As bring-your-own-device approaches become mainstream, are organizations seeing the expected benefits?
Some CIOs have struggled in the face of the rogue technology onslaught of BYOD (Bring Your Own Device) and have attempted to avoid any threat of chaos by locking down IT usage within their organizations. But the consensus among most now is that the tide of consumerization is unstoppable, and must be embraced rather than denied.
A number of enterprises, across sectors that ranged from media and pharma to education and engineering, recently shared their experiences of BYOD with I-CIO. So what can these pioneers teach other IT leaders looking to start exploiting the cost savings and flexibility BYOD that proponents claim is in easy reach?
The media firm
A few years ago, Noah Broadwater, CTO of Sesame Workshop, noticed an alarming tendency in his organization. Employees at the New York City-based educational media company where he works, most famous for the children’s TV show Sesame Street, were buying almost any device they liked for use in the workplace and having the cost of it signed off on expenses by their departmental managers.
Stunned, Broadwater went to his CFO and told him, “You’ve got a huge problem. You have a lot of people buying a lot of devices that aren’t being inventoried — and it’s costing you a lot of money.”
Broadwater offered a two-step solution to his board. First, he implemented a policy where users could select a device from an approved list (as long as they had a valid business case for needing one). This would then be purchased at a reduced rate by his organization. Then, he allowed users to bring their own devices into the workplace, where they would be fully supported by his IT department.
Either way, Broadwater points out, the business saved money, and employees were able to use the IT they needed to do their jobs effectively in a secure, managed environment. “We all know consumers in every organization are bringing their own devices into the office. This is something that happens every day whether we like it or not,” he says. “So we decided we would leverage this change.”
A key first step along the path to BYOD for Sesame Workshop has been to establish simple, easily understood policies to ensure difficulties related to device management are pre-empted. Every employee who wants to participate in the BYOD scheme has to attend two lunchtime training sessions where the policy is clearly set out, for example. Explains Broadwater: “We say, ‘You can use your own device, but here are the rules if you do. This is what you agree to: If you lose it, we’re wiping your whole device. Are you OK with that?’ Most employees say yes. For those who don’t, we say, ‘OK, you don’t get to use your own device.’ It’s that simple.”
Such clarity, combined with user input, is key when devising a policy, he advises. “Don’t create policies that look like a lawyer wrote them, or are 10 pages long that nobody’s going to read. Have your users help you draft it, and create something that’s easy to understand.”
And he sums up, forthrightly, “IT is there to serve the company. Saying ‘no’ keeps the company from doing its business. Saying ‘yes’ or ‘maybe’ or ‘let’s find a better solution’ gets the company to do their business better.”
Or, as he sums up: “It’s time to stop the ‘no’.”The pharmaceutical company
Brian Katz, global head of mobility engineering at French pharmaceutical giant Sanofi says he has also fully embraced BYOD. For him, the approach is rooted in the conviction that IT exists first and foremost to enhance business performance. “We’re all about enablement,” he stresses. “You partner with the business, you figure out what their need is, and that’s how you move forward — because if you don’t, you’re not going to be the IT [provider] for the company much longer. The business is going to go around you.”
Katz explains that his company’s BYOD policy, like many others, lists precisely which devices will or will not be supported — via its mobile device management solution — and this depends on the degree to which it is possible to remotely manage the hardware. “We figure out the capabilities of each device, and let people know up front, ‘You buy this one and you’re fully supported in our ecosystem; you buy this other one and all we’re giving you is email,’” he explains. “We found that very quickly people moved themselves to a device that’s supported.”
Katz has a clear understanding of the reasons why such a situation may occur in the first place: “When it comes to an application they’re using that you don’t know about, it’s for one of two reasons,” says Katz. “Number one, the application you offered them is what I call a ‘crapplication’ and they don’t want to use it — and let’s be clear, a crapplication is anything that’s got a UI or UX that makes it harder for you to do your work. Or, number two, you don’t offer something.”
Simply telling the employee to stop using the application is not an option, says Katz. “You’ve got two choices,” he argues. “You can say, ‘Let’s take a look at your solution,’ or, ‘Let’s see if we can offer a better one that fits our corporate policy better.’ But you have to do one or the other.”
The engineering multinational
Meanwhile Steve Damadeo, US IT operations manager at German engineering multinational Festo, is finding that employees are increasingly approaching his helpdesk expecting support for applications or services that they have deployed without IT’s knowledge. He strongly believes that turning away such users is counterproductive in the long run.
“There really is, in my opinion, no line between supporting the application and supporting the device. It’s supporting the individual,” he says. “You really need to say, ‘I understand this is not where it came from, but we’re going to do what we can to help you.’ My people are given the responsibility to support as much as they can. The words that are most likely to get someone screamed out of my office are ‘It’s not my job.’”
Security is, of course, a big barrier for many CIOs. An increasingly common solution is to shift the emphasis on security away from the hardware at the periphery and towards the place where business value is really created: corporate data. Damadeo agrees – and offers some simple, pragmatic advice on how to get there: “Secure the data, not the device. You don’t really have control over the device security except for some minor elements. What you do control is your data, and that is the crown jewels of your environment. That is what is going to make your money and what differentiates you from your competition.”
George Baroudi, CIO of Long Island University (LIU), one of the largest private academic institutions in the US, follows a similar approach. His organization recently gave iPads to 16,000 of its students — as long as they paid their tuition fees on time and provided the necessary paperwork required to study at the university, such as vaccination certificates. Because LIU holds a lot of sensitive data — proprietary research as well as student records containing sensitive academic, financial and medical information — security is of paramount importance to the organization.
Baroudi’s solution has been to secure all sensitive data in a private cloud that can only be accessed by approved users on approved devices. And by maximizing the chances that students are using devices deployed by the organization — even though ownership, and therefore maintenance costs, are passed on to the students themselves — management of the program has been relatively straightforward. “We made sure that all the devices are configured in such a way that we know who’s looking at the information,” he says. “The enterprise can control every breath they take if they are on our cloud.”
Another benefit of the iPad deployment, Baroudi finds, is decreased use of memory sticks (which, of course, cannot be plugged into an iPad). “One of the biggest problems in our sector is that somebody can walk up to any machine, plug in their USB key and walk away with all the information on that device. But that is no longer an issue,” says Baroudi.
When embarking on LIU’s BYOD program, Baroudi admits that his own CSO was the hardest person to persuade that this was the right policy to adopt. He advocates involving the security team from the outset, but, ultimately, not allowing security to get in the way of the huge benefits BYOD makes possible. “The CSO has to be told, ‘Figure it out instead of slowing it down,’” he says.
Many commentators suggest that BYOD can be a way to foster grass-roots innovation – and it seems in Baroudi’s case, this is no empty slogan. “Faculty were quick to innovate,” he confirms. “For example, some started classes on digital photography through the cloud.”
Although this kind of autonomous action caused a few problems for IT that had to be resolved (some of the apps deployed had not yet been cleared for security, for example), he considers this a small price to pay in return for the added business value created.