Executive Briefings

Three Industry Experts Discuss What BYOD Is Doing to Your Enterprise

More and more, companies are finding that employees not only want to bring their own internet-connected devices into the workplace, they want to do it at their own expense. While that sounds like a cost-saver for many companies, the ramifications of the bring-your-own device (BYOD) phenomenon cannot be overstated in their importance: corporate security and privacy interests rest on having appropriate BYOD policies in place.

To learn more about the need for BYOD strategies and initiatives, SupplyChainBrain convened a Power Lunch - a roundtable discussion - with three experts in the field: Martin Jack, Chief Technology Officer, Barcoding Inc.; Matthew Montgomery, Associate Director, Enterprise Partnerships, Verizon Wireless; and Bruce Willins, Senior Director, Technology Solutions Group, Motorola Solutions Inc. The three met with Russell Goodman, SupplyChainBrain editor in chief.

Q: Is this something that's here to stay?

A: Jack: I believe the BYODs are here to stay, so rather than fight them, we have to embrace them. And one thing I would recommend to companies is to establish a baseline for security and privacy polices to start with.

When we talk about a baseline, we're looking at the IT department trying to determine what requirements I need to enforce on these BYODs that are being brought into the company. It could be something as simple as I'm only gonna to allow you to check email or only allow you to download documents. Once that's established by the IT department, I think we can then start analyzing what BYODs will I allow you to bring.

Q: As for privacy?

A: Jack: It's important to establish privacy policies as well. Unfortunately, if you have to terminate an employee, you want to be able to retrieve and delete that information that was downloaded. You want to be able to, at some point, remove all applications installed. I believe  establishing a baseline and a guideline for privacy as well is a good start when it comes accepting BYODs.

Q: What about the cost of this?

A: Montgomery: I think from an industry perspective you're seeing the idea of providing you with a bucket of data to be manged on the end points of the devices that you want. We launched that in the consumer space. You'll pay a recurring charge and from that you get access to whatever devices you want, up to a certain amount. You can share those devices, and share them anywhere.

That's a good point because it means managing that cost profile. It's not just a security issue but also a cost issue as well.

Q: But what about security?

A: Montgomery: The enforcement of security and part of that enforcement is in the delivery of applications. Applications worry me the most. It's using things like private apps that we would manage in the cloud. That gives some level of enforcing those IT restrictions you talked about. Coping with that, that's kind of a unique role for us, not just being a transporter but almost an arbitrator of the IT asset - and then delivery of those security profiles down to the device itself.

A: Willins: I hear from execs who say they bought an iPad for their spouse and one for themselves, and they want IT to deal with it. But we deal more with the corporate devices - devices that are bought by a corporation, not a BYOD model, typically. At some point, IT has to justify and do a TCO analysis. And the numbers that we've been working [suggest] about 20 percent of the cost of the device is actually in the acquisition cost. There's a big cost center in the back end to support the device, to manage it, to have maintenance support, security profiles and the like.

This is formidable when dealing with a consumer device that wasn't really designed and doesn't really focus on that particular segment.

Q: What are the challenges involved if you have multiple devices, multiple operating systems, being brought into the enterprise? How does that impact the IT department?

A:
Jack: There is a cost involved, and it can be pretty high if not handled in the right way. At some point, it does create a problem for the IT department. We find that happens a lot. One thing we try to do is say, 'Look, we aren't going to train you on how to turn your iPad on, or on how to do every single thing with your iPad. We're focused on the business requirements with that iPad, what do you need to learn? What do we need to train you on in order to do the day-to-day business duties and features and actions at the workplace?'

We're not going to be training employees on things that are non-business tasks.

Another thing to help with this is device management. It's a big part of what a lot of people are focused on today, especially with large roll-outs. In order to support the IT department and help reduce costs, they are turning to device management tools.

Q: These are hardly new.

A: Jack: Traditionally, they were used for workstations and rugged devices, but now we're seeing IT departments pushing device management tools down to BYODs as well. What that does is help with management of these devices, it helps basic security of devices. You can remove data from devices, you can lock down devices when they are on a VPN, you can restrict access to certain things. So the IT department can actually help reduce costs.

When it comes to training, there are interactive videos that they can now utilize a lot more efficiently than they did five years ago. They always had them, but now they can push them directly down to the devices. You can put them out in certain media repositories to allow users to go and be trained by looking at these interactive videos.

A: Willins: Corporations need device management from handhelds or rugged devices in a warehouse all the way out to field staff personnel. Mobile device management needs to be comprehensive. MDM needs to span from that warehouse all the way out to that field employee, and you can't separate it from security. We can have application lockdown. Most of our customers in the retail environment will whitelist the device so only select applications will run.

I assume from the carrier perspective that may ultimately will move into the cloud.

A: Montgomery: It starts with MDM. I agree that any device that touches corporate data needs to be managed. That's good IT policy. But what about the IT team? We're putting so much pressure on them, but consumerization is driving it because of these devices.

A: Willins: We get hit with regulatory all the time. Whether it's retail, healthcare or critical infrastructure, we get hit. Actually, most people don't know it, but 46 states have efforts to enact legislation for even private information. So it's no longer just security records or healthcare records. The legislation is over private information, where they will require that if you lost a device that is not protected, that doesn't have encryption or necessary protection mechanisms, you have to report that. That gets posted on a public website. So now all of sudden, there's a brand problem because I'm having personal information that's been exposed. Security now has to be end to end, which is just the basic security paradigm: It's only as strong as the weakest link.

Q: What about the legal aspect? Is there now a world of litigation?

A: Willins: Dual persona - all three of us are talking about dual persona at one point or another.

A: Montgomery: They are legally responsible. Even if their assets end up with any type of information, personal or business, it really becomes an issue. It gets back to multiple device management.

A: Willins: We're asked constantly by customers about selective wipe. They want to make sure that we wipe the business part but not the personal. So there's that dual persona. Whether it's BYOD and it's mostly your personal device, but then once in a while it's a business device - or whether it's a corporate device and it's primarily your business tool and only slightly personal - it still has that dual persona and needs to be managed.

Q: How much does MDM cost the enterprise?

A: Jack: The device management tool keeps inventory of your devices. It's able to ID things down to a very low level, of what's out there in the field. That's the recommended way. You want to manage the devices, you want to know when they're being used, not being used, or if they're being used in a certain area. You may want to block access when that employee is in a certain area of company or building.

Another area, when it comes to expense, is the software side of things. One thing we have seen is that traditionally the software was built to last on an enterprise level, on rugged devices for four or five years. Now we're seeing where employees are bringing in BYODs and guess what - the version they brought in, the model they brought in, is no longer supported six months later. Yet the software that we pushed down to those devices must run on the next version six months later, and then six months later after that. So we're seeing that companies are now having to make a decision on how they handle and maintain software for the future of smartphones, etc.

One thing we are recommending companies do is put aside money for maintenance and support of software. And for research and development as well. That way they have a comfort level that their software, their applications, will run on future versions of these smartphones that are coming. And one way to do that is to focus on solutions that will run on multiple devices. You want to invest in software going forward that's going to run on multiple platforms.

A: Montgomery: We're seeing thinning out of the software to a point where it's almost virtualization. You're not as bound by the hardware, but it's really delivered on the device that the IT department will let in. We're seeing, or starting to see, virtualization is really become reality. Thinning out the application so it's just one that sits in the browser experience. That way you're not as concerned as much about something that's on the device itself.

A: Willins: What we're saying is, first and foremost do you support the portfolio of devices you have in the field? So that could be CE, Windows Mobile, Android, iOS and so many others. And then the question is, how do you deal with the fragmentation? Because you have so many different devices on so many different operating systems, with so many applications you brought into the ecosystem - how do you administer that and manage that? It's a formidable challenge.

Q: Perhaps there are some devices you shouldn't allow in under any circumstances? Certain employees who shouldn't be allowed to BYOD?

A: Jack: Based on the baseline you established, there are devices that you will say, 'You know, they shouldn't be on my network.' Security-wise they wouldn't have the features built in to support the security policies that you want to push down to these devices. I think it's always going to be a challenge in determining 'Do I allow every device on the network or don't I?' And I think the easy answer is, you really don't. But it depends on your baseline, your privacy policies.

A: Montgomery: IT policies will define the device allowed. It's up to the organization, but I do think there is absolutely a device that shouldn't be allowed.

Just the fact that we're talking about whether there is a device that we wouldn't allow tells you how far we've come in a year.

A: Willins: Pre-2009 we kind of break things down that pretty much everything was either Windows Mobile or a BlackBerry device, which had fairly comprehensive, robust sets of enterprise capabilities and that pretty much met the security profile. We've now gone into this phase where anything and everything is open.

I actually met with a CIO of a major parcel delivery company, who said it was the first time in his career that he's had employees asking to use their devices that they bought with their money for work purposes. But to Martin's point, you have to have a minimum baseline.

The concern there is that there is a security boundary between a contacts database for work, but now you've loaded up a piece of Android malware, and it just looks across the boundary and says, 'Oh, great, I'll send these contacts to anybody.'

A: Montgomery: It's happening today.

A: Jack: You are definitely behind the curve if you're haven't put some BYOD policy in place at this point in time.

A: Willins: It's interesting to see companies that have a mobile security officer now. You never had that title before. It was never a position.

A: Montgomery: I just read that in London people lost 60,000 handheld devices in cabs in one month.

A: Jack: But the good news is that the tools we have today allow us to manage these always-connected devices. We can reach out and shut down a device. That's encouraging.

To view video in its entirety, click here


Keywords supply chain jobs, BYOD strategy in the workplace, BYOD security issues

To learn more about the need for BYOD strategies and initiatives, SupplyChainBrain convened a Power Lunch - a roundtable discussion - with three experts in the field: Martin Jack, Chief Technology Officer, Barcoding Inc.; Matthew Montgomery, Associate Director, Enterprise Partnerships, Verizon Wireless; and Bruce Willins, Senior Director, Technology Solutions Group, Motorola Solutions Inc. The three met with Russell Goodman, SupplyChainBrain editor in chief.

Q: Is this something that's here to stay?

A: Jack: I believe the BYODs are here to stay, so rather than fight them, we have to embrace them. And one thing I would recommend to companies is to establish a baseline for security and privacy polices to start with.

When we talk about a baseline, we're looking at the IT department trying to determine what requirements I need to enforce on these BYODs that are being brought into the company. It could be something as simple as I'm only gonna to allow you to check email or only allow you to download documents. Once that's established by the IT department, I think we can then start analyzing what BYODs will I allow you to bring.

Q: As for privacy?

A: Jack: It's important to establish privacy policies as well. Unfortunately, if you have to terminate an employee, you want to be able to retrieve and delete that information that was downloaded. You want to be able to, at some point, remove all applications installed. I believe  establishing a baseline and a guideline for privacy as well is a good start when it comes accepting BYODs.

Q: What about the cost of this?

A: Montgomery: I think from an industry perspective you're seeing the idea of providing you with a bucket of data to be manged on the end points of the devices that you want. We launched that in the consumer space. You'll pay a recurring charge and from that you get access to whatever devices you want, up to a certain amount. You can share those devices, and share them anywhere.

That's a good point because it means managing that cost profile. It's not just a security issue but also a cost issue as well.

Q: But what about security?

A: Montgomery: The enforcement of security and part of that enforcement is in the delivery of applications. Applications worry me the most. It's using things like private apps that we would manage in the cloud. That gives some level of enforcing those IT restrictions you talked about. Coping with that, that's kind of a unique role for us, not just being a transporter but almost an arbitrator of the IT asset - and then delivery of those security profiles down to the device itself.

A: Willins: I hear from execs who say they bought an iPad for their spouse and one for themselves, and they want IT to deal with it. But we deal more with the corporate devices - devices that are bought by a corporation, not a BYOD model, typically. At some point, IT has to justify and do a TCO analysis. And the numbers that we've been working [suggest] about 20 percent of the cost of the device is actually in the acquisition cost. There's a big cost center in the back end to support the device, to manage it, to have maintenance support, security profiles and the like.

This is formidable when dealing with a consumer device that wasn't really designed and doesn't really focus on that particular segment.

Q: What are the challenges involved if you have multiple devices, multiple operating systems, being brought into the enterprise? How does that impact the IT department?

A:
Jack: There is a cost involved, and it can be pretty high if not handled in the right way. At some point, it does create a problem for the IT department. We find that happens a lot. One thing we try to do is say, 'Look, we aren't going to train you on how to turn your iPad on, or on how to do every single thing with your iPad. We're focused on the business requirements with that iPad, what do you need to learn? What do we need to train you on in order to do the day-to-day business duties and features and actions at the workplace?'

We're not going to be training employees on things that are non-business tasks.

Another thing to help with this is device management. It's a big part of what a lot of people are focused on today, especially with large roll-outs. In order to support the IT department and help reduce costs, they are turning to device management tools.

Q: These are hardly new.

A: Jack: Traditionally, they were used for workstations and rugged devices, but now we're seeing IT departments pushing device management tools down to BYODs as well. What that does is help with management of these devices, it helps basic security of devices. You can remove data from devices, you can lock down devices when they are on a VPN, you can restrict access to certain things. So the IT department can actually help reduce costs.

When it comes to training, there are interactive videos that they can now utilize a lot more efficiently than they did five years ago. They always had them, but now they can push them directly down to the devices. You can put them out in certain media repositories to allow users to go and be trained by looking at these interactive videos.

A: Willins: Corporations need device management from handhelds or rugged devices in a warehouse all the way out to field staff personnel. Mobile device management needs to be comprehensive. MDM needs to span from that warehouse all the way out to that field employee, and you can't separate it from security. We can have application lockdown. Most of our customers in the retail environment will whitelist the device so only select applications will run.

I assume from the carrier perspective that may ultimately will move into the cloud.

A: Montgomery: It starts with MDM. I agree that any device that touches corporate data needs to be managed. That's good IT policy. But what about the IT team? We're putting so much pressure on them, but consumerization is driving it because of these devices.

A: Willins: We get hit with regulatory all the time. Whether it's retail, healthcare or critical infrastructure, we get hit. Actually, most people don't know it, but 46 states have efforts to enact legislation for even private information. So it's no longer just security records or healthcare records. The legislation is over private information, where they will require that if you lost a device that is not protected, that doesn't have encryption or necessary protection mechanisms, you have to report that. That gets posted on a public website. So now all of sudden, there's a brand problem because I'm having personal information that's been exposed. Security now has to be end to end, which is just the basic security paradigm: It's only as strong as the weakest link.

Q: What about the legal aspect? Is there now a world of litigation?

A: Willins: Dual persona - all three of us are talking about dual persona at one point or another.

A: Montgomery: They are legally responsible. Even if their assets end up with any type of information, personal or business, it really becomes an issue. It gets back to multiple device management.

A: Willins: We're asked constantly by customers about selective wipe. They want to make sure that we wipe the business part but not the personal. So there's that dual persona. Whether it's BYOD and it's mostly your personal device, but then once in a while it's a business device - or whether it's a corporate device and it's primarily your business tool and only slightly personal - it still has that dual persona and needs to be managed.

Q: How much does MDM cost the enterprise?

A: Jack: The device management tool keeps inventory of your devices. It's able to ID things down to a very low level, of what's out there in the field. That's the recommended way. You want to manage the devices, you want to know when they're being used, not being used, or if they're being used in a certain area. You may want to block access when that employee is in a certain area of company or building.

Another area, when it comes to expense, is the software side of things. One thing we have seen is that traditionally the software was built to last on an enterprise level, on rugged devices for four or five years. Now we're seeing where employees are bringing in BYODs and guess what - the version they brought in, the model they brought in, is no longer supported six months later. Yet the software that we pushed down to those devices must run on the next version six months later, and then six months later after that. So we're seeing that companies are now having to make a decision on how they handle and maintain software for the future of smartphones, etc.

One thing we are recommending companies do is put aside money for maintenance and support of software. And for research and development as well. That way they have a comfort level that their software, their applications, will run on future versions of these smartphones that are coming. And one way to do that is to focus on solutions that will run on multiple devices. You want to invest in software going forward that's going to run on multiple platforms.

A: Montgomery: We're seeing thinning out of the software to a point where it's almost virtualization. You're not as bound by the hardware, but it's really delivered on the device that the IT department will let in. We're seeing, or starting to see, virtualization is really become reality. Thinning out the application so it's just one that sits in the browser experience. That way you're not as concerned as much about something that's on the device itself.

A: Willins: What we're saying is, first and foremost do you support the portfolio of devices you have in the field? So that could be CE, Windows Mobile, Android, iOS and so many others. And then the question is, how do you deal with the fragmentation? Because you have so many different devices on so many different operating systems, with so many applications you brought into the ecosystem - how do you administer that and manage that? It's a formidable challenge.

Q: Perhaps there are some devices you shouldn't allow in under any circumstances? Certain employees who shouldn't be allowed to BYOD?

A: Jack: Based on the baseline you established, there are devices that you will say, 'You know, they shouldn't be on my network.' Security-wise they wouldn't have the features built in to support the security policies that you want to push down to these devices. I think it's always going to be a challenge in determining 'Do I allow every device on the network or don't I?' And I think the easy answer is, you really don't. But it depends on your baseline, your privacy policies.

A: Montgomery: IT policies will define the device allowed. It's up to the organization, but I do think there is absolutely a device that shouldn't be allowed.

Just the fact that we're talking about whether there is a device that we wouldn't allow tells you how far we've come in a year.

A: Willins: Pre-2009 we kind of break things down that pretty much everything was either Windows Mobile or a BlackBerry device, which had fairly comprehensive, robust sets of enterprise capabilities and that pretty much met the security profile. We've now gone into this phase where anything and everything is open.

I actually met with a CIO of a major parcel delivery company, who said it was the first time in his career that he's had employees asking to use their devices that they bought with their money for work purposes. But to Martin's point, you have to have a minimum baseline.

The concern there is that there is a security boundary between a contacts database for work, but now you've loaded up a piece of Android malware, and it just looks across the boundary and says, 'Oh, great, I'll send these contacts to anybody.'

A: Montgomery: It's happening today.

A: Jack: You are definitely behind the curve if you're haven't put some BYOD policy in place at this point in time.

A: Willins: It's interesting to see companies that have a mobile security officer now. You never had that title before. It was never a position.

A: Montgomery: I just read that in London people lost 60,000 handheld devices in cabs in one month.

A: Jack: But the good news is that the tools we have today allow us to manage these always-connected devices. We can reach out and shut down a device. That's encouraging.

To view video in its entirety, click here


Keywords supply chain jobs, BYOD strategy in the workplace, BYOD security issues