Wireless – Mastering Mobile Madness

You like to be in control. What executive doesn’t? But mobile and wireless devices, for all their potential and allure, introduce an element of lawlessness to your carefully crafted systems. They take data outside the walls of the enterprise, and the moat you’ve dug around your digital castle—the hardwired firewalls and virus protection that guard your desktops—means less than nothing to them.

And there’s no controlling the demand for these handy new gadgets. Everyone wants a Wi-Fi-enabled laptop or handheld so they can e-mail their colleagues while sitting in the airport lounge or access critical sales applications on their network while meeting with customers. And now everyone wants a smart phone, a converged device that combines cell phone and handheld functions. At worst, these gadgets are status symbols. At best, they increase your workforce’s agility and improve productivity. And since all these geegaws have become relatively cheap, how can you say no?

But the problem, says Richard LeVine, global lead for mobile security at Accenture, is that CIOs can only “try to align [their policies] with the users or butt heads with them.

“And if you butt heads, the users are just going to go around you.”

What CIOs need desperately is a strategy for managing mobile and wireless devices. Elements of a good strategy include: first identifying if there’s a business need for a device; segmenting your employees by job function; deciding on a list of devices that IT will (and will not) support; and last, devising a training plan for users and help desk staffers as well as enforcement mechanisms that will ensure device security.

If you try to fly without such a plan, you’re sure to end up sitting amidst the charred ruins of a security and privacy disaster. Cautionary examples are multiplying daily. The recent incidence of laptop loss and theft—including the MCI financial analyst’s laptop that went missing in April 2005 containing 16,500 names and Social Security numbers of current and former MCI employees—underscores the importance of securing devices with much more than a password. And then there’s one of the more infamous accounts of BlackBerry boneheadedness: the Morgan Stanley exec who sold his dead BlackBerry on eBay for $15.50 after he left the company. Turns out the batteries had just run out, and the new owner found hundreds of confidential Morgan Stanley e-mails still on the handheld.

“If you allow people to bring in devices off the street, you are going to have a loss of control,” says John Killeen, director of global network systems at UPS, which supports nearly 200,000 wireless devices worldwide. “You need policy, standards and enforcement.”

If CIOs can maintain a visible and enforceable policy, and involve users in the process from start to finish, then the security of the devices will almost take care of itself. “At least 70 to 80 percent of adherence to corporate security policies is self-enforced by the people,” says Roger Entner, vice president of wireless telecom company Ovum. “If they have a positive attitude, you will have much more cooperation [with security].”

What follow are lessons from CIOs in four industries that cover the entire lifecycle of mobile and wireless devices. Through some preplanning, risk management and training, they’ve gained a measure of control over mobile devices while still allowing their employees enough flexibility to get their jobs done. “Our challenge is to support multiple devices with multiple operating systems and capabilities so [that our users] are not constrained by the device,” says Steve Novak, CIO of law firm Kirkland & Ellis.

Which sounds like a goal to which every CIO can subscribe.

Do the Cost-Benefit Analysis

When CIOs begin evaluating a mobile and wireless device, they must first ask themselves, Is there a business need?

“You have to look at the benefit of what that person can get with the tool versus the added overhead cost of accommodating the tool,” says Brian Bonner, CIO of Texas Instruments (TI). Bonner and TI take a pretty hard line on adhering to their mobile device standards. TI’s users know that if a new toy doesn’t correlate to TI’s customer base or products, or if it creates an unnecessary risk, then Bonner isn’t going to go for it. “It has to relate to how we serve a customer better or get a product to market quicker,” he says.

So if the cost of the device, or the risk it generates, doesn’t equal the business benefit, CIOs should just say no.

“It’s no different than use of desktop PCs or laptops,” says Eric Maiwald, a senior analyst for Burton Group who published an extensive report in March on handheld device security. “CIOs should use those same requirements and analyses with handhelds.” In the Burton Group report, Maiwald points out that handheld devices are expensive for companies, both in terms of the direct cost of the devices as well as the added costs of protective mechanisms, such as encryption and authentication features, to secure them. “The use of handheld devices may increase employee productivity, but it may also increase the risk to the organization,” he says.

So just what devices should CIOs roll out? Today’s untethered knowledge worker usually needs a wireless laptop, and a handheld and cell phone—or a smart phone. Sales of mobile PCs, PDAs and phones grew 66 percent in 2004, according to In-Stat/MDR, and 90 percent of laptop PCs are now shipped with WLAN cards. Also appearing on the CIO’s radar: camera phones, tablet PCs, Wi-Fi broadband connections for home workers, handheld scanners and RFID devices, and new hybrid Wi-Fi/cell phones arriving in North America from Asia.

Clearly, CIOs have a lot of options and need to decide which device will work best, what capabilities are needed, what security features will be critical and where the hidden costs lie.

For example, David Rensin, CEO of wireless and mobile consultancy Reality Mobile, says that the first step most companies take is to offer a wireless e-mail solution, frequently the BlackBerry. What happens next is that one group in the company will decide that having access to, say, the CRM system through a Treo device would really improve productivity. And then you end up with what Rensin calls “mixed deployments” in which the various devices don’t share a common infrastructure. BlackBerrys require a BlackBerry Enterprise Server, while Treos usually use a GoodLink server. Rensin says that’s why the deployment of multiple device types can double costs.

On the flip side, Burton Group’s Maiwald says, while handhelds have a number of communication options, not all of them may be necessary. For example, a device that a salesman for a distribution company uses to take orders from customers may not need WLAN connectivity if the orders can be synchronized when the salesman returns to the office. “The added communication capability may introduce a higher cost and [security] risk without materially benefiting the organization,” Maiwald asserts.

Decide Who Tests What and When

Deciding who should be in the beta testing group is just as important as what device the group will test. “The first group of guys [in the beta test] is always the technology savvy, geeky testers,” Rensin says. “That’s usually a recipe for disaster.” The problem is that the geeks will troubleshoot problems on their own and make sure whatever you give them works. “The last guy you want to do the testing is the technology geeky guy,” Rensin says.

CIOs should divide their users into buckets. Here’s how Rensin breaks it down: First, the techno-geek power users. Second, the adventurers willing to try the new gadget. Third, the executive and management ranks. And fourth, the Luddites who will probably fight using it all the way. Then, take a small group (anywhere from 3 percent to 5 percent of the total) from two of the buckets—the adventurers and executive/managers—train them, and have them test the device over a couple of weeks, using it for at least 15 minutes a day. Next, survey them regularly about how the device is working. Here CIOs can look for patterns in features that aren’t working. If all goes well, then CIOs can start rolling out to the other buckets, saving the power users—the geeks—for last.

At Texas Instruments, Bonner set up a group for testing mobile devices three years ago. By design, it’s a combination of average users from marketing, sales and other knowledge workers, as well as some technical staffers. “You don’t just want gearheads,” he agrees.

Bonner’s group has been able to keep tabs on the needs of the users and decide on appropriate devices and testing mechanisms. For example, the group discovered that because TI is a global operation, any new smart phone would need functionality that could work for both voice and data all over the globe. “And when they traveled,” says Bonner, “people wanted to carry just one device.”

Segmenting your employees also allows CIOs to designate who will get what device, as well as what kind of access to the network and applications each employee will have. “You don’t just willy-nilly give the devices out. You have to do the proper requirements analysis [of each group],” says Burton Group’s Maiwald.

When Less Is More

Today’s users are clamoring for even greater wireless access to corporate databases. Gartner estimates that 60 percent of Global 2000 workers have mobile access to corporate applications.

So does the executive suite really need souped-up laptops with access to CRM and the latest finance metrics, or can they make do with just a BlackBerry or Treo with e-mail and calendar access? “Most executives are oblivious to the security challenges,” Ovum’s Entner says. “You have to disarm all the security stuff because the executive can’t figure out how to work it.”

Therefore, less device (and less functionality) is becoming the norm, though security challenges persist because the smaller the device in physical size, the more easily it can be lost. Just because a device may be small doesn’t mean it’s any less important to secure.

At UPS, Killeen, as well as most of the top executives, have recently switched from laptops to either a BlackBerry or Treo handheld for purely functional reasons—the new devices enable execs to securely and easily check their e-mail, schedules and the Web, and make phone calls. Killeen’s segmentation plan is simple: If the user’s primary need is to access e-mail and the Web, she gets a smart phone. If the user needs to access business applications to do her job, she gets a laptop. “I don’t use my laptop any longer,” says Killeen, who has deployed about 3,000 BlackBerrys and 500 Treos.

Killeen has rolled out BlackBerrys to 1,800 field technicians in UPS’s 2,400 facilities. “Before, they were running around with what we called utility belts—cell phones, pagers, all kinds of devices,” says Killeen. The BlackBerry performs all those various devices’ functions—voice, e-mail, access to intranet and work orders—in one device, and Killeen says the drivers are able to accomplish more while reducing wireless expenses by more than 10 percent.

The Standardization Wars

Pushing standardization too overtly may raise user hackles (it feels oppressive), and when it comes to deploying mobile and wireless devices, CIOs need to pick their battles carefully. The risk of alienating users (who, if frustrated, will try to go around IT with their own devices) is high. “You need to find a balance between minimizing the support costs and making your people happy and cooperative,” Entner says.

CIOs Bonner, Killeen, Novak and Intelsat’s Joe Kraus have all standardized on their laptop offerings—there’s no choice permitted there. “It allows us to eliminate one variability in the mobile device environment,” says Kirkland & Ellis’s Novak.

But for cell phones and smart phones, these CIOs offer options. For Novak, his strategy takes into account the realities of his industry. His law firm’s partners work with many clients, who have differing technology needs. So he tells his users what he can support now, letting them know that IT will do its best to work with the partners on any new device that they may need to use with a client. In return, he asks that his users let him know if they’re using a device that he hasn’t authorized. “What you don’t know will come back to haunt you, so we’re much more proactive,” Novak says. “We set expectations that IT is an open-minded organization.”

Right now, the firm officially supports BlackBerry devices, but Novak still provides limited support for Palm and Windows CE devices necessitated by attorney-client requirements. However, Palm and Windows CE users don’t necessarily get all the functionality of the BlackBerry. Right now, there’s no Palm and Windows CE device for

e-mail access that is supported by the firm. “You’re always seeing the latest and greatest technologies,” Novak says. “But what we’ve rallied around is standardization of what we can support.”

UPS’s Killeen has pushed hard on standards for the past several years, after spending years with none and hooking everyone’s PDA into their Outlook e-mail application if they so desired. “What happens is that when there are problems, it’s a support nightmare for those company devices that aren’t really company devices,” Killeen says. He now supports BlackBerrys and Treos, and employees can either buy their own or, if it’s a part of their job, UPS buys it for them. “Devices will change constantly,” Killeen says. “And we don’t want to be in the device business.”

For his tens of thousands of cell phones, Killeen and other CIOs take a firmer approach. “People at UPS cannot purchase a cell phone unless they come through us,” he says. “My organization has established contracts with carriers, and everybody’s got to abide by us.”

These CIOs also make it clear that if an employee wants to purchase a non-IT-approved device, they’re on their own if it breaks or fails to work the way they want it to. That’s part of the enforcement function. But that’s not to say that, once a CIO makes a decision on a standard, nothing can change. “If there’s a new need for a product set, we’ll jump on it,” TI’s Bonner says. “Being a high-technology company, we have a lot of savvy users, and we try to run faster than them.”

Running faster also means keeping pace with the security functions that should be on the devices. One of the most critical functions is being able to wipe a device remotely if it’s lost or stolen. According to the Burton Group report, all data can be removed from a handheld device, such as a BlackBerry, by doing a hard reset. For a remote wipe, an administrator sends a command to the device to perform a hard reset, or the administrator can set a policy that a hard reset will occur after a specified number of failed attempts at logging on.

Other risk considerations for CIOs include making sure that basic power-on passwords are on the devices, encrypting wireless transmissions that contain sensitive corporate information, and ensuring that employee devices don’t have cameras on them that they can bring into the office. The camera phone is the CIO’s latest bane. Do you want customer service people taking photos of customer information? Bonner doesn’t want employees taking snapshots of new design work. His policy is simple: “You can’t have that,” so phones need to be shut off when an employee enters the office.

Security and Enforcement

How much training CIOs should do is dependent on how technically proficient their workforce is. For TI’s Bonner, making his users sit through two hours of how to operate their new cell phone or smart phone would be a waste of time, not to mention insulting. Novak’s lawyers simply won’t make the time.

In organizations where users may not be quite so sophisticated (or difficult), CIOs should offer as much training as the user base needs. “Training costs time on the front end, but it really saves a lot of time on the back end because you don’t have 25 people asking questions later, one by one,” Ovum’s Entner says.

CIOs have to ensure that users know how important it is that they follow security guidelines—regardless of their computer proficiency. “You don’t raise your children by yelling at them constantly,” says Accenture’s LeVine. “You explain to them, If you use this device in a compromised way, you may sink the firm and lose your job and your retirement.” That’s not hyperbole, LeVine says, just reality.

This past summer, Intelsat’s Kraus held an information security awareness day for all employees of the satellite communications company, where he made sure that everyone knew about virus protection, identity and password management, wireless devices and protecting home PCs. At his law firm, Novak says he spends a lot of time in coaching sessions for security best practices. He also sends out e-mails of tech tips that take users no more than 10 minutes to read. “Once you can explain in business terms why this is important, they can carve out the time to read it,” he says.

CIOs also need to make sure that the help desk is well-versed in these new devices before they’re rolled out to a single user. “That’s where the disconnect happens,” says Reality Mobile’s Rensin. Far too often, the help desk gets thrown the BlackBerry or Treo training manual after the fact, and then they have to learn it while dealing with cranky users. Time and money lost in that process may be hard to quantify but “there’s never any way to recover it,” Rensin adds.

Enforcement of a device security policy is one of the biggest pieces of any overall mobile device strategy, especially in light of regulations such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley. If CIOs are going to “allow these devices, then they need to make sure their policies are enforced,” says Maiwald.

One way to enforce a security policy is to track rogue devices, especially if you’ve decided not to allow any unapproved devices on the network. Tracking requires security software that can, for example, scan for unauthorized device-to-desktop synchronization, or unauthorized devices accessing your network through your wireless LAN.

If such a policy is in place but is not enforced, the risk to the organization may be greater than if the organization were to simply ignore the problem. That’s because the existence of the policy may give the enterprise (and the CIO) a false sense of security, Maiwald writes in the Burton Group report. And if any employee leaves the company, CIOs have to make sure that his device has been wiped clean of all company information. (See “When the Bits Bite the Dust” for more on wiping hard drives clean at www.cio.com/100105.)

In the end, any mobile device “is only as secure as the human operating it,” Ovum’s Entner says. “No amount of software can change that.”