If you have not provided flexible working, Bring Your Own Device, working from home - or whatever else you want to call it - I guarantee at least some of your workforce will have found a way to do it themselves.

We all know there are ways and means, especially if you know a friendly IT administrator - who by the way will have been using it for years - and gradually more and more people will be using the unofficial flexible working capability.

What does this tell you about the technology team? They are moving too slowly and are out of step with their user base by not supporting them with tools and processes to make their lives easier and more productive. So how do you ensure you implement flexible working correctly and deliver a top-class service to your customers? First off, don't go headlong into thinking about the technology. There are other aspects that are arguably more important and can define the success or failure of this initiative.

You will need to consider the legislation for your region. In the EU, the Data Protection Regulation is due to come into force in 2016 or 2017 depending on who you believe. This will introduce some stringent fines if you fail to comply, up to a maximum of 5% of global turnover, not profit, and a requirement to notify the regulator within 72 hours of a breach. The US can have different laws per state and the rest of the world is a patchwork of different regulations, so it is important to work closely with your legal teams on implications for flexible working.

What are the enablers and concerns for flexible working?

Users prefer using their own devices: they are familiar with them and they have the consumer-orientated features they need. This, it is claimed, makes users more productive, able to balance home and work lives better and even less stressed. Overall it provides increased satisfaction scores.

As for concerns, employees are generally uptight that the company will "snoop" on their personal device, looking at browsing habits, social media posts or personal photos; but even more of a concern is that the company may wipe all the personal data on their device. From a company perspective, they absolutely do not want to see the employees' personal data, as this opens up a can of worms around liability should they see something inappropriate or even illegal. The company is also concerned about corporate data leaking out of the device in cloud backups or synchronisation between devices. Support costs and increased bandwidth also need to be considered, as does training both of the IT team and users. Other cost areas are migration costs, software licences and network costs.

So how should you approach flexible working? Here are some tips that I learned the hard way and have the scars to show for it:

  • Over-communicate: Ensure you have executive team support and an executive team sponsor, but not the CTO or CIO. It should be someone from outside the technology organisation.
  • Assign line of business champions to help you get your message out.
  • Don't forget the need to address behavioural aspects and training, and develop your acceptable use policy with input from the business champions.
  • Clearly define the requirements so people know what they will get and importantly what they will not get. I cannot overstate how important this is and it will avoid a lot of pain and misunderstanding later.
  • Partner with Audit, Risk Committees, Legal and HR; and involve them early!
  • Concentrate on the data and not the device, and use your data classification and handling criteria to identify data that you do not want on a personal device.
  • Treat this as a strategic project rather than reacting to demands from executives that see their counterparts with shiny new toys. You will end up in a mess with a very ad-hoc solution that may satisfy people in the short term but will quickly become unsustainable.

In summary, flexible working can provide real advantages for an organisation and should be embraced; otherwise you risk people going around you. A lack of communication or of crystal-clear requirements is the number one reason for an unsuccessful project.

A final word of caution: flexible working impacts people personally and can become a very emotive subject. It has the potential to showcase the technology organisation as an innovator and a team that really supports the business. But if not handled correctly, technology can become the "whipping boy" and it can take years to recover credibility.

Phil Sheehan is an experienced Chief Information Security Officer and worked in C-level security roles at payment processing companies Worldpay and First Data Corporation.