Afraid of BYOD? Intel shows a better way

In Twitter chats, conference halls, reader comments, and the interminable flow of vendor “scareware” white papers, I keep hearing about IT pros’ fear of their companies falling apart because someone lost their smartphone or an employee copied and pasted the intellectual crown jewels in an email from their Mac. It’s easy to deride these anxieties as paranoia, but it’s hard to convince IT pros — for whom securing information is what they get hired and fired for — to relax.

Maybe they’ll relax if they talk to Kim Stevenson. She’s the CIO of Intel, a company that’s embraced PC and mobile heterogeneity in general and the BYOD movement in particular perhaps more than any other large firm subject to regulations and compliance requirements. Of Intel’s 100,000 employees, 19,000 participate in the company’s BYOD program, which means they’re free to bring in their own mobile devices. In fact, 58 percent of mobile devices used at Intel belong to the employees.

[ The war between IT and users: Why users are winning. | Subscribe to InfoWorld’s Consumerization of IT newsletter today. | Get expert advice about planning and implementing your BYOD strategy with InfoWorld’s in-depth “Mobile and BYOD Deep Dive” PDF special report. ]

On their BYOD devices, employees also bring in their own apps. “Personalization is a fact in this world, and in any event, I can’t provide an app catalog that satisfies everyone,” Stevenson notes.

The result: about $150 million a year in increased productivity (57 extra minutes per day at Intel per BYOD employee) and cost savings, she says. Intel gets $3 in return for every $1 invested in supporting consumerization, Stevenson tells me. By my calculations, that means a return of about $7,500 per BYOD employee for a cost of $2,500 per employee to enable, manage, and secure. And Intel does this without imposing draconian technology restrictions on users.

Intel’s radical concept: Trust your users Instead, Intel does something rare in IT today: It trusts users. That trust is not absolute, of course: Based on the person’s role, Intel figures out how much it can trust each person, then extends that trust. And that trust means expecting the user to do the right thing no matter the device, app, or storage system used.

I’ve talked to more than a dozen security consultants, CSOs, and CIOs in recent weeks, and nearly all of them have revealed that they don’t really trust users, so they use technology to contain or neutralize them. A few believe the BYOD phenomenon, including its close cousin of letting users choose from multiple formally supported devices, is a fad that foolish employees adopted, wasting time and money (they often blame Apple). More believe that employees mean well but when push comes to shove will make mistakes that cost IT staff jobs, because IT is responsible when all is said and done.

Stevenson doesn’t see her role as the “father knows best” patriarch, as the stifling East German police force, or as the little boy with the finger in the dike keeping the kingdom from drowning. She sees herself as the enabler of and educator about using technology. And she sees employees and their managers as responsible for how they manage the information they are entrusted with. (Fortunately, so does Intel’s executive leadership.)

This progressive attitude isn’t just Stevenson’; she’s been CIO less than a year, and the open, empowering approach at Intel predates her by several years, with BYOD efforts starting in late 2010. In other words, this is no fad at Intel but a cultural shift it had already made.

“We made the decision to move the trust point to the user,” Stevenson tells me. She doesn’t believe there is a rational choice not to. The younger generation is fairly savvy about technology, so “they’re going to use their own technology anyway.” But it’s not just the 20-somethings. So will older workers — after all, the PC has a popular history of more than 40 years and the Internet is approaching 20 years as a part of everyday life. Computer technology is now normal in our personal lives, so why act as if employees are ignorant about it or that the workplace is the only place they encounter computer systems? They may not be experts, but they’re hardly newbies.

Plus, all the fears you hear expressed about data loss and compromised user systems are old news, Stevenson notes. The threats of email forwarded to personal accounts, of information copied to files and other apps, of stolen or lost computers and storage media have been around as long as there has been a PC. “They exist today on the laptop and PC. They’re not new.”

So why act as if an iPhone, iPad, Kindle Fire, Xbox, personal Mac, home PC, Windows Phone or RT tablet, or Android device introduces a new risk? It doesn’t. That realization has freed Intel to take advantage of consumer technologies and individual employees’ personal technology preferences. Why not tap into users’ expertise and the contexts they find themselves most comfortable in if it helps them do their jobs? Assuming an employee has legitimate access to information, “We want to see data move seamlessly through devices, no matter what you have, in an open ecosystem,” Stevenson says.

If you think Intel is an exception because as an engineering company it has unusually tech-savvy employees, think again. Stevenson notes the engineers are hardly alone in wanting to use their own technology. It’s admins, accountants, operations managers, and pretty much every type of employee — the same kinds of people found in every other company. “The familiarity they have with the technology is very important to them and a great part of their personal productivity,” she says. (Stevenson does admit that the engineers love their gadgets more and tend to spend more on their personal equipment, both for higher-end gear and for frequent refreshes as new products come on the market.)

Of course, with 100,000 employees to provision, Intel hasn’t crossed the line into letting employees bring in their own PCs to use instead of the corporate laptops. Employees can buy their own computers, including Macs (a popular option for employees, even in traditional Windows roles such as admins and accountants, Stevenson says) and use them for work. However, the company wants to minimize the number of install images, so employees get to choose from a handful of Windows PC models (those on the Apple account can get Macs). Employees with corporate-issued mobile devices also have a prescribed selection.

Prove you mean it: Proactive BYOD support when you walk in the door It’s one thing to allow BYOD and technology choice; it’s another to promote it. Intel promotes it. For example, it has set up technology vending machines in many of its lobbies that employees can use to replace a cable or other peripheral when needed. Not only is it convenient for the employees and reduces IT support efforts, it sends the message every time an employee walks in that Intel really wants them to make their technology choices.

Another company that is progressive about user technology choice is SAP, which is putting help stations in some lobbies modeled after Genius Bars in Apple Stores. Intel is likewise experimenting with friendly help stations in lobbies. One benefit is the reinforcement of Intel’s commitment to technology diversity.

But there’s a pragmatic benefit, Stevenson notes: “On average, a tech problem exists for seven days before someone reports it for help, so we’re looking to reduce that by making a more friendly, Starbucks-like support environment.” Earlier support reduces the risk of a tech problem, both on information security and employee productivity, she notes. And it can help reduce support costs by catching a problem earlier, before it escalates or cascades.

Empowerment and security aren’t contradictions Intel hasn’t confused technology freedom with “anything goes.” Instead, it’s realized the goal of information security needs to be about information, not devices. Intel protects its information using both people and technology. After all, people handle the sensitive information, so making them aware of information security is a necessary step to ensure that safeguard.

Unfortunately, too many companies try to exclude users from security efforts, relying only on technology, then wonder why users make mistakes or act as if security isn’t a concern — because it isn’t!

Stevenson shrugged when I described that people-averse approach and reiterated that you can’t take people out of the equation. That’s why Intel has an active education program, including monitoring and verification, and it both trains people and holds them accountable for the information usage. It’s not IT’s problem; it’s everyone’s problem.

For example, new employees complete four awareness classes, and every employee takes an annual refresher course. Plus, there are required classes for those who handle sensitive information. Another company, the nonprofit Sesame Workshop, which produces education shows like “Sesame Street” and “The Electric Company,” takes a similar approach. It requires employees to attend two classes on information policy before letting them participate in its BYOD program.

Of course, Intel uses technology to help protect information security. It deploys mobile device management (MDM) tools to make sure that devices confirm to basic policies, such as enforcing the use of passwords and encryption. Such enforcement goes a long way to satisfy the fear over lost devices, as do the controls for remote wipe when someone with sensitive data access loses their device. And Intel uses application development tools that let it embed and manage information permissions in internal apps, such as the ones allowing employees to access their payroll information, that it provides to PCs, Macs, mobile devices, and Web browsers.

Intel’s BYOD usage policy gives it the right to wipe and remove contents from a device, such as when an employee leaves. In countries where privacy laws forbid such corporate access to personal equipment, Intel doesn’t allow BYOD; there is no mixing of personal and business where local sensibilities discourage it. But in the United States, this blending is desired my many employees, who are willing to opt in to such policies in return for freedom of choice.

Intel is setting up Wi-Fi networks for personal use in parallel to its internal Wi-Fi networks. Personal devices not granted BYOD access can still connect to the Internet at the office but not commingle with business traffic or access business resources.

But Intel’s main focus is not on device-level tools — rather, it’s on the information. “You have to think about the data primarily,” Stevenson says. The best way to ensure that information is not misused is to control its access in the first place, regardless of the devices. To this end, Intel has adopted the notion of trust zones.

A trust zone is essentially a classification for information access. As CIO, Stevenson has the highest level of information accessibility — essentially, trust — so she can access information in any of the three zones when she’s in Intel’s Santa Clara, Calif., headquarters or other trusted environment. But if she connects from, say, a hotel overseas, she loses access to the top trust zone’s information because she is connecting from a lower trust zone — despite her credentials. And the top trust zone’s information is simply not made available to some devices. “[The information management system] dynamically adjusts user access and monitoring based on user privileges, data, application, device type, and location,” she says.

That approach limits access to sensitive information before it gets to a smartphone, tablet, Mac, PC, or whatever. After all, even a trusted device could be safe or unsafe depending on what connections it uses. That upfront limit removes many concerns over what happens to information once it reaches a device — it only gets there if the device, context, and user are all trusted.

Stevenson notes the tools exist to manage information this way across the new breeds of user technologies, though they are fairly new and not that familiar to IT. There’s also an upfront deployment cost, and the hassle of the tools being highly fragmented by not just operating system but even OS version.

This fragmentation is not just in devices. For example, you can buy consumer apps that have embedded information security controls that work with one cloud storage service or one MDM tool, but not others. Stevenson wishes the tools were more unified at least within each platform, and ultimately she’d like to see the tools work across all platforms. Until then, it means more work and initial expense for IT — a barrier she says colleagues at other companies frequently cite.

But Stevenson says it was easy to justify that investment, given the proven benefits outweighed the costs by a factor of three to one. And the users who want the freedom of technology are the ones who ultimately have to approve the investment.

Make profits, not war It’s easy to think about user technology and information security in a binary way. Many IT pros tend to view them as a choice between chaos and control. Users tend to think of it as a choice between productivity and red tape, and users’ power to cut the red tape has increased remarkably in recent years. At many companies, this is devolving into a war between users and IT.

Progressive companies such as Intel show that the war is unnecessary. You can have some technology freedom while protecting information security. You can have standard practices while enabling personal preferences. You can make more money for your company by trusting and enabling your employees to use their brains.

Just ask Kim Stevenson.

This article, “Afraid of BYOD? Intel shows a better way,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Smart User blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.