Role-based management is not an uncommon practice in IT security programs. IBM CIO Jeanette Horan, however, is taking this technology strategy management approach to a whole new level. She is experimenting with it as part of an IT strategy that touches 180,000 users in 170 countries and that is being carried out by several thousand IT workers.
The idea for role-based management began to take shape about a year ago, with a "day in the life of" project in which IT staff were asked to walk in a user's shoes, Horan said. Specifically, she asked them to choose 20 job roles to shadow.
We are thinking about what's the right tool for these people in these different roles.
"This was a representative sample of different job categories in different countries. We interviewed them and asked, 'What do you do?'" Horan said. The aim of the interviews was to get a detailed sense of how these representative employees spent their days. "Somebody might start by saying, 'I'm traveling, and I go into Starbucks in the morning and I log in and talk with my kids on Skype.'"
Her team came away with patterns of behavior -- what IBM people did, the tools they needed to do their jobs and the security risks in the ways they used them. The data collected has formed the basis of a role-based management strategy that could bring about some pretty big changes in how the company provisions IT. "We are thinking about what's the right tool for these people in these different roles -- everything from the physical device to the operating system," Horan said.
One result of the project so far is the provisioning of some users -- the ones who "have the most potential to do damage if they got infected," Horan said -- with hardened Linux operating systems. But she's quick to point out that this is not a blanket policy: "If I tried to impose that set of policies and technologies on my research community, I'd have complete anarchy -- mutiny."
Role-based management influencing BYOD
Horan's role-based management approach has helped her to refine IBM policies for smartphone use (see sidebar). Tablet use policies, on the other hand, are a work in progress.
IBM's BYOD smartphone program
- One-third of IBM's 180,000 employees are part of the corporate managed-smartphone program. ("In reality, we provide them to about half of the IBM population because we have a lot of exceptions," CIO Jeanette Horan said.)
- Most employees get only basic functions: email, calendar and contacts.
- Virtual private networks are being evaluated for broader access to all IBM internal applications. About 5,000 users are using VPNs now.
- Only a limited number of BlackBerrys, Androids and iPhones are covered. Employees have to buy devices that aren't covered, but IBM will pay the bill if they are eligible for the corporate plan.
As it stands, IBM does not buy tablets for employees. But Horan recognizes that "a ton of" employees are using them, and even foresees a day when tablets could replace laptops at IBM. In the meantime, by looking at bring your own device (BYOD) from a role-based management perspective -- she also calls it "segmenting the workforce" -- IT is moving away from the one-size-fits-all user strategy that has predominated at IBM.
"We are really trying to think much more about those different employee segments and what people's roles are, and really think, is there a class of people for whom a tablet could become their primary device?" Horan said.
Tablets, for example, could make sense for IBM's strategic outsourcing job functions -- data center and business process outsourcing, businesses with a lot of help desk employees, who by job definition are not mobile. A tablet designed to be a "kind of virtual desktop" would make sense for these employees, primarily for security reasons, Horan said. "The other attribute with that [type of] employee is higher turnover, so I have more sensitivity around what [company intellectual property] walks out the door," Horan added.
For now, Horan is determining the workforce segments she believes need a mobile device to get their jobs done and could be eligible for IBM's corporate managed-BYOD plan.
More about mobility strategies
Even these roles have plenty of nuances, however. "If I told some people they must bring their own device, in some countries I'd run into work council issues or privacy concerns," she said. Then there are the legal issues around wiping data on a lost device that also contains personal data.
And BYOD at IBM -- at least for the foreseeable future -- will come with rules, regardless of the job role. Or, to put it in Horan's words: "Here are my rules. Agree to my rules or don't connect to my network. In your case, it's an IBM device and if you choose to put personal information on it, I'm sorry. I didn't give it to you for personal reasons; I gave it to you for business reasons. So right now, we have that separation."
Let us know what you think about the story; email Christina Torode, News Director.