In my own experience managing corporate IS/IT, this type of wild-card aspect of risk management is what keeps dedicated IS staff up at night. At first blush, the combination of using “Big Data” and BYOD seems to clear some of the limiting hurdles of our current organization-centric approach to managing and using data to its greatest extent. In truth, there is no free lunch. During each attempt to squeeze more out of the IT department by either outsourcing or eliminating perceived bottlenecks (and in doing so, reducing staff internally), there is a concomitant increase in the actual resource support necessary from the IT staff or from the general employee population to keep up with the “improved” infrastructure and services.
I’ve seen it in the transition during the 1980s and 1990s to eliminate administrative staff to support general office duties (“secretarial” IT support), and during the 2000s to consolidate and reduce help desk support. In both cases, the reduction of staff actually resulted in less productive workforce statistics. In the first case of administrative IT support, every single worker in the organization(s) becomes less productive because they inherit the effort necessary to feed the automation tools directly and must take time out of every day to perform functions that used to be handled by a small but dedicated staff. In the case of help desk automation, every single worker in the organization(s) becomes essentially their own troubleshooter and interpreter of the automated (or outsourced) support function. Overall, the effectiveness of the organization is decreased, but the perception is that the business is running “leaner” because staff numbers are lower.
The “no free lunch” aspect of this particular risk set comes from the strictly increased monitoring and immediate response capability that will be necessary to keep this potentially large impact from significantly affecting the business or organization. It is a more difficult risk function to calculate, as there is not yet a set of “rules of thumb” or metrics that capture the indeterminate nature of the possible failures that could come with this type of BYOD failure/impact mode. Erring on the safe side will increase the burden of IS/IT costs on the organization and may in some ways limit its ability to implement new ideas (limitation of funds/resources). Erring on the risky side may put the company in a very bad situation when something adverse does in fact happen.
Logically, a more carefully considered policy for BYOD in the enterprise could provide a solid and long-term base for IS/IT strategy. It will, however, take a more determined approach on the part of IS/IT management and strategic thinkers to help the business and organization strategists understand that there really does need to be firm control of some aspects of adding the newest technology to the enterprise networks, and that adding new technology really does mean accepting a larger risk possibility.
In addition, the functional-level procedures that are implemented by a company’s IS/IT organization must come with very good automation to support understanding of the condition of networks, along with auditing/monitoring functions that provide usable and easy-to-understand statistics on the well-being of the network and resources used by the organization.