Two years ago, when it became clear the trickle of personal devices entering Quest Software from the executive level would soon become a deluge from all fronts, CIO Carol Fawcett had to act. The same story was playing out at enterprises everywhere: It started with a few high-level executives wanting to use the iPad they got for Christmas at work. Soon, everyone from accounting to sales wanted -- "needed" – to use their own devices on the job.
In the face of this mobile device explosion, Fawcett decided that devices should be a secondary consideration in formulating a bring your own device (BYOD) policy. Instead, she focused on the real needs of employees. By putting people first, she came up with a strategy that not only pleased employees, but also made them more productive and kept company information secure. In the first part of a two part SearchCIO.com Q&A, Fawcett, who became Software CIO at Dell Inc. after it acquired Quest Software in September, talks about how she made it happen.
What was the tipping point for you on creating a BYOD policy?
Carol Fawcett: We saw the number and the variation of devices coming in, and knew if we continued to chase the devices, it would be a chasing-your-tail-type scenario and we'd never be in a winning situation. That's when we said, 'OK, let's stop the madness with the devices and turn this into what it should be: giving users access to applications and data that they need in order to get their job done.'
If we continued to chase the devices, it would be a chasing-your-tail-type scenario and we'd never be in a winning situation.
software CIO, Dell Inc.
That's how it morphed from a device conversation into an 'access and management for the specific individual' conversation, recognizing that regardless of what device they're going to use, the same security should apply as if it is sitting on our network.
How did you get started on this employee-focused BYOD policy?
Fawcett: First thing, we stepped back and said, what kind of situation are we in? How much of an issue do we have here? We needed to do some discovery work to figure out that we were even having this issue. That was part of step one -- the recognition that people are bringing devices into the environment, attempting to hook to our corporate network versus a guest network, and attempting to hook to the corporate network via their username and password when they shouldn't be. We used our own product, MessageStats, to figure out what kind of devices were in the environment and who was using them, and then we started categorization of end users.
How did categorizing end users help?
Fawcett: You could start to see, for example, [that] the salespeople seem to be bringing in a lot of tablets. With the accounting people, it looks like they're very happy with what we give them, but some also want to work from home. Then you have [the general population of employees], and pretty much every one of them wants to have email sent to a smartphone so they can be online anytime, anywhere. So, discovery was step one; understanding the roles and who fell into those roles was step two.
Once you knew the roles, what did you do with that information?
Fawcett: We could start attacking what kind of technology we needed to apply against this in order to make sure people have access via that right device. So, for example, the sales reps with tablets -- most of their applications were already Web-enabled; what we needed to do was give them a nice clean portal. Then we thought, what other applications and what other types of users would benefit from a portal? And so, we started to go down that path of categorizing and then associating people with the right means of access.
Read more about BYOD policies
Are CIOs wasting time managing BYOD policies?
IBM CIO experiments with role-based management, BYOD
How the CIO should prioritize BYOD policy, mobile innovation
The portal serves up only what you personally should be able to gain access to via your network login and password, and once you double-click on that application, you have access to only that application. We used that for mergers and acquisitions because in an acquisition situation, you don't have time to go to the newly acquired organization and figure out its network scheme and what kind of virus protection it has, et cetera, but you also don't want to wait to bring them into their new environment.
We gave that tool to the rest of the employee base for pretty much the same reason. We don't know what they're going to use at home or on their tablets or whatever kind of hardware they're choosing to access the application, but since these are Web-based applications, why not let them come in anytime, anywhere and on any device? That worked out great for that type of population who were going to access these Web applications.
How did you deal with employees who needed access to more than Web-based apps?
Fawcett: So, we looked at high-power users who need to be able to do a lot of content management and can't just use a tablet. They need something more powerful, they're a bit mobile. What we needed to do is make sure that the laptop, whether personal or corporate-owned, had that kind of access and that power without pulling that data down onto the device itself. So, that's where we stepped back and said, 'We need these folks to have desktops, but they can't be a physical desktop that they walk around with. Instead, how about a desktop in the data center? How about more of a VDI [virtual desktop infrastructure] approach, where they have the power and applications they need but they're just not pulling the data down?'
The final group consisted of people who were happy with a PC on their desktop and who were just going to be doing data entry. For them, there were two paths we could go down: We could say they're out of the [BYOD] program altogether, or we could gain some cost efficiencies by putting their desktop in the data center. This means you're not buying expensive desktops, you know it's backed up and you've got DR [disaster recovery] in place.
What was the last piece to tie the BYOD policy together?
Fawcett: All of it goes back to the identity and access management piece, which for us goes all the way back to Active Directory where all the employees live. Their roles are defined there, it's automatically provisioned out of our HR system using our identity management solution, so we know exactly when a new hire is coming in and who is their manager for workflow and whatnot. Then, on the day they leave, we make sure they're cut off. It's a nice closed loop.
In part two of this interview, Fawcett talks about some of the organizational and resource requirements needed to build a strong BYOD policy, as well as the benefits she's seen and why she thinks CIOs need to be involved in the process.
Let us know what you think about the story; email Karen Goulart, Features Writer.