BYOD: Get Ahead of the RiskIntel CISO: Policy, Accountability Created Positive Results
Had the company not addressed the issue, employees would have continued to bring devices into the enterprise anyway. "They would connect it up in different ways," says Intel CISO Malcolm Harkins. "It would just be done in an unmanaged fashion."
So, Intel embraced BYOD and made it part of a strong mobile policy that revolves around accountability. "We really want to make sure that not only the IT organization is accountable for providing the right technology footprint on those BYO devices, so that we can manage reasonable controls on it," Harkins says. "But the employees themselves have a level of accountability in understanding the risk that brings to the company."
Since developing a policy around BYOD, Intel has seen the amount of mobile devices its employees use for work double at an incrementally small cost to the company.
"We're getting feedback from the employees that they're happy about being able to use their devices," Harkins says.
In an interview about BYOD, Harkins discusses:
- Why Intel embraced the BYOD trend;
- Steps it took to manage the risks;
- Policy tips for organizations struggling with BYOD.
Don't miss Malcolm Harkins' new webinar on BYOD, entitled Mobile: Learn from Intel's CISO on Securing Employee-Owned Devices.
Harkins is vice president of Intel's Information Technology Group and CISO and general manager of information risk and security. The group is responsible for managing the risk, controls, privacy, security and other related compliance activities for all of Intel's information assets. Before becoming Intel's first CISO, Harkins held roles in finance, procurement and operations.
TOM FIELD: To get started, why don't you tell us a little bit about yourself and your work with Intel, please?
MALCOLM HARKINS: I'm a vice president in Intel's Information Technology Group, and Intel's chief information security officer, so I pretty much have worldwide responsibility for anything and everything you can imagine that's an information risk, security controls or compliance-related item for the company.
BYOD: Intel's Experience
FIELD: Everybody's talking about bring your own device - BYOD - today, but when did the BYOD trend first strike Intel, and what was your initial response?
HARKINS: Well, you can go back and look at it actually from a historical perspective. When you said this, it honestly dawned on me - at the dawn of the personal-computing revolution back in the early '90s, it wasn't a "bring your own" necessarily into the office, but at that time, we allowed people to login to our network, so they were using their home systems to logon to our network to do work remotely. So in essence, 15-17 years ago, I could argue that we had a BYO-type model, though we removed that because of risk concerns quite a number of years ago, but the new trends really took off over the past 24 months.
FIELD: So in those 24 months, as people have started to introduce their smart phones, their tablet computers, even USB removable storage devices, how have you come to treat this phenomenon of employee-owned mobile devices?
HARKINS: There are two approaches: one is the initial reaction that I think is pretty common from a risk and security professional, where you see the risk and you want to shy away from it. But we recognize that if we did that, we'd probably create and generate more risk for ourselves because people would bring it into the enterprise anyway. They would connect it up in different ways. It would just be done in an unmanaged fashion. Once we kind of got past the recognition that we really couldn't stop that BYO trend, we said we've got to essentially run to the risk in order to shape it, and so we started with the small form-factor and smart phones and said, "Let's figure out how to enable that for the enterprise," which we did almost two years ago. It was late 2009 when we started the first kind of pilots on that, and then by January of 2010, we opened it up broadly across the enterprise.
Advantages of BYOD
FIELD: Now you talk about the risks and certainly it's not all risks, there are rewards here as well. What are some of the advantages that Intel has gained from employees using their own mobile devices?
HARKINS: It's actually been quite tremendous. Back in the late 2009 time period, we had maybe close to 10,000-12,000 small form-factor, hand-held cell-phone devices, all of which Intel paid for. We paid for the cellular contract and the service and support. As of today, we have close to 30,000 that are connected in and employees are using, and that growth - 90-plus percent of it - has primarily come from BYO.
What we've seen is we've more than doubled the amount of mobile devices and small form-factor devices in the environment at incrementally a small cost to the company, so we've contained our costs for the most part because we don't have to pay for the device, we don't have to pay for the service contract, but the employees are much more productive. We're getting feedback from the employees that they're happy about being able to use their devices, plus we're finding that they're connecting in and checking for meetings, checking their calendars. They're not missing opportunities to help the business. And to be honest, they're also more reachable and we've used the growth in the mobile devices when we've had disaster events or emergency issues where we can get a much broader reach across different employees because they now have more mobile devices that the enterprise is aware of because we've embraced them.
The Mobile Policy
FIELD: Policy has been one of the challenges for organizations in enabling BYO. What are some of the highlights of Intel's mobile policy?
HARKINS: I think the big highlights of it are accountability. We really want to make sure that not only the IT organization is accountable for providing the right technology footprint on those BYO devices so that we can manage reasonable controls on it, but the employees themselves have a level of accountability in understanding the risk that that brings to the company, as well as to some extent, the risk it might bring to themselves. As we layer a footprint on the device, if it's lost or stolen we'll remotely wipe it, which means that the employee's data might get wiped out as well. So again, there are obligations that we expect the employees to do to safeguard that asset, understand what the usage models are in accordance with our policies and our code-of-conduct expectations; but again, use it in a good fashion.
One of the key items that we focused on as well was for hourly employees and wanting them to understand that if they're doing work on that small form-factor device off network and not in the building, they need to report the hours that they've worked. Their managers, who manage hourly employees, need to understand that by enabling that, there may be extra hours that an employee might log, and so between the manager and employee, they need to understand that because it could count for overtime, it could count for other expenses, and so that awareness between the manager and employee, particularly for hourly employees, is quite important.
Enforcing the Policy
FIELD: What have you found to be some of the challenges of enforcing your mobile policy?
HARKINS: The big challenge in enforcing it, to be honest, is a couple things. One is, again, that upfront awareness, but one of the things that we did when we were shaping our policies is we engaged the employees in kind of the consumerization BYO debate, and we hosted some webjams, essentially cyber chats, with thousands of employees across the company to explain how we were thinking about enabling it and to get their input on how they wanted to use the phones and what issues they saw with the policies we were trying to put into place. Some of it is just that understanding and interpretation of what it means and that's one challenge.
The work differences, as I said, particularly for hourly employees and accounting for any time that they might be doing e-mail or checking their calendar, responding to something - that's certainly a challenge that isn't necessarily an information security challenge. But it's certainly an enterprise-risk issue that needs to be thought about with the introduction of this type of usage model.
And certainly, there's the challenge of data protection and privacy, particularly, privacy of the individuals because it's their device and we need to make sure that we're appropriately respecting the privacy of the information that they have on those phones and only collecting and using what we really need, and essentially creating a border between that personal side of the device and the enterprise side.
FIELD: Now as you mentioned, this has really been a trend that's developed over the past 24 months as the technology's developed. How do you expect elements of your policy to evolve as the technology continues to evolve?
HARKINS: I think there's going to be a few different things, and some of it is beyond just the technology evolution. In the privacy space and in some countries, even employment law - the legal and regulatory environment - even if the technology stayed the same, the legal and regulatory environment may evolve in a way that would cause us to evolve our policies. We think that we've thought through that well enough that we have the appropriate ways to essentially manage those things, but that's certainly one thing that's going to evolve that could further restrict or tighten essentially the border we need to keep between the personal information and the corporate information.
There could be evolutions where, from a discovery perspective, if there was an incident and we needed to get an image off of the device, if the legal and regulatory environment evolved where we needed the employee's permission to do that and the permission that they granted at the time that they signed the agreement wasn't sufficient and we needed to get the agreement at the time we needed to conduct the investigation, that could certainly evolve some of our policies and practices. But then, like you said, as the technology changes and as the technology essentially has more geo-location information, the device itself knows more about you and where you're at and what you're doing, and so does your service provider. That will definitely change how we evolve our policies because we'll need to protect the privacy of the individual. But the context of where they're at and what they're doing and are they proximal to their laptop, are they in the building - there's certainly use cases that could add a tremendous productivity benefit, as well as trust benefit, by knowing that they're in the building and you can grant them potentially more access to sensitive information because you know where they're at.
BYOD vs. Corporate-Issued Devices
FIELD: You touched on this to some extent. What's the argument for employees bringing their own devices versus the company issuing mobile devices?
HARKINS: I think the argument for BYOD, in my mind, is simply put: it's going to happen because everybody has them in their pockets today. They're already bringing them into your enterprise. The question is ... whether or not they're hooking them up and taking information onto those devices in a way that's actually unmanaged risk; or are you just not getting the benefit of it and the employee's not getting the benefit of the device that's in their pocket. I think we saw this with the tremendous growth; by just enabling it, we more than doubled the amount of small form-factor devices in use.
Now I still think there's always going to be an argument for some company-issued devices, whether it be because we need full oversight across everything on the device for data protection or other compliance purposes, or if somebody's job category really does require them to always be on, always connected, always reachable. It makes - to some extent - a lot of business sense that the company would incur the cost to provide that capability. And so I think you're going to end up in this model where it's relatively mixed.
For some jobs and some roles, I have them in my team. We have individuals that are responsible for managing events and investigations and that type of stuff. We give them a company-issued device, we pay for the contract on that and we pay for the data because it's a part of their job and their work. But also, if they chose those saying, "Hey, I want this other device that I want to pay for myself," they have the choice to do that. But that's where I think it'll end up with many companies, a choice where the company goes for work that's required. The company will likely choose to pay for the device and pay for the service contract. Everything else, it'll just be a choice of the employee - do they want to bring that in, do they want to use it and do they see a personal benefit in doing that? And then it's just going to be managing that spectrum across the enterprise.
FIELD: Final question for you. For organizations that are now or soon will be struggling with this whole concept of BYOD, what advice would you offer to them?
HARKINS: Don't shy away from the risk issues. Figure out how to run to the risk in order to shape it. If you ignore it, you're going to have the risk and it's going to be bigger than if you go and be in front of it. I think the other thing that I mentioned as well, beyond just the traditional information security or privacy and those types of control and compliance requirements that an IT organization and my peers normally contemplate, is [to] go engage other parts of your business: the HR team, the HR legal team. Explore the wage and hour-risk issues of hourly employees, explore employment-law issues in different areas and look at it across the geographies you're in, because each geography has slightly different legal and regulatory requirements. I would suggest that people go do that so that way they don't encounter an issue because they didn't think far enough or broad enough about the risk considerations beyond just the obvious data-protection ones.