Bring Your Own Device investigate

BYOD: Tech chiefs still split on the benefits, concerned about security

CIO Jury: While bring your own device might be an idea that appeals to staff, CIOs are not so sure, as concerns about data security remain.

The bring your own device (BYOD) trend continues to gain momentum as execs at the top of businesses, and younger workers at the bottom, demand the right to use their own smartphones, tablets and laptops in the office.

But for CIOs, BYOD is a bit more complicated, as they have to balance the potential benefits of higher productivity and lower spending on hardware with the risks to corporate IT security.

When asked, "Are you encouraging the use of BYOD inside your organisation?" TechRepublic's CIO Jury was evenly split, with some CIOs keen to roll out permission for employee-owned gadgets accessing their systems, while others taking a more cautious approach.

Adam Gerrard, group CTO, The LateRooms Group, was enthusiastic and pointed to an unexpected side benefit: "We actively encourage BYOD. With such a complicated array of devices available to consumers, a BYOD policy that provides control and security yet still offers enough flexibility to remain attractive means we have effectively amassed a large number of testers.

"They now provide us with a fresh customer perspective on the performance of our consumer applications in the real world, as well as highlighting potential areas for improvement in our products."

Gavin Megnauth, director of operations at Morgan Hunt, said the security and management tools for BYOD "are coming of age," and security of core systems and data is understandably a priority for CIOs.

Brian Wells, associate CIO at Penn Medicine, said his organisation insists users install its mobile device management package to gain access to corporate resources. He added: "We must maintain [Health Insurance Portability and Accountability Act] compliance and the ability to track and kill/wipe lost or stolen devices."

Graham Yellowley, CTO of equities, risk and client service at LCH Clearnet, said: "We are encouraging the use of BYOD - but only for Apple's iPad at present as we have included this device within our standard device list and have the ability to support it fully."

Shawn Beighle, CIO at the International Republican Institute, said BYOD was part of his future plans: "We will be opening up the use to whatever smartphone staff wish to use [in the first] quarter 2013, then we'll move onto tablets shortly thereafter. Laptops - that's going to take a while longer."

Similarly Richard Storey, head of IT at Guy's and St Thomas' NHS Foundation Trust, said: "We are conducting a high-level design to provide the environment necessary. Small-scale testing is underway to contribute to a determination of the right security model needed."

Afonso Caetano, CIO at J Macêdo, said BYOD is permitted once the employee agrees with the adaptation of the equipment for the internal processes of information security. But he added: "Most employees don't realise some advantage with that and end up carrying the two devices daily."

And not all CIOs were so keen on BYOD. Mike Roberts, IT director at The London Clinic, said: "The concern is both the Data Protection Act/Patriot Act and who is responsible for accessing the applications. If we do not own and maintain the access device, we cannot guarantee that patient data is properly maintained and secured."

John Robinson, director of technology at Bloomfield Public Schools, said: "We have added capability for users to connect their own devices natively for email, but are still evaluating the security implications of allowing access to other systems on the network."

This week's CIO Jury is:

  • Shawn Beighle, CIO, The International Republican Institute
  • Afonso Caetano, CIO, J Macêdo
  • Adam Gerrard, group CTO, The LateRooms Group
  • Jerry Justice, IT director, SS&G Financial Services
  • Gavin Megnauth, director of operations, Morgan Hunt
  • Jürgen Renfer, CIO, Kommunale Unfallversicherung Bayern
  • Mike Roberts, IT director, The London Clinic
  • Joel Robertson, director of IT, King College
  • John Robinson, director of technology, Bloomfield Public Schools
  • Richard Storey, head of IT, Guy's and St Thomas' NHS Foundation Trust
  • Brian Wells, associate CIO, Penn Medicine
  • Graham Yellowley, CTO of equities, risk and client service, LCH Clearnet

Other members of the CIO Jury pool also made their opinions heard on BYOD.

Kevin Leypoldt, IS director at Structural Integrity Associates, said: "I am not sure I would use the term 'encouraging'. I think that we are more than tolerating BYOD, but not launching marketing campaigns in its favour. We have policies, procedures and instructions for configuring and using personal devices. It's been incorporated into our on-boarding and training agendas. However we are not asking or encouraging our users to bring/use their own devices."

But Smith C Scott, director of technology at 32Ten Studios, said the security, management, support and liability for the device "are all too difficult to parse".

Meanwhile John Gracyalny, VP IT at SafeAmerica Credit Union, said: "I can't imagine it ever being allowed in our industry - banking - due to security and privacy regulations. We do, however, provide a wi-fi connection via a DSL circuit that does not touch the corporate network anywhere, for senior managers and board members who want access for their smartphones and tablets. They can get to the net, but not to our systems."

Want to be part of TechRepublic's CIO Jury and have your say on the hot issues for IT decision-makers? If you are a CIO, CTO, IT director or equivalent at a large or small company, working in the private sector or in government, and you want to join TechRepublic's CIO Jury pool, or you know an IT chief who should, then get in contact.

Either click the Contact link below or email me, steve dot ranger at techrepublic dot com, and send your name, title, company, location, and email address.

About

Steve Ranger is the UK editor of TechRepublic, and has been writing about the impact of technology on people, business and culture for more than a decade. Before joining TechRepublic he was the editor of silicon.com.

5 comments
aubreedonatelly
aubreedonatelly

I know the CIO's were split on the benefits of BYOD, but once we got our doctors to use Tigertext for text messaging in HIPAA envioronments, we saw a big increase in productivity. I agree that BYOD is one of the biggest issues now facing CIO's. We are dealing with this issue in the healthcare industry and it is a big issues because of the HIPAA compliance issues. Biggest being that doctors use thier cellphones and tablets to send confidential info by text message, such as patient discharge times. We ended up solving the problem by getting the doctors to use Tigertext so their text messages would auto delete after a certain period of time. This is not a big IT solution, but it was cost effective and took care of the issue we are most likely to be sued over. Still, the IT industry as a whole really has several large issues to deal with concerning BYOD, and it may take companies implementing several software and services to deal with it.

VerivoSoftware
VerivoSoftware

While there are certainly mixed views out there about BYOD, the benefits in terms of mobilizing the workforce outweigh the security issues. A sensible BYOD policy is potentially a great way to get more people in a company to use mobile business apps, and have them running on devices they’re already comfortable and familiar with. And many of the security issues that BYOD creates can largely be resolved if the apps are built using a platform with integrated security capabilities that allow IT to easily wipe the data or remove the application from the device, should a device be lost or stolen. Here is a blog that may be of interest to you: http://www.verivo.com/mobility-watch/the-rise-of-mobile-app-management/

Dyalect
Dyalect

Between peoples personal information and work information. As an end user do you feel comfortable that your personal photos, contacts, rants etc won't be subject to corporate policy / scrutiny? What about data that goes from a corporate environment onto a personal device? What risks arise when you remotely wipe and non-work device and someone loses some valuable information? Too many headaches to count.

Originalbob
Originalbob

CIOs interested in BYOD should check out Rover Apps, which solves the BYOD dilemma by delivering secure access to enterprise resources without the need for VPNs or mobile device management. The Rover solution has two components: Rover Gateway and Rover Retriever. The Rover Gateway publishes existing intranet sites (such as SharePoint), line-of-business applications, documents, and internally developed apps to any popular personal device running Rover Retriever. Publishing can begin within minutes of installation, and IT has full control over policies and which devices are allowed to connect. Rover Retriever is an app that mobile users install to access information published by Rover Gateway. Retriever is a “container” solution that doesn’t affect the rest of the device, and communications occur over a private communications link with high levels of encryption, with all mobile devices kept off the enterprise network. This scenario empowers IT to easily extend application access to any personal device while retaining full control over the “secure island” of corporate data. With company information Isolated from other mobile device information and settings, users are free to use their personal apps at will. For more info, and to download a demo, visit www.roverapps.com. Note: I work for Rover Apps.

Michael_Spears
Michael_Spears

I think sometimes we muddy the waters mixing issues together. Is the real question, mobile devices, cloud storage, and other consumer focused technologies? We all have to struggle with these issues. I don't think BYOD makes it any better or worse. My company enjoys the benefits of BYOD, but still has to focus on issues like keeping corporate data out of personal Dropbox-like services, mobile security, etc. The issue of who owns the device is increasingly irrelevant. Management tools are readily available and mature enough to manage the devices. BYOD can actually help focus on the core issues instead of pretending that your users aren't working around your controls and using personal e-mail accounts, cloud services, etc. just because you don't have a BYOD program.