Wireless - Mastering Mobile Madness

You like to be in control. What executive doesn’t? But mobile and wireless devices, for all their potential and allure, introduce an element of lawlessness to your carefully crafted systems. They take data outside the walls of the enterprise, and the moat you’ve dug around your digital castle—the hardwired firewalls and virus protection that guard your desktops—means less than nothing to them.

And there’s no controlling the demand for these handy new gadgets. Everyone wants a Wi-Fi-enabled laptop or handheld so they can e-mail their colleagues while sitting in the airport lounge or access critical sales applications on their network while meeting with customers. And now everyone wants a smart phone, a converged device that combines cell phone and handheld functions. At worst, these gadgets are status symbols. At best, they increase your workforce’s agility and improve productivity. And since all these geegaws have become relatively cheap, how can you say no?

But the problem, says Richard LeVine, global lead for mobile security at Accenture, is that CIOs can only “try to align [their policies] with the users or butt heads with them.

“And if you butt heads, the users are just going to go around you.”

What CIOs need desperately is a strategy for managing mobile and wireless devices. Elements of a good strategy include: first identifying if there’s a business need for a device; segmenting your employees by job function; deciding on a list of devices that IT will (and will not) support; and last, devising a training plan for users and help desk staffers as well as enforcement mechanisms that will ensure device security.

If you try to fly without such a plan, you’re sure to end up sitting amidst the charred ruins of a security and privacy disaster. Cautionary examples are multiplying daily. The recent incidence of laptop loss and theft—including the MCI financial analyst’s laptop that went missing in April 2005 containing 16,500 names and Social Security numbers of current and former MCI employees—underscores the importance of securing devices with much more than a password. And then there’s one of the more infamous accounts of BlackBerry boneheadedness: the Morgan Stanley exec who sold his dead BlackBerry on eBay for $15.50 after he left the company. Turns out the batteries had just run out, and the new owner found hundreds of confidential Morgan Stanley e-mails still on the handheld.

“If you allow people to bring in devices off the street, you are going to have a loss of control,” says John Killeen, director of global network systems at UPS, which supports nearly 200,000 wireless devices worldwide. “You need policy, standards and enforcement.”

If CIOs can maintain a visible and enforceable policy, and involve users in the process from start to finish, then the security of the devices will almost take care of itself. “At least 70 to 80 percent of adherence to corporate security policies is self-enforced by the people,” says Roger Entner, vice president of wireless telecom company Ovum. “If they have a positive attitude, you will have much more cooperation [with security].”

What follow are lessons from CIOs in four industries that cover the entire lifecycle of mobile and wireless devices. Through some preplanning, risk management and training, they’ve gained a measure of control over mobile devices while still allowing their employees enough flexibility to get their jobs done. “Our challenge is to support multiple devices with multiple operating systems and capabilities so [that our users] are not constrained by the device,” says Steve Novak, CIO of law firm Kirkland & Ellis.

Which sounds like a goal to which every CIO can subscribe.

Do the Cost-Benefit Analysis

When CIOs begin evaluating a mobile and wireless device, they must first ask themselves, Is there a business need?

“You have to look at the benefit of what that person can get with the tool versus the added overhead cost of accommodating the tool,” says Brian Bonner, CIO of Texas Instruments (TI). Bonner and TI take a pretty hard line on adhering to their mobile device standards. TI’s users know that if a new toy doesn’t correlate to TI’s customer base or products, or if it creates an unnecessary risk, then Bonner isn’t going to go for it. “It has to relate to how we serve a customer better or get a product to market quicker,” he says.

So if the cost of the device, or the risk it generates, doesn’t equal the business benefit, CIOs should just say no.

“It’s no different than use of desktop PCs or laptops,” says Eric Maiwald, a senior analyst for Burton Group who published an extensive report in March on handheld device security. “CIOs should use those same requirements and analyses with handhelds.” In the Burton Group report, Maiwald points out that handheld devices are expensive for companies, both in terms of the direct cost of the devices as well as the added costs of protective mechanisms, such as encryption and authentication features, to secure them. “The use of handheld devices may increase employee productivity, but it may also increase the risk to the organization,” he says.

So just what devices should CIOs roll out? Today’s untethered knowledge worker usually needs a wireless laptop, and a handheld and cell phone—or a smart phone. Sales of mobile PCs, PDAs and phones grew 66 percent in 2004, according to In-Stat/MDR, and 90 percent of laptop PCs are now shipped with WLAN cards. Also appearing on the CIO’s radar: camera phones, tablet PCs, Wi-Fi broadband connections for home workers, handheld scanners and RFID devices, and new hybrid Wi-Fi/cell phones arriving in North America from Asia.

Clearly, CIOs have a lot of options and need to decide which device will work best, what capabilities are needed, what security features will be critical and where the hidden costs lie.

For example, David Rensin, CEO of wireless and mobile consultancy Reality Mobile, says that the first step most companies take is to offer a wireless e-mail solution, frequently the BlackBerry. What happens next is that one group in the company will decide that having access to, say, the CRM system through a Treo device would really improve productivity. And then you end up with what Rensin calls “mixed deployments” in which the various devices don’t share a common infrastructure. BlackBerrys require a BlackBerry Enterprise Server, while Treos usually use a GoodLink server. Rensin says that’s why the deployment of multiple device types can double costs.

On the flip side, Burton Group’s Maiwald says, while handhelds have a number of communication options, not all of them may be necessary. For example, a device that a salesman for a distribution company uses to take orders from customers may not need WLAN connectivity if the orders can be synchronized when the salesman returns to the office. “The added communication capability may introduce a higher cost and [security] risk without materially benefiting the organization,” Maiwald asserts.

Decide Who Tests What and When

Deciding who should be in the beta testing group is just as important as what device the group will test. “The first group of guys [in the beta test] is always the technology savvy, geeky testers,” Rensin says. “That’s usually a recipe for disaster.” The problem is that the geeks will troubleshoot problems on their own and make sure whatever you give them works. “The last guy you want to do the testing is the technology geeky guy,” Rensin says.

CIOs should divide their users into buckets. Here’s how Rensin breaks it down: First, the techno-geek power users. Second, the adventurers willing to try the new gadget. Third, the executive and management ranks. And fourth, the Luddites who will probably fight using it all the way. Then, take a small group (anywhere from 3 percent to 5 percent of the total) from two of the buckets—the adventurers and executive/managers—train them, and have them test the device over a couple of weeks, using it for at least 15 minutes a day. Next, survey them regularly about how the device is working. Here CIOs can look for patterns in features that aren’t working. If all goes well, then CIOs can start rolling out to the other buckets, saving the power users—the geeks—for last.

At Texas Instruments, Bonner set up a group for testing mobile devices three years ago. By design, it’s a combination of average users from marketing, sales and other knowledge workers, as well as some technical staffers. “You don’t just want gearheads,” he agrees.

Bonner’s group has been able to keep tabs on the needs of the users and decide on appropriate devices and testing mechanisms. For example, the group discovered that because TI is a global operation, any new smart phone would need functionality that could work for both voice and data all over the globe. “And when they traveled,” says Bonner, “people wanted to carry just one device.”

Segmenting your employees also allows CIOs to designate who will get what device, as well as what kind of access to the network and applications each employee will have. “You don’t just willy-nilly give the devices out. You have to do the proper requirements analysis [of each group],” says Burton Group’s Maiwald.

When Less Is More

Today’s users are clamoring for even greater wireless access to corporate databases. Gartner estimates that 60 percent of Global 2000 workers have mobile access to corporate applications.

So does the executive suite really need souped-up laptops with access to CRM and the latest finance metrics, or can they make do with just a BlackBerry or Treo with e-mail and calendar access? “Most executives are oblivious to the security challenges,” Ovum’s Entner says. “You have to disarm all the security stuff because the executive can’t figure out how to work it.”

Therefore, less device (and less functionality) is becoming the norm, though security challenges persist because the smaller the device in physical size, the more easily it can be lost. Just because a device may be small doesn’t mean it’s any less important to secure.

At UPS, Killeen, as well as most of the top executives, have recently switched from laptops to either a BlackBerry or Treo handheld for purely functional reasons—the new devices enable execs to securely and easily check their e-mail, schedules and the Web, and make phone calls. Killeen’s segmentation plan is simple: If the user’s primary need is to access e-mail and the Web, she gets a smart phone. If the user needs to access business applications to do her job, she gets a laptop. “I don’t use my laptop any longer,” says Killeen, who has deployed about 3,000 BlackBerrys and 500 Treos.

Killeen has rolled out BlackBerrys to 1,800 field technicians in UPS’s 2,400 facilities. “Before, they were running around with what we called utility belts—cell phones, pagers, all kinds of devices,” says Killeen. The BlackBerry performs all those various devices’ functions—voice, e-mail, access to intranet and work orders—in one device, and Killeen says the drivers are able to accomplish more while reducing wireless expenses by more than 10 percent.

The Standardization Wars

Pushing standardization too overtly may raise user hackles (it feels oppressive), and when it comes to deploying mobile and wireless devices, CIOs need to pick their battles carefully. The risk of alienating users (who, if frustrated, will try to go around IT with their own devices) is high. “You need to find a balance between minimizing the support costs and making your people happy and cooperative,” Entner says.

CIOs Bonner, Killeen, Novak and Intelsat’s Joe Kraus have all standardized on their laptop offerings—there’s no choice permitted there. “It allows us to eliminate one variability in the mobile device environment,” says Kirkland & Ellis’s Novak.

But for cell phones and smart phones, these CIOs offer options. For Novak, his strategy takes into account the realities of his industry. His law firm’s partners work with many clients, who have differing technology needs. So he tells his users what he can support now, letting them know that IT will do its best to work with the partners on any new device that they may need to use with a client. In return, he asks that his users let him know if they’re using a device that he hasn’t authorized. “What you don’t know will come back to haunt you, so we’re much more proactive,” Novak says. “We set expectations that IT is an open-minded organization.”

Right now, the firm officially supports BlackBerry devices, but Novak still provides limited support for Palm and Windows CE devices necessitated by attorney-client requirements. However, Palm and Windows CE users don’t necessarily get all the functionality of the BlackBerry. Right now, there’s no Palm and Windows CE device for

e-mail access that is supported by the firm. “You’re always seeing the latest and greatest technologies,” Novak says. “But what we’ve rallied around is standardization of what we can support.”

1 2 Page 1
Page 1 of 2
The CIO Fall digital issue is here! Learn how CIO100 award-winning organizations are reimagining products and services for a new era of customer and employee engagement.