Summary:Say BYOD, and CIOs cringe. They complain of security, supporting a flood of devices and losing control. But the CIO of Essar Group just proved his peers wrong. Here\u2019s how.Highlights:Prabhu realized that allowing people to bring and manage their own devices would help IT too. It would allow the IT team to focus on strategic innovation instead of fixingTo make his BYOD strategy successful, Prabhu also needed to ensure he fulfilled all user needs. Like checking if users could multi-task on their devices. Reader ROI:Why you need a BYOD StrategyStriking a balance between security and User ExperienceHow VDI can helpIf there\u2019s anything that\u2019s defined our political and corporate lives in recent times, it\u2019s people power. So much so that it\u2019s beginning to influence how countries are run and how business is done.Ask IT leaders of corporate India, who are in the midst of a consumer-powered IT revolution, under the less sexy title, BYOD (Bring Your Own Device).According to a 2010 IDC-Unisys report, consumer-powered IT is being touted as the principal driver behind the fourth wave of corporate productivity. The first wave was inspired by Henry Ford's invention of the assembly line (between 1908 and 1915). The Japanese collaborative model, Kaizen, was the second wave. The third was driven by the Chinese model of mass production, low prices and global domination.Today, the fourth wave is driven by a network of constantly connected workers. A network connected by mobiles, laptops, smartphones and the like.It\u2019s a market that\u2019s exploding. IDC predicts that the smartphone market will grow by nearly 50 percent in 2011, taking the number of smartphone users to over 450 million. It's only a matter of time, say experts, before a large number of these consumer devices find their way into enterprises.But that\u2019s a problem. While employees are enthused at the prospect of bringing their preferred device to work, CIOs aren\u2019t too excited about losing control. An IDC report points out that 95 percent of employees use self-purchased technologies for work,but a majority (70 percent) of CIOs still want to buy standardized technologies for their employees.But one CIO in the minority\u2014and from the not-so-technology-savvy manufacturing sector\u2014set out to prove that the majority isn\u2019t always right.The Essar WayIn early 2010, BYOD was still a new kid on the block, but N. Jayantha Prabhu, CTO, Essar Group, was picking up early signs of this disruptive trend. It was a trend that was hard to ignore in an organization where the average age of employees ranges between 28 to 30 years. Prabhu realized that this squad of power users was far ahead of their peers when it came to adopting whiz-bang technology.\u201cThe younger generation may not mind putting in an extra hour of work, but they expect the freedom to work from anywhere they wish, on devices that they are comfortable with,\u201d says Prabhu. \u201cDenying them that freedom could possibly lead to an unpleasant dissatisfied-users situation.\u201dAt the same time, Prabhu was also being pushed to provide C-level business users with anytime, anywhere access to data.And Prabhu realized that allowing people to bring and manage their own devices would help IT too. It would allow the IT team to focus on strategic innovation instead of fixingIT issues. Keeping the IT team enthused is an imperative at a time when attrition is rampant and work pressure is mounting. According to the Mid Year Review 2011, 46 percent of CIOs say that their IT departments are shrinking in size and about 18 percent state that their team sizes are likely to remain the same. Worse\u2014especially for Prabhu\u201446 percent of CIOs in the manufacturing sector confess to significantly increasing work pressure.For all those reasons, this was the right time for Prabhu to come up with a BYOD strategy. \u201cIt would free my IT resources from managing non-strategic assets and help me focus on high business value initiatives. It would also provide a more attractive and flexible workplace environment for employees and increase user productivity,\u201d says Prabhu.But what Prabhu set out to do would defy conventional wisdom. And that would take fighting the three devils of BYOD: Security, infrastructure and a flood of devices.Setting the StageFirst steps are hard. They shake you out of your comfort. For Prabhu, it meant stepping out of the four walls of his air-conditioned cabin.A walk down the work stations at Essar gave Prabhu a picture of employees\u2019 work profiles. He tried to figure out the kind of devices they were likely to adopt, and the applications that were critical to them. Based on user inputs, Prabhu sketched two different tables.One table listed the kind of devices that were the most common and likely to be adopted by a large number of users. Essar had an existing footprint of 3,500 company-owned Blackberries that were being managed by 15 Blackberry Enterprise Servers. Additionally, Prabhu chose the top three and most popular mobile platforms: iPhone OS, Blackberry and Android.In the second table, he prioritized the applications that needed support, starting with basics like e-mail, collaboration, productivity, and communications. And later, he would layer on more complex applications like BI dashboards and MIS reporting as per user requirements.Prabhu\u2019s seven-man technical innovation team set up a lab to test eight different devices at the same time. These devices included a desktop, a thin client, laptop, and a mix of various tablets and smartphones. \u201cEvery time a new device, OS or application enters our IT systems, we like to assume that the device is hostile till proven otherwise,\u201d says Prabhu.In early 2011, the team began testing the company\u2019s applications on various mobile platforms. Over the next one-and-a-half months, the IT team tested latency lags and developed user friendly interfaces.Finding its feet at Essar, Prabhu\u2019s BYOD strategy was just beginning to feel at home. Now it was time for some real action.Enter the DevicesThe BYOD concept is simple: Everyone is invited. But that makes life complicated for CIOs who struggle to support different devices, looking for ways to standardize.To handle these devices in their various avatars, says Prabhu, he would require a team of in-house experts to incessantly monitor every new OS and, \u201cmake adequate changes to make our applications compatible,\u201d he says.But that contradicted with one of the basic advantages of BYOD. The resources that Prabhu would have freed would now have to be directed towards managing application support\u2014not actively engaging in innovation.Prabhu found a way out. Because he was an early mover, Prabhu noted that most technology providers were eager to develop and test mobile and tablet-friendly versions of their products and check their compatibility with the enterprise.\u201cOver the years, these organizations have built the kind of infrastructure, R&D, support and skill-sets that would help us during the nascent stage of application, platform and infrastructure testing,\u201d says Prabhu.Companies like SAP and Apple readily agreed to Prabhu\u2019s proposal of constant knowledge sharing with the technical innovation team for app development, eliminating the need for an extensive in-house team. \u201cIt\u2019s a quid-pro-quo relationship. With active help from our technology partners, the actual amount of development done by us is minimal and the partners also get a platform to test how enterprise friendly their solutions are,\u201d says Prabhu.But handing the ropes of app development to his providers wasn\u2019t enough. To make his BYOD strategy successful, Prabhu also needed to ensure he fulfilled all user needs. Like checking if users could multi-task on their devices. So, his team tested a Blackberry Playbook with four windows open simultaneously, each one performing an independent task. They played a phantom movie, accessed e-mail, played a Need for Speed game and ran a local app, all at the same time. It worked like a charm.But Prabhu was yet to confront BYOD\u2019s biggest enemy.Don\u2019t Leave the Door Open\u2018Anything that can go wrong, will go wrong,\u2019 that\u2019s Murphy\u2019s Law and a party pooper for BYOD. Because the one thing that can go terribly wrong and scares CIOs away from BYOD is security. Prabhu was certain that he wouldn\u2019t go ahead with BYOD till he was sure that, \u201cthe security from our end was the closest to absolute,\u201d he says.That\u2019s a concern voiced by many of his peers. According to ISACA\u2019 2011 IT Risk-Reward Barometer report, 47 percent of businesses feel that the risks associated with employees using personal mobile devicesfor work activities outweigh the benefits.Prabhu knew that he needed a new weapon to fight security. And he didn\u2019t have to look further than desktop virtualization.\u201cThe surest way in which I could secure data transfer on mobile devices is through VDI because this prevents enterprise data from being stored on the user\u2019s personal device,\u201d says Prabhu.But VDI is expensive and it\u2019s often difficult for CIOs to prove ROI and get management buy-in. Fortunately for Prabhu, the year 2010 was refresh cycle time for over 15,000 users at Essar. Done the conventional way, the refresh cycle would lead to an investment of Rs 37.5 crore and the IT team would spend months securing data. And worse, the whole rigmarole would have to be repeated during the next refresh cycle.A VDI implementation would check-mate all of Prabhu\u2019s woes. It would save Essar from a large investment during the refresh cycle, all the while putting an end to security problems hindering his BYOD plans.With VDI, a client hypervisor sitting on a user\u2019s device generates a partition in the device, creating two virtual devices completely alienated from each other. The user logs into the Essar system from one virtual partition and gains access to enterprise and work related data. However, this partition prohibits users from saving any corporate data on their device due to restrictions enabled on the enterprise\u2019s virtual image. The other partition acts as the user\u2019s personal device independently allowing the user to download, multi-task and, run personal applications.Though VDI managed to reduce security issues, it replaced that with a different problem: Bandwidth. Many businesses have come to rely on leased lines to link remote offices back to the datacenter over the WAN. And these links are often shared by multiple technologies within the enterprise. Prabhu brought in WAN optimization and managed to reduce projected bandwidth requirement by 50 percent. Not only that, he had another smart move up his sleeve to put an end to bandwidth worries. He ensured that users accessed their e-mails and applications from a local VDI server sitting at their location and, \u201cIt\u2019s only when users travel that they are directed to access VDI over WAN,\u201d he says.Every time a new device, OS or application, enters our IT system, we like to assume that the device is hostile till proven otherwise.But VDI alone can\u2019t shield an enterprisewide BYOD project. Prabhu needed to increase his troops on guard. And those came in the form of Mobile Data Management (MDM), DLP and remote wipe tools. A digital certificate is installed on each mobile device for authentication purposes. Two- factor authentication allows users to gain secure access via a VPN and gives IT a record of user access behavior patterns. Applications other than e-mail may require additional forms of authentication. While these security tools take care of authentication and access, MDM efficiently manages mobile data through its lifecycle. It takes care of asset inventory, application deployment, patch management, data and voice usage and remote wipe. It also enables IT to deploy security policies on devices grouped by device type and OS. Prabhu also enjoys the freedom to customize security policies like application restriction, password restriction and camera usage. He also deployed DLP tools that use a combination of keywords and file property of a document to block sensitive information from leaving the organization. Prabhu didn\u2019t ignore the basics\u2014like data encryption\u2014either. This ensured that data from one end user device is not read on other devices due to device-specific encryption. But at the same time, Prabhu and his team acknowledge the fact that hardware and software are just one layer of security policy. Most security threats boil down to people, who become the weakest link. So, Prabhu wanted to devise a policy framework that encapsulates and communicates security guidelines to end users. Today, mobile device usage at Essar is governed by a contract. Users are required to sign the contract before they can add their devices to the enterprise\u2019s system. And that\u2019s extremely crucial for CIOs contemplating BYOD. \u201cCIOs should make it clear to users that the complete management of their devices, patching, upgrades and managing SLAs with their OEMs rest with the users,\u201d he says. To strengthen Essar's security posture, the IT team frequently shares in-mails and sends reminders to users, warning them of possible security threats. Currently, the project is being rolled out to about 5,000 users at Essar. In the coming six months to one year, Prabhu plans to extend more core applications like BI to mobile devices. Prabhu aims to allow employees to do much more on the devices they choose, from places they like to work, in a style that suits them best. \u201cBut most importantly, I wanted to build a forward looking organization for the younger employees, to provide them a work environment that does not restrict them from following harmless desires of freedom and endless opportunities,\u201d says Prabhu.Every time a new device, OS or application, enters our IT system, we like to assume that the device is hostile till proven otherwise.