For Dell Software CIO Carol Fawcett, "BYOD" is not about being an expert on every mobile device in the world; it's about giving workers secure access to the apps and data they need on whatever device they are using. Fawcett reveals more BYOD tips in this CIO.com Q&A.
By Tom Kaneshige
Shortly after the iPad debuted two-and-a-half years ago, the CEO of Quest Software (now Dell Software Group) arrived at work with an iPad wanting to hook it up to the network and receive sensitive email, such as Salesforce.com reports.
“That’s when we realized we had a problem,” says Carol Fawcett, CIO of Dell Software.
Like many CIOs, Fawcett suddenly had to deal with two trends hitting her corporate network at once: tablets and bring-your-own devices, or BYOD. She admits to stumbling early on by concentrating too much on devices but then quickly regained her footing by focusing on the end user.
This led to some 40 Web apps available to employees, depending on their roles. Employees can access apps, data and email on virtually any device running a popular browser. Fawcett believes that this kind of flexibility and freedom is vital to employee satisfaction in the new era of mobility and BYOD.
Today, Dell Software has a couple hundred tablets tapping into its network. A vast majority of them are BYOD iPads. In addition, there are 4,300 smartphones that fall under the company’s BYOD mandate.
CIO.com sat down with Fawcett to find out her secrets to BYOD and iPad success.
What is the biggest mistake most people make with BYOD?
Fawcett: I just talked to my admin group the other day, and they said, ‘You know, Carol, we don’t really have a BYOD program.’ What we’ve really got is just the enabling of end users to access applications and data on whatever devices and within certain security boundaries.
We didn’t start with a BYOD project, rather with some tablets, Droids and smartphones that came in. And so we started out by saying that our technicians who come to your desk will be proficient in, say, 10 to 12 different devices and OSes. We said we’re only going to do so much with the device you bring in.
With this approach, you’ll only satisfy about 80 percent of your internal employees.
You need to recognize your limitations. In the end, you can’t support the physical aspect of it, you can’t support every device somebody will bring in. You have to step back and recognize that if you attempt to support every single device, your cost for an IT department will just raise up so high.
After working the device angle, we quickly realized that if we continued down this path we would be forever firefighting devices.
So we decided to turn this upside down and stop focusing so heavily on devices. Instead, we’re going to focus on security and access rights for an individual, and then give them flexible ways of accessing applications.
If someone chooses to enter an Oracle expense report from the local car wash on whatever machine happens to be sitting there, we’re going to allow it while making sure they come in with the right user name and password.
This really isn’t a device conversation but a role-based conversation, recognizing that an individual has one set of access rights across the environment based on that person’s role within the company. The different devices they use should be an afterthought.
Is this one of your BYOD secrets?
Fawcett: You have to remember that an IT organization is a service provider. It’s all about our employees. You want to give them a great user experience. And this means giving them the ability to get to the right data and the right applications. You really have to know your use cases. You have to keep your users at the forefront, defining the current state before trying to shape the future.
Believing that your environment today is locked down and secure and that you don’t already have tablets and smartphones in your environment would be a misnomer. Discovering what’s out there is your best path to sanity—that is, understanding what you’re up against before you kick off the project.
It’s really one of the secrets: You can’t attack something that you don’t understand.
Speaking of user experience, what do you lose by not building native apps for specific devices?
Fawcett: Most of the enterprise applications are coming ready these days to be run on just about any browser. For the external customer, we develop for just about any browser you can think of. For the internal applications, we’ve found that most apps running on Internet Explorer also will run on Safari, as well as some on Firefox. We’ve limited it down but try not to exclude.
I think that goes with employee user satisfaction because, again, they get to use what they want to use and what they’re familiar with.
How does access to the Web app work?
Fawcett: We have a product called Webthority, which allows you to publish applications to the user interface. It lets us serve up only those applications based on their network login and password. It then acts as a single sign-on going forward—a portal to all applications—so the person doesn’t need to remember their Oracle user login. No VPN is needed.
Are you concerned about data leakage to the local device?
Fawcett: I’d be lying if I said no to that one, but there are different ways to mitigate risk.
With Web apps that are mostly transaction-based, you’re not pulling anything down onto the device. Most people using tablets don’t pull data down and work on content. They are getting email, which we can cut off and wipe as long as they have connectivity.
You can decide to make applications that have critical data in them only accessible via a VDI-type service [virtual desktop infrastructure]. We’re either going to allow them to come into a desktop that is in essence in the data center, or we’re going to stream the application, or we’re going to put a bubble around it so that people can’t pull the data down onto the desktop itself.
It does go back to access rights: making sure people have a clear understanding of what happens if they do anything with the data that they shouldn’t. That’s where your policies come into play and also monitoring where people are going in the environment and what they’re doing.
If you have your alerts set correctly and somebody goes someplace they shouldn’t—bam!—an alert goes off, someone is notified and connectivity is cut. We can pretty much wipe any device as long as the person hasn’t cut connectivity.
What about employees who need to work offline?
Fawcett: As far as Web apps go, you definitely need connectivity. But they tend to be more transactional programs. In some cases, we use our own product called Dell vWorkspace with MokaFive that allows you to check out of your desktop, work offline, and then check in with all your work transferred back in.
It goes back to roles.
Desktop in the data center would be best for a data entry person. You know their data is backed up and secured and that they can’t take anything home with them. Someone in finance who is heavy in Excel spreadsheets probably should just get a desktop.
A tablet would be good for a traveling salesperson, because they’re doing things like going into Salesforce.com and entering in contacts, quotes, orders, updates and activities. They could do any of this from a tablet, anywhere they need to do it.