California's budget crisis sparks controversial 'BYOD' plan to save money

ORLANDO, Fla. -- The state of California's staggering budget problems -- now an estimated $16 billion shortfall -- have put Chris Cruz, deputy director and chief information officer at the state's Department of Health Care Services (DHCS), in a tough situation. Because of the state's ongoing fiscal crisis, he, like other agency managers, last year was told to cut use of state-issued cellphones by 50% as a cost-saving measure. Cruz decided one way to hold down costs at DHCS, which was using BlackBerries, was to have agency employees use their own smartphones instead -- without any subsidy.

This bring-your-own-device (BYOD) strategy has been controversial, pitting him against the state employee unions which are fighting it since it effectively shifts device and service costs to employees who are not being given any stipend. Cruz acknowledges he also fights over BYOD with his information-security officer, who thought it too risky. But if tough times call for tough measures, Cruz is not backing down, and says his strategy to manage and secure the employee-owned smartphones is working.

MORE: Gartner: Cloud-based mobile-device management (MDM) getting hot

"As a Gen X guy," said Cruz, who spoke about his BYOD strategy during this week's Gartner IT Infrastructure & Management Summit here, I was "looking at IT" not so much as a risk as an "opportunity." And that opportunity was a form of BYOD.

"We had 1,500 BlackBerries," said Cruz, and he had to meet the mandate set by the state last year to cut cellphone use by 50%. Each was costing $110 per month, he said, and "I wanted to get rid of them."

Instead, DHCS, the large California healthcare agency which supports Medicaid and Medicare services, wouldn't buy new smartphones, but ask employees to use their own smartphone for work purposes. The employee using their personally owned device for work data would have to agree to have the mobile device management (MDM) software that was selected, called Good Enterprise, installed on their mobile device so that DHCS would have the enforce policies and the ability to wipe it if it were lost or stolen. The Good Technology software creates an "unbreakable partition" between personal and business data, Cruz pointed out.

"DHCS mandated to have all mobile devices encrypted," Cruz said, adding encryption is something that's required and audited by the agency that's part of the U.S. Department of Health and Human Services, called the Centers for Medicare and Medicaid Services.

The information-security officer last year who initially objected to the BYOD idea, thinking it too risky, had his job changed so that he now reports directly to Cruz, who says he think the job of security staff is not to stop IT but to help mitigate risk.

But Cruz hasn't been able to fend off the objections of California's state-employee unions so easily -- they don't want DHCS employees to have to bring their own phones. It may be "we can't force rank-and-file employees to buy phones," Cruz acknowledges. Negotiations are ongoing, and it's not clear right now whether there will be a compromise or what it will be exactly.

Because of ongoing negotiations with the unions over this, the DHCS BYOD plan isn't being made "mandatory" and is considered "voluntary" at this point, Cruz explained. But some users are getting on board, and the department reckons it's eliminated about $400,000 in costs.

"My goal is to eliminate mobile laptops over time," says Cruz, saying he expects to save about $1.6 million "by not refreshing laptops." Instead, the Good Technology software might be loaded onto tablets like iPads. DHCS is also looking at using the Citrix XenDesktop virtualization technology as well.

The idea is to allow workers more freedom to work from home if they use their own equipment. The department did look at providing stipends for employees, but decided "that contradicted the idea of saving money for the state," said Cruz. Other state CIOs, he acknowledges, weren't too keen on his agency's BYOD plan at the beginning, but criticism may be softening. In fact, says Cruz, DHCS won one of the "Best of California Technology Awards" last week for "Best Mobile/Wireless Project" from the Center for Digital Government.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about anti-malware in Network World's Anti-malware section.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts