BYOT, or bring your own technology, is more than code for “my CEO bought an iPad.” BYOT refers to a strategy for letting employees choose and purchase the devices they want to use to do their jobs—everything from PCs and laptops to smartphones and tablets. The machines belong to the employees, who take them along with them if they leave the company.
CIOs who enact BYOT policies are plowing new ground in the consumerization of IT. They seek to cut costs, perhaps — though whether the policy creates hard savings is debatable — and change the way IT and non-IT staff interact. They also expect to improve the productivity of both the IT staff—newly freed from some support tasks—and colleagues who should require less technical training if they use the same machines at home and at work.
Plus, BYOT can boost morale by acknowledging the growing demand from employees to use the technology they like over what IT wants to support, says Leslie Jones, CIO of Motorola Solutions, which since 2008 has reimbursed employees for one personal smartphone and allowed them to use the devices at work. BYOT is a “great acknowledgement of reality,” she says.
Some CIOs, however, say BYOT is a nonstarter: an empty idea that saves no money but brings potentially expensive security and control problems to corporate IT. Companies that offer full-fledged BYOT programs are still in the minority. In an exclusive survey of 476 IT leaders, we found that 69 percent don’t allow employees to buy their own equipment for work while just 24 percent do.
Yet of the 131 companies that allow BYOT, most only suggest which products employees should use, leaving the decision up to the individuals. Just 22 percent require employees to choose devices from a specific list. Another 38 percent let employees pick any devices they want.
Those intrepid CIOs face complex decisions about technology and policy, as well as challenges measuring the true value of BYOT. No one wants to create a BYOT program larded with rules and overhead; it’s supposed to simplify work life, after all. Plus, employees are pushing for freedom of choice as consumer devices outpace corporate ones in features and usability. Your mobile workers are tired of carrying around different machines for work and personal use. Whirlpool, for example, doesn’t want employees to feel they are taking a step down the technology ladder when they come to work, compared to the technology they use at home, says Daren Fairfield, a director in global information systems at the $18.4 billion appliance maker.
BYOT, ideally, helps merge an employee’s home and work life in a way that corporate IT can manage. But Mike Cunningham, CTO of Kraft Foods, says careful planning and methodical testing are necessary to draw conclusions about what needs to be controlled and what can be set free.
Some rules that already govern the use of corporate technology might translate directly to BYOT programs, such as prohibiting employees from using a device used for work to view notoriously insecure sites featuring gambling or pornography. But BYOT requires other nuanced considerations that go beyond the common sense called for in protecting a work-provided device that is occasionally used outside the office.
1. Don't balk for security's sake.
Squashing the BYOT idea because of security concerns is a knee-jerk reaction, says Doug Caddell, CIO at Foley and Lardner, a law firm where 400 iPads are in use as part of a BYOT program that started in February. (For more on Foley and Lardner’s BYOT program, see “The Inside Scoop on Foley & Lardner's BYOT Policy.”) “You hear a lot about why you can’t do something rather than why you can do something,” he says. Caddell has users protect their iPads with passwords, which he sets to time out after so many idle minutes. Generally, attorneys working with sensitive material are required to store documents on company servers, not personal devices, through Citrix or VMware. “Security is not insurmountable,” he says.
As personal devices get smarter and better able to store and do more with corporate data, they also become a bigger target for hackers, says Joe Oleksak, a security assurance and consulting manager at consultancy Plante and Moran. “Smartphones and tablets haven’t had antivirus and anti-malware programs installed to protect them. You’re seeing a big rush in malware writing to take advantage of that.”
The corporate network, however, can become a key means of enforcing security policy. For example, the network can detect which devices are running what antivirus and anti-malware tools and deny access to those that don’t comply with the company’s standards, Oleksak says.
2. Webify, virtualize and mobilize first.
Security concerns do mean that employees using their own laptops, tablets or smartphones for business should not store data locally. In-house counsel would hyperventilate should intellectual property be exposed when someone’s kid grabs mom’s laptop to Skype his pals about homework. This sort of threat may be equally possible with a work device that is allowed outside the office. But if a laptop is now viewed as personal property under a BYOT program, users may be tempted to forget company policies designed for security. Companies should be sure to re-emphasize that certain rules still apply, such as those pertaining to sharing a device.
The most secure solution is to permit access to data only through virtual, mobile or Web-based applications on central servers, on a secure network. Users should then also agree not to store data on their devices. The laptop—or tablet or smartphone or netbook—acts merely as an interface allowing a user to work with corporate information.
That architecture has to be in place before a CIO can consider implementing BYOT, says Whirlpool’s Fairfield. Whirlpool is testing BYOT with 200 employees and aims to get at least half the company’s users working in a virtual environment, regardless of whether they use their own device or one issued by the company, Fairfield says. Many companies are virtualizing applications anyway, to save on server and device costs, among other reasons. Virtualization makes all the more sense in a BYOT situation, Fairfield says. There is no sense in allowing BYOT without first having set up enterprise applications so they can be easily accessed by mobile devices, he adds. That means creating either Web versions—or at least Web interfaces to back-end systems—or purely mobile applications.
3. Get infrastructure in top shape.
Whirlpool’s pilot quickly showed Fairfield that data storage capacity needed to be upgraded to handle more data now that information that had been stored locally was being moved to central servers, he says. Connectivity interruptions have also occasionally cropped up. That’s a critical concern: If people aren’t connected to central applications and data, they can’t work. To cope, Whirlpool has asked local telecommunications carriers to prioritize their tower upgrades to improve access. “They’re cooperating, but can’t go as fast as we’d like them to,” he says. “Still, they are doing what they can to make heavy-traffic areas better.” As the IT infrastructure is tweaked, Fairfield plans to roll out BYOT to the rest of the company in waves over the next 18 months.
At Kraft, on the other hand, CTO Cunningham has noticed an improvement in network throughput. Because people in the program log in to the network and use their devices to access virtual applications and data stored centrally, there is far less data flowing out from servers than there is in a client-server setup, he says, making the network faster.
4. Decide who does what.
From the start, IT leaders must convey to BYOT participants that they, not IT, are responsible for learning about and caring for their smartphone, tablet or laptop, says Jared Mittleman, CTO at AG Semiconductor, a privately held company that resells machines for building computer chips. And some devices may be harder for IT to hook up to a corporate network than others.
For example, BlackBerrys are among the most commonly used devices at AG and are therefore some of the easiest to support. But Mittleman’s boss purchased an iPhone last year. Mittleman OK’d the purchase—wouldn’t you?—but explained that accessing corporate applications may be bumpy because IT was inexperienced with iOS. He also stipulated that his boss had to help work through any technical issues. “I’m a BlackBerry guy. I do my best. But you, as the BYOT owner, have to be willing to contribute. That’s the deal.”
At Foley and Lardner, employees are advised to purchase an extended warranty for their devices. The company also keeps loaners on hand for when personal machines are being repaired. “Attorneys can’t be without a computer,” Caddell says.
5. Say no sometimes.
While 800 employees participate in the BYOT program at the $49.2 billion Kraft Foods, not everyone can partake. At factories, for example, workers have to use specific computers to control the making of cereal or macaroni, Cunningham says. “We’re not going to have someone showing up at plant and plugging [a personal device] into our production line.”
Legal and human resources staff who work with sensitive, confidential information will likely need to use fully loaded, company-issued machines to protect and store that data. Working with a thin client, such as a tablet or netbook, over a network may not be feasible. Generally, it’s your remote and mobile staff—the ones more likely to be using mobile devices and laptops now, such as field managers, salespeople and marketing staff—that are the first and best candidates for BYOT programs.
6. Indoctrinate — politely, of course.
Careful training is a must, either one-on-one or in small groups, before anyone connects a personal device to the corporate network. Users eager to fire up their snazzy new machines must first understand the Dos and Don’ts of the BYOT policy, Mittleman says.
Automated training makes it too easy to breeze through and miss critical security considerations. IT staff should look people in the eyes and know that they get it, he says. Oleksak, the security consultant, agrees a passive approach to training puts your company at risk. “Your users are your weakest link,” he says. “They have physical control of the device and logical access to corporate data. They are the front lines against attack.”
Whirlpool is finalizing its policy as it continues its pilot. The document will stipulate that users keep data on servers and not stored on their devices, Fairfield says. However, in cases where a user may leave data on his smartphone, the policy will advise that it be stored in folders separate from personal information. That way, if the phone is lost or stolen or the employee leaves Whirlpool, it can be cleanly wiped of corporate data remotely, leaving personal data in place. Motorola’s policy includes similar provisions.
Another good practice: State that although the device is personal, the employee agrees not to visit sites known for spreading malware, such as pornography and gambling sites, Oleksak says. And iPhone and iPad users must agree not to jail break their devices to install software that hasn’t been vetted by Apple, he advises. “That’s how intruders gain access.” Likewise, users of Android and other devices should understand that Flash is a common way for hackers to deliver malware, so avoid Flash-heavy sites, he suggests.
After those sessions, though, CIOs expect to do less training than they did historically when introducing new technology. Fairfield expects a more rapid adoption thanks to people working with a smaller number of interfaces. The company now supports 48,000 different desktop computing configurations. The huge variety is caused by employees frequently downloading software from the Internet. “To get that number down to a standard set of virtual applications administered centrally will be a huge performance and productivity improvement,” Fairfield says.
7. Decide who pays and how much.
Whirlpool is contemplating offering a reimbursement of a few hundred dollars for a personally purchased device; the company hasn’t finalized the total amount per employee yet. Also being debated is whether it would be a one-time payment or on a refresh cycle of every few years, similar to a traditional PC upgrade cycle. One of Fairfield’s concerns is fairness. “Executives can afford it, but for people in our plants who need laptops, to spend a few thousand dollars is a major purchase for them.” Fairfield and his team are also considering offering company-issued netbooks that cost just a few hundred dollars but would remain corporate assets.
Foley and Lardner offers reimbursement of up to $3,800 every three years, rather than a stipend, which is considered taxable income for the individual. “All of a sudden you see something on your W-2 and you’re not a happy camper,” Caddell says. CIOs should confer with the accounting department about how best to administer the funds for BYOT programs, he says.