology to adapt to an ever changing business environment. If history is a reliable guide, we can expect an ongoing cat-and-mouse game of technology innovation followed by rules and technical controls, then more innovation followed by more rules and controls, and so on ad infinitum. The solution is not more rules and controls but rather a combination of culture, education, and appropriate controls for each situation while being aware of the end goal — productivity, efficiency, engagement, and, by extension, innovation.

You Still Have To Act, But Too Much Cure Is Worse Than The Disease

The technology attorneys we interviewed for this research agree — once you learn that BYOD is happening in your organization, you have a legal obligation to do something about it, whether you have established industry guidance to draw on or not. The answer is seemingly simple: Take action to stamp out the risk. However, the answer isn’t that straightforward because:

■ The rise of consumerization correlates directly with the rise of controls. Over the past three years, the rise of regulations like the Sarbanes-Oxley Act (SarBox) and HIPAA have driven I&O to take actions like stripping away local admin rights on PCs and the freedom to install software. The percentage of employees willing to spend more on technologies for work has risen in kind. In 2010, 21% of information workers were willing to contribute their own money for a work PC; two years later, that percentage increased to 36%.2

■ There is no data leak prevention tool for the human brain. In open societies, people have free will and the power of reason. So far, we’re not aware of any tools that can prevent the human brain from recording what it knows on any device or media it wants. Keep this in mind as you consider the potential value and effectiveness of your BYOD policy and any technical controls. The best way to promote security and the right behaviors is to create an environment that people find easy to use, convenient, and most of all, fast. When workers continually find a system frustrating to use, they’ll find another way, secure or not.

■ The happy medium between risk mitigation and worker productivity isn’t obvious. Not knowing precisely where the legal or audit risks are or how the characteristics of different technologies will affect those risks means that CIOs often feel extreme pressure from others in the organization to take controls and policies to the max, just in case. Unfortunately, for some IT shops, that means making the use of a personally owned device an offense for which to terminate an employee.

IT Must Achieve The Conflicting Goals Of Freedom And Security

Top companies like Cisco Systems, Citrix Systems, and Genentech are learning the secrets of achieving the conflicting goals of more freedom of choice for employees, more efficient operations, and better security at the same time. Success isn’t about trading one thing for another; it’s about getting as much as you can of both. Resist the urge to apply the same logic and controls to employee-owned devices that you apply to company-owned PCs. Doing so will push BYOD even further underground. Why? Because leaders are demanding that employees get more efficient while taking away the flexibility they need to get there. When IT has a mandate to act but limited visibility into all of the factors affecting BYOD decisions, there is a natural tendency to over-rotate on security controls to compensate for unknown risks. To understand the factors affecting BYOD decisions, IT employees must find out (see Figure 2):

■ IT’s precise responsibilities under the law and how to minimize exposure to legal risks.

■ Which audit standards apply to their situation and how to interpret the standards for the business.

■ The true needs of employees and what will help them reach their potential.

■ The technology available and how it helps or hinders engagement and productivity.

■ Where to make the best tradeoffs, and what’s necessary to make it all work.


Figure 2 Comprehensive Inputs To BYOD Strategy Research

Risks: Top BYOD Risks Include Intellectual Property Misuse, Accidental Data Loss

For this report, Forrester interviewed attorneys who specialize in intellectual property and technology law and auditors who work across industries to help firms maintain compliance with regulations and industry standards. Charles F. Luce Jr., partner at Moye White in Denver, says that the legal exposure of a firm is the same regardless of who owns the device. What matters is the information and intellectual property on the device and whether you can show that reasonable measures are in place to prevent both inadvertent and willful misuse or loss of either one should enforcement action or litigation occur. David Navetta, an attorney at InfoLawGroup, agrees with Luce and adds that most violations of the law are accidental — primarily because employees don’t understand the risks or what they can do to manage them. What should you know about BYOD risks?

■ Intellectual property law violations can have especially severe repercussions. Patent, trademark, and copyright infringement are all very common but very difficult, if not impossible, to police with technical controls. For example, the willful and illegal misuse of someone else's property — misappropriation — sometimes comes into play when software is in use for business that isn't properly licensed and the attorneys can demonstrate that employees knew it and still continued to use it anyway. According to the law, not only can the firm be liable for past licensing fees, it can also owe damages equivalent to the value of every sale made after the first violation using the unlicensed software (see Figure 3).

Figure 2 inputs (Source: Forrester Research, Inc.): the BYOD strategy draws on the attorney perspective, the auditor perspective (NIST, PCI, ISACA), the vendor perspective, the engagement perspective, the BT client perspective, the technology landscape, and data trends.

■ Lawyers will look for willfulness and weaknesses in IT governance for leverage. When a firm learns that there is a reasonable likelihood of litigation against it, it may have to comply with a legal procedure called “litigation hold” or face sanctions. Litigation hold means that the violator must preserve all data relating to the case — even if it's on an employee-owned device. In such a case, the plaintiff's attorney will likely try to demonstrate that the defendant's security apparatus “has more holes than Swiss cheese,” according to Luce. Further, if some of the information resides on a personal cloud service like Dropbox or a Gmail account, the Stored Communications Act comes into play and can make it difficult or impossible to enforce the litigation hold. This can also bolster the plaintiff's case for poor governance — especially if the service is nonsecure.

■ Violations and information loss are usually accidental, but agreements can aid recovery. Navetta reports that inadvertent loss or theft of information is the most common scenario he sees with his clients. Even so, breaches of contracts, including nondisclosure agreements (NDAs), are serious, and without a signed BYOD agreement, it may be difficult or impossible to recover the device to investigate. Worse, if it turns out the loss of data was a willful act, even if you can get the device and hold the employee liable, the cost of the damages may exceed what they’re able to pay, so you need to consider other means of indemnification, such as insurance, as well.

Figure 3 Risk Exposure For Software Licensing Violations (chart contrasting the cost of license with the cost of misuse; Source: Forrester Research, Inc.)

Context: Formal BYOD Guidance Is Immature And Open To Interpretation

Chris Gray, practice manager for Accuvant’s risk and compliance business, says that regardless of who owns the device, when it’s used in a regulated business, in theory it needs to adhere to the same regulations and industry standards as company-owned equipment. But he also notes that specific guidance for BYOD mobile device policies and technical controls are practically nonexistent. On the surface, this suggests that you should employ the same management and security program in use for company-owned devices, but that’s not the case. The early published official guidance for BYOD from US National Institute of Standards and Technology (NIST) strongly recommends having a security policy but also makes it clear that “each organization should make its own risk-based decisions about what levels of access should be permitted from which types of mobile devices.”3 I&O pros should also know that:

■ Regulations are weak on technical controls, but ISACA, NIST, and PCI fill the gaps. Taking HIPAA as an example, the HIPAA Security Rule (45 CFR §164.312) offers only a handful of high-level technical safeguard standards. The “access control” technical safeguard requirement reads: “A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information.”4 Auditors look to NIST technical control specifications for guidance, and the result is often subjective because devices and platforms evolve so quickly that the guidance is rendered obsolete almost immediately (see Figure 4).

■ Tablets and smartphones live by a simpler set of rules. NIST Special Publication 800-124 Revision 1 (draft released July 2012, finalized June 2013) is the first official guidance to cover employee-owned mobile devices, and it applies only to devices with “an operating system that is not a full-fledged desktop or laptop operating system,” including smartphones and tablets (see Figure 5). It also rules out devices with limited computing capacity, such as “basic cell phones.” This means that there's a different set of considerations for Windows 8 tablets in a BYOD program, because Microsoft tablets such as the Surface Pro run a full-fledged laptop OS.

■ PCI compliance standards specifically allow virtualization. Payment Card Industry (PCI) standards are prescriptive for device configuration, management, security, access, and more, but PCI also has provisions specifically permitting the use of virtual terminals. Auditors interpret this as applicable to terminal services (e.g., Citrix) and hosted virtual desktop infrastructures as long as the system meets some additional criteria. For example, a third-party provider who complies with PCI standards must host the underlying data center infrastructure. No payment card data actually resides on the device at any time.


Figure 4 NIST Technical Considerations For Securing Mobile Devices (Source: National Institute of Standards and Technology; Forrester Research, Inc.)

Development
• Architecture
• Authentication
• Cryptography
• Device configuration requirements
• Application vetting and certification requirements

Implementation
• Connectivity to the organization's resources and systems
• Information protection
• Authentication methods
• Applications
• Management
• Logging
• Performance
• Ongoing security assurance
• Review default fallback settings

Operations and maintenance
• OS and application upgrades, patching
• Clock syncing with reliable time source
• Reconfiguring access control if needed
• Detecting and logging anomalies
• Threat training and awareness
• Proper disposal

The spreadsheet associated with this figure contains additional information regarding the source.


Figure 5 NIST — Defining Characteristics For Mobile Devices

Action: Clear Policy And Education Form The Proper Foundation

When forming your BYOD strategy, remember that:

■ Relying on technical controls alone is not effective. Gray says that culture and employee education play significant roles in positive audit outcomes. A few factors he looks for are whether employees receive training on the rules that apply to them, what their responsibilities are for maintaining compliance, and how to do it. He also looks at the culture of the organization and how it impacts risk factors. For BYOD, Gray says that employee training should include guidance for acceptable use of employee-owned devices, what they need to do to comply with the policy, and how to use any of the tools necessary to maintain information security and device integrity on their own.

■ Effective BYOD governance starts with a clear policy and education. Attorneys Luce and Navetta agree that a signed BYOD agreement with each employee, along with adequate education on the risks and employees' responsibilities, are the absolute minimum. However, they also counsel that reasonable technical controls in line with industry standards for data security and appropriate for the situation should also be in place. If the firm is too small to afford the proper technical controls, then clear guidance and education for employees on their responsibilities can be sufficient, as long as the employees can reasonably meet them — both technically and financially. Of course, this might be feasible for a small engineering firm, but it won't be for a larger organization.

Figure 5 data (Source: National Institute of Standards and Technology; Forrester Research, Inc.). NIST's defining characteristics for a mobile device:
• Small form factor (e.g., phone or tablet)
• At least one wireless interface for Internet access (3G, Wi-Fi, etc.)
• Local, nonremovable data storage
• An OS that is not a full-fledged desktop or laptop OS
• Apps available through multiple methods (app store, web browser, etc.)
• Built-in data sync features
• Optional: additional network services like Bluetooth, NFC, or GPS
• Optional: one or more digital cameras
• Optional: microphone
• Optional: removable media or support for use as a storage device

The spreadsheet associated with this figure contains additional information regarding the source.

■ Enforcing policies for employees incapable or unwilling to do their part is wise. A policy of “trust but verify” is legitimate and defensible when you can show that employees are capable of complying with your BYOD policy if they're equipped with the proper tools and willing to do so. However, if you find that some employees are either unwilling to comply or incapable of complying with the policy or become untrustworthy, you have to be willing and able to enforce the rules. It's helpful to have qualifying criteria for a BYOD program that you can use to screen candidates upfront and conduct spot checks to ensure that employees are properly equipped and complying with the policy. For example, you can use a mobile device management (MDM) tool to make sure employees aren't jailbreaking their devices and a laptop utility to check that hard drive encryption is always turned on.

■ Determining which regulations and audit guidelines apply to a firm is a research project. Audit firms such as Accuvant and Ernst & Young earn money by analyzing the compliance needs of their clients for Sarbanes-Oxley, FINRA, HIPAA, and other regulations to determine which standards should apply. In some cases, they perform mock audits, emulating a real government audit to find flaws and make recommendations. Gray says that the goal of this process is to stress test the organization’s likelihood of surviving a formal government audit should it happen. The output of the test will be recommendations for area improvements, and the industry standards are the benchmarks.
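The hard drive encryption spot check above is the one part of "trust but verify" that is easy to automate. The following is an added example, not code from the Forrester report or from any vendor: it parses the text printed by the real commands `manage-bde -status <drive>` (Windows, BitLocker) and `fdesetup status` (macOS, FileVault), which an employee or a self-support script can paste into a compliance form, and returns a pass/fail verdict. The sample outputs are constructed for this example and the function names are our own. It also covers the two states a naive "is encryption on?" check misses: a BitLocker volume that is fully encrypted but has protection suspended (its key is stored in the clear), and a FileVault volume whose initial encryption is still in progress.

```python
"""Spot-check full-disk encryption on BYOPC laptops from self-reported command output.

Added example, not from the Forrester report. Parses the output of the real commands
`manage-bde -status <drive>` (Windows) and `fdesetup status` (macOS) and decides
whether a device meets an "encryption always on" policy. Sample outputs below are
constructed for this example; the check_* functions are our own, not a vendor API.
"""
import re
from dataclasses import dataclass


@dataclass
class EncryptionCheck:
    platform: str
    compliant: bool
    reason: str


# Matches "    Key Name:   value" lines; a bare "Key Protectors:" line does not match.
_FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]+(\S.*?)[ \t]*$", re.MULTILINE)


def check_bitlocker(output: str) -> EncryptionCheck:
    """Evaluate `manage-bde -status` output for one volume.

    Compliant only when conversion is complete AND protection is on. A volume that
    is 'Fully Encrypted' but reports 'Protection Off' is suspended: its key is
    stored unprotected on disk, so the data is effectively readable.
    """
    fields = {k.strip().lower(): v for k, v in _FIELD_RE.findall(output)}
    conversion = fields.get("conversion status", "")
    protection = fields.get("protection status", "")
    if not conversion:
        return EncryptionCheck("windows", False, "no BitLocker status found")
    if conversion.lower() != "fully encrypted":
        return EncryptionCheck("windows", False, f"conversion status is '{conversion}'")
    if protection.lower() != "protection on":
        return EncryptionCheck("windows", False, f"protection status is '{protection}'")
    return EncryptionCheck("windows", True, "fully encrypted, protection on")


def check_filevault(output: str) -> EncryptionCheck:
    """Evaluate `fdesetup status` output.

    'FileVault is On.' alone is compliant; an 'Encryption in progress' line means
    part of the disk is still plaintext, which fails the check.
    """
    if re.search(r"^FileVault is Off\.", output, re.MULTILINE):
        return EncryptionCheck("macos", False, "FileVault is off")
    if not re.search(r"^FileVault is On\.", output, re.MULTILINE):
        return EncryptionCheck("macos", False, "no FileVault status found")
    if re.search(r"(en|de)cryption in progress", output, re.IGNORECASE):
        return EncryptionCheck("macos", False, "FileVault conversion still in progress")
    return EncryptionCheck("macos", True, "FileVault is on")


def check_disk_encryption(platform: str, output: str) -> EncryptionCheck:
    """Dispatch on the platform the device reports; unknown platforms fail closed."""
    if platform == "windows":
        return check_bitlocker(output)
    if platform == "macos":
        return check_filevault(output)
    return EncryptionCheck(platform, False, f"no encryption check defined for '{platform}'")


# Constructed sample outputs in the format the real tools print (not captured from real machines).
SAMPLE_BITLOCKER_OK = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password
"""
SAMPLE_BITLOCKER_SUSPENDED = SAMPLE_BITLOCKER_OK.replace("Protection On", "Protection Off")
SAMPLE_BITLOCKER_PARTIAL = (SAMPLE_BITLOCKER_OK
                            .replace("Fully Encrypted", "Encryption in Progress")
                            .replace("100.0%", "45.3%"))
SAMPLE_FILEVAULT_OK = "FileVault is On.\n"
SAMPLE_FILEVAULT_OFF = "FileVault is Off.\n"
SAMPLE_FILEVAULT_PARTIAL = "FileVault is On.\nEncryption in progress: Percent completed = 62\n"

if __name__ == "__main__":
    for name, platform, out in [
        ("win-ok", "windows", SAMPLE_BITLOCKER_OK),
        ("win-suspended", "windows", SAMPLE_BITLOCKER_SUSPENDED),
        ("win-partial", "windows", SAMPLE_BITLOCKER_PARTIAL),
        ("mac-ok", "macos", SAMPLE_FILEVAULT_OK),
        ("mac-partial", "macos", SAMPLE_FILEVAULT_PARTIAL),
    ]:
        r = check_disk_encryption(platform, out)
        print(f"{name:14s} {'PASS' if r.compliant else 'FAIL'}: {r.reason}")
```

The check fails closed: any platform it does not know, any output it cannot parse, and any state short of "fully encrypted and protected" is a FAIL with a reason the employee can act on. If you collect these reports centrally, treat a suspended BitLocker volume as seriously as an unencrypted one; the "Fully Encrypted" line on its own is what a casual reviewer would accept.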

PCs And Macs Require A Different Strategy Than Pure Mobile OSes

Mobile operating systems are proving reliable and are mostly self-supporting once the initial configuration for corporate access is done. This is not the case for employee-owned PCs and Macs — partly because desktop applications are far more widespread and comprehensive, but also because the Windows and Mac operating systems can require more management and maintenance. Also, PC and Mac software license compliance can be difficult, and they must conform to more stringent controls under audit guidelines. It's not practical for firms to try to manage employee-owned laptops by applying corporate standards, so access to company resources needs to come through secure channels and virtual containers that limit exposure and prevent sensitive or large amounts of data from being at rest on an unmanaged PC or Mac. To enable Windows and Mac devices for BYOPC, Forrester recommends that you:


■ Avoid adding employee-owned computers to your trusted corporate network. Since there is no reliable, simple way for employees to self-manage their PCs to the same standards as IT, and IT can’t effectively monitor compliance anyway, your BYOPC strategy should assume that all employee-owned devices will remain outside the firewall and will access resources and systems through encrypted, secure channels.

■ Not manage employee-owned Windows devices directly. Incubate a self-support model instead. Provide guidance to employees for any reasonable measures they should take, such as turning on native hard drive encryption, keeping antivirus software up to date, and protecting their PCs with passwords. Update agreements with vendors so you make any paid software that employees will need freely available to them. Use tools like wikis or enterprise social platforms to allow people to collaborate on best practices and problem solving. Incentivize IT and application support pros to monitor the collaboration site and offer solutions and best practices when needed. Reward them once in a while when you see them providing great mentoring and support.

■ Accelerate and expand desktop and application virtualization programs. Auditors agree that client virtualization technology from Citrix, Microsoft, VMware, and others goes a long way toward achieving compliance goals. Virtualization allows a clean separation between a tightly controlled desktop or application environment and the employees’ personal apps and data. Embedded policies govern how data and files can enter or leave the virtual container. The client and application virtualization spaces are vibrant with innovative technologies that enable you to build a rich portfolio of capabilities you can match precisely to the needs of nearly any work style and device.

■ Prioritize software-as-a-service and cloud projects. While companies usually embark on software-as-a-service (SaaS) initiatives initially to cut costs, simplify infrastructure, and reduce IT management workload, there is a wonderful side benefit: SaaS is a great fit for BYOD because it lives outside the firewall where many of your people are also working. Enterprise SaaS providers such as salesforce.com were among the first to offer a rich array of mobile apps for smartphones and tablets. Employees value these tools highly and use them to speed collaboration and enrich customer relationships.

■ Revamp your identity and access management strategy for cloud and mobile. As less and less of what people need in their daily work is inside the firewall and more of it moves to the cloud and social networks, your strategy for identity and access management will need to expand to the extended enterprise and employee-owned PCs.

■ Follow and manage the flow of data. In an environment with an increasingly diverse setup of endpoints and owners of those endpoints, the need to control data becomes paramount. Most firms have chosen to ignore controlling the data in favor of the blanket device management approach. As BYOD continues to break down this model and users continue to crave more and different ways to access company information, progressive firms will move to get a better handle on their data. This is the utopian dream for anyone involved with risk, development, and innovation: A future where the flow of data can be easily tracked, managed, and distributed to those who need it, when they need it. But today, most firms have no real data classification, little to no data monitoring, and therefore no real data control. Given the “Dropbox challenge” that so many firms are going through, adopting an enterprise-grade file sync and share solution becomes the first step toward a data-centric approach to management and enablement.

Recommendations

Take A Holistic Approach With Your BYOD Enablement Strategy

A viable BYOD strategy addresses culture, responsibilities, education, policy, and technical controls.5 It recognizes the value that BYOD brings to employee engagement and performance and features a clear agreement between the organization and each BYOD employee that outlines what each is responsible for. Technology’s role is to help foster safe behaviors, control information access, and verify ongoing compliance — all without getting in the way of creativity, productivity, collaboration, or other daily activities. To craft a viable governance strategy:

■ Recognize that BYOD is an important business capability. There’s nothing inherently wrong or dishonest about employees seeking new technologies and ways to work outside of those available from their employers, so why do we treat it like a crime and employees like suspects? Our research on employees using their own devices for work reveals that often they believe they have no choice. We also see many cases where employees see an opportunity to do something to improve their work, like trying out new design software, a task management tool, or a productivity method like the well-known Getting Things Done (GTD) methodology.6 If innovation and growth come in part from employees thinking outside the box, then that has to be a calculated and acceptable risk and not something IT is actively fighting against. Your organization adapts to a changing competitive environment through learning at the individual level — minute to minute, every day. BYOD gives employees the chance to improve their working lives and adapt.

■ Build a culture of responsibility and trust. Dr. Kaoru Ishikawa, founding member of the Japanese quality movement, author of 647 articles and 31 books on company culture, quality, and innovation, observed: “We make people untrustworthy by not showing them enough trust.” Indeed, a culture of trust may well be the most important hallmark of firms with successful BYOD programs. Conversely, environments that erode trust incubate behaviors that increase risks. According to Accuvant’s Chris Gray, assessing the culture of an organization — including employee incentive pay, executive behaviors, and policies — is a big part of what happens during an audit.


■ Craft a clear BYOD policy to codify responsibilities and establish agreement. A BYOD policy is a living agreement that outlines benefits of BYOD, the potential risks, and the governance needs for the organization.7 It provides qualifying standards for the BYOD program, educates employees about their responsibilities, outlines the organization’s responsibilities for supporting BYOD employees, sets the terms for information ownership and software licensing responsibility, and clearly explains procedures in case of device loss, theft, or misuse. Done properly, a BYOD policy increases flexibility for workers by offering multiple ways to comply, making it easier for them to understand their responsibilities and what steps to take.

■ Actively and regularly educate employees about the reality of risk and their obligations. BYOD shifts significant responsibilities to workers to safeguard information, comply with the law, and manage their personally owned technology to higher standards than they may be ready for. Educate them on regulations and industry standards that apply to your industry and offer practical guidance for device security, information security, and device management. New service rollouts provide great opportunities for reinforcement of these ideals. For example, when rolling out a new app to users, make sure to include messaging about sharing corporate data.

■ Create a technology approach that promotes engagement while enforcing the policy. In most cases, this means keeping employee-owned devices off of the corporate trust network while allowing access to information through secure proxies and interfaces. In regulated environments, it also means sensitive data is never stored on employee-owned devices, but in less stringent environments, it can mean simply controlling access to systems of record such as customer databases to prevent anyone from walking away with a data dump. Firms doing this well know a lot about the nuances of a wide range of technologies and develop capabilities for offering a wide range of services and access.


SUPPLEMENTAL MATERIAL

Methodology

Forrester’s Forrsights Security Survey, Q2 2013, was fielded to 2,134 IT executives and technology decision-makers located in Canada, France, Germany, the UK, and the US from SMB and enterprise companies with two or more employees. This survey is part of Forrester’s Forrsights for Business Technology and was fielded from March 2013 to June 2013. Research Now fielded this survey online on behalf of Forrester. Survey respondent incentives include points redeemable for gift certificates. We have provided exact sample sizes in this report on a question-by-question basis.

Each calendar year, Forrester’s Forrsights for Business Technology fields business-to-business technology studies in more than 17 countries spanning North America, Latin America, Europe, and developed and emerging Asia. For quality control, we carefully screen respondents according to job title and function. Forrester’s Forrsights for Business Technology ensures that the final survey population contains only those with significant involvement in the planning, funding, and purchasing of IT products and services. Additionally, we set quotas for company size (number of employees) and industry as a means of controlling the data distribution and establishing alignment with IT spend calculated by Forrester analysts. Forrsights uses only superior data sources and advanced data cleaning techniques to ensure the highest data quality.

We have illustrated only a portion of survey results in this document. To inquire about receiving full data results for an additional fee, please contact [email protected] or your Forrester account manager.


ENDNOTES

1 For more information on the linkage between consumerization and innovation, see the May 23, 2011, “How Consumerization Drives Innovation” report.

2 Today, many of the processes and controls I&O depends on to support users require complete control of the device. This is not realistic in tomorrow’s world of employee-owned devices. As it turns out, 36% of laptop users and 48% of tablet users are willing to pay some or all of the costs for a work device of their choice. See the May 10, 2013, “Habitat For Engagement: Unleash Workforce Potential With Agile Enablement” report.

3 Source: “Guidelines for Managing the Security of Mobile Devices in the Enterprise,” NIST Special Publication 800-124 Revision 1, National Institute of Standards and Technology, June 2013 (http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf).

4 Source: “Guidelines for Managing the Security of Mobile Devices in the Enterprise,” NIST Special Publication 800-124 Revision 1, National Institute of Standards and Technology, June 2013 (http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf).

5 The strategic plan should be grounded in dialogue with other stakeholders in the business to make sure that it clearly supports the most critical priorities. The plan should also reflect prominently the mission and values of the organization as a whole. This is essential for holding everyone involved accountable to the same set of values, such as quality, employee empowerment, collaboration, and innovation, something that is particularly important as you expand operations to new regions and cultures. See the September 27, 2012, “Build Your Workforce Computing Strategic Plan” report.

6 Getting Things Done, or GTD for short, is a method for organizing work and tasks for better personal productivity made popular by the book by David Allen called Getting Things Done: The Art of Stress-Free Productivity. Source: David Allen, Getting Things Done: The Art of Stress-Free Productivity, Penguin Group, 2001.

7 Workforce computing technology and supporting policies are desperately out of date and in need of transformation. Thankfully, I&O managers are embracing desktop modernization projects and redefining their next-generation mobility strategies to meet expectations for more flexible workspaces among empowered workforces. See the August 28, 2012, “Redefine Your Workforce Computing Policy To Empower Employees” report.


Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 13 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 29 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com. 95343


Forrester Focuses On Infrastructure & Operations Professionals

You are responsible for identifying — and justifying — which technologies and process changes will help you transform and industrialize your company’s infrastructure and create a more productive, resilient, and effective IT organization. Forrester’s subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance.

Ian Oliver, client persona representing Infrastructure & Operations Professionals

About Forrester

A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world’s top companies turn the complexity of change into business advantage. Our research-based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues — margin, speed, growth — first, technology second.

FOR MORE INFORMATION

To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about.

CLIENT SUPPORT

For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.