In 2007, Ford Motor Co. began exploring bring your own device (BYOD) programs for more than 70,000 salaried employees. By 2009, corporate- and individual-liable device programs had been introduced to employees in 20 countries. In this first part of a two-part interview, Randy Nunez, senior network engineer at Ford's Mobile Computing IT Enterprise Technology Research division, talks about how and why the automaker deployed a BYOD program, the risks involved, and why a participation agreement is so important.
In the second part of this interview, Nunez discusses the security practices behind the BYOD programs; how the consumerization of IT, including mobility, is changing the way IT supports and delivers services to the business; and how users can help keep enterprise wireless network costs down.
SearchCIO.com: Why did you decide to implement a bring-your-own-device program at Ford?
Randy Nunez: It was really caused by what's happening in the corporate environment, especially around the concept of the consumerization of IT. Instead of technology being brought in from a corporate standpoint and people using it, people are starting to be able to bring these types of technologies in from their personal lives. They have direct access to technology, and it's affordable. They're able to use it and assimilate it much faster than the corporate environment can. So, we have a lot of people who have their own smartphones today, and they just want to enable those devices in their work life as well as their personal life.
Do you have more than one type of BYOD program?
Nunez: Initially we just had a corporate-liable program; it's focused on a few device types, and Ford provides the devices, pays for the service and provides help desk support. We looked at alternatives to growing the number of smartphones in the environment because people find it very productive.
One of the alternatives was to expand the corporate program. As we looked at doing that, the cost, from a device, plan and especially from a support standpoint, was very high. So, we started looking at more of an individual-liable device [ILD] program, and that's when we looked at some options of what level of support we could provide, what devices we could support and funding models -- who would pay for what.
We established a program we call ePOD -- email on personally owned devices -- and the structure of the program is [that] the individuals purchase the device, they pay for the plan, and the support model is self- and community support. The idea there is that we have a lot of individuals who understand the technology, and by creating a forum where we can share that information, we can provide more of a community support model versus a rather expensive help-desk support model.
How is it decided which program is better suited for each employee?
Nunez: The ILD program is more one for the casual user. If you need a smartphone that is business-critical for your job function, you should participate in the corporate-liable program. That's very important because if there is an outage, with our community support [with the ILD program], it's [the employee's] best effort to get things back up and working.
We have a profile for each program on one of our forums that lists different attributes for people who would fit into a corporate-liable versus an individual-liable program.
A participation agreement is set up so that users know exactly what Ford's responsibility is and what their responsibility is.
Which devices do you support under the corporate BYOD program versus the individual-liable or ePOD program?
Nunez: From the corporate program perspective, we support a few models of Research In Motion's BlackBerry product. On the ePOD program, we support quite a number of models of BlackBerrys and iOS devices, which can include iPhones, iPod Touches and iPads.
Who needs to be involved in developing a BYOD program to ensure that different groups within an enterprise are comfortable with potential risks and security?
Nunez: We created a cross-functional workgroup; and it was not only IT folks, but we had folks from auditing, from legal, from HR -- groups that would be impacted by this. What that does is give people a sense that their voice is being heard, that their concerns are being addressed and that their input is valued. People in all those groups are interested in personal productivity as well; they just may have a particular vested interest in certain parts of it -- to make sure it's secure or legal, for example.
Does a bring-your-own-device program cause an enterprise organization to assume more risk?
Nunez: Anytime you're putting content on devices that have some propensity to be lost or misplaced, there is a certain level of additional risk around things like data leakage. What it does do is help you focus on what it is that is important for you to secure, and what tools and technology you can leverage to enforce those minimum security requirements.
What advice would you give other enterprises interested in introducing a bring-your-own-device program?
Nunez: Have a participation agreement. A participation agreement is set up so that users know exactly what Ford's responsibility is and what their responsibility is. They understand what the support model is, who pays what costs, what the conditions are of the program. That's extremely important in these programs so everyone understands their roles and responsibilities.
Another piece of advice is understanding the existing smartphone environment. It's not at all like the PC environment where you have one dominating operating system. You have multiple smartphone operating systems in use today. It's become a very personal choice, so it's very hard to dictate a particular smartphone OS, even a particular model, because people want to be able to use it in the way they want to use it. They have certain preferences around either virtual keyboard versus a hard keyboard, for example.
So, I think you have to look at smartphone OS environments and understand what your security requirements are and the ability of the smartphone platform OS to meet those [requirements] -- or at some kind of additional security tools like mobile device management that can meet your requirements.
Let us know what you think about the story; email Christina Torode, News Director.