How Blackstone is finding BYOD success with BYOA(pple)

Among the 1800 Blackstone employees in 24 offices worldwide, there are currently 600 privately-owned iPads being used for work

Bill Murphy, CTO and managing director at Blackstone, a global investment and advisory firm, knew he wanted to find a way to allow employees to use their own devices for work. The demand was there, and he was increasingly hearing about how adding in BYOD would help productivity.

"The whole focus on allowing employees to bring whatever device they want was less important than to give them tools that they feel comfortable with, that are easy to use as consumer tools. That's what we've been trying to do - to make it a pleasant experience to get work done."

But with responsibility for about $US210 billion in assets, there were naturally a few issues to consider with regard to documents and sensitive information. Financial documents, floating around unsecured on user-owned devices, just wasn't an option.

[Avoiding basic BYOD blunders]

The answer came in the form of the iPad. About 18-24 months ago, Murphy said the Apple tablet was really catching fire. Everyone had one, he noted, and those who didn't, wanted one. Why not allow employees to use them, restrict BYOD to one platform, and find the tools to secure it?

Today, among the 1800 Blackstone employees in 24 offices worldwide, there are currently 600 privately-owned iPads being used for work. Murphy expects that number will rise.

Murphy gave us the details of how he secures his employees' devices, and why keeping his policy to BYOA(pple) works.

CSO:What was the main driver in deciding to allow employees to use their own iPads?

Bill Murphy:Productivity was a primary reason. People have been carrying some form of email device in our industry for some time. While folks have been able to do more outside of work with a smartphone, I don't know how many work-related tasks they are able to complete other than checking email on their phone.

The tablet is the thing that changed the game. The tablet is a real productivity enhancer. We see people travel now with their iPad and not bring their laptop. The reading use case on a tablet is way more enjoyable than on a laptop. Every morning I'm using my tablet before I get to work where as previously I sat at a laptop.

We wanted to get that translated over into the office. If you can have all of your documents with you on a tablet, it is so much easier to carry around on a laptop.

What is your security approach to the devices? As a financial firm, you obviously have a lot of sensitive information that needs to be carefully guarded.

There are two types of security. The first is securing the device, and we work with MobileIron on that. With regard to the documents, we work with WatchDox, which offers us a document experience that allows us to put our most sensitive docs in the Watchdox repository, have them sync to mobile devices, and not worry that those docs are going to get in the wrong hands by whatever means.


There is digital rights management (DRM) built into the document. Through the WatchDox viewer you can read all of these very sensitive documents for both internal and external business purposes. But if someone lost the device, or tried to forward the document, it would be useless outside of a permissions-set of specific folks.

[Should security be responsible for BYOD policy?]

As of now, you are only allowing Apply devices as part of you BYOD policy?

Yes, I guess you could say we have a BYOAD (Bring Your Own Apple Device) policy, or a Bring Your Own iOS Device policy.

Currently, our set of users are primarily interested in Apple devices. I'm not saying that might not change if someone comes up with something better. But, for now, it's clearly the market leader and is easier for us to support a single set of devices. So we've capped it at that and not delved into the Android realm. We've looked at the Windows devices and we don't feel like we are at a point where we need to support that yet either.

Was it simply user demand and interest, or were there other reasons you decided things would be strictly BYOA?

It came down to the expectations of our users for support. And maintenance is high. In order to provide that level of support, there are limitations. That's the trade off.

If you have a low support culture where it is fend for yourself and no support for devices, then BYOD works well. But if you have a high-touch, white-glove maintenance model, BYOD puts a significant strain on your resources because of the proliferation of different problems on different operating systems.

How long do you anticipate you'll remain with just Apple devices allowed in your organization?

It all depends on the devices. If there is something truly better, we will move to it, or allow it in addition.

We are constantly combing and listening and staying on top of what is truly interesting, but we have not had a ground swell of need for other devices.

So, no demand among employees? No one showing up in your office asking to use something other than an iPad?

Right. We basically said you can have a Blackberry supported by us or you can get an iPad. Other than that, you're stuck.

[With BYOD, data breaches just waiting to happen]

What is the feedback of employees?

So far, so good. They really enjoy the convenience of WatchDox and being able to have their documents with them all the time. A lot of them don't really understand how secure it is. And I think that is key in driving adoption of technology. Everyone usually believes security is a tax on usability. Being able to have a secure product that is also usable allows the security to recede into the background -- and makes my head of security happy with it, too.

As far as the users know, they can have all of their documents and collaborate with them as they have before.

What was the C-suite reaction to this policy?

There was certainly a sales pitch in terms of the value. But, again, I think the iPad was the game changer. Everyone got one and everyone loves it. So, kudos to Apple as it relates to changing behaviors. It wasn't something you had to drag people to. It was something they were pushing to use.

We now have C-suite execs who previously had very limited screen time that are now consuming their email via iPad, and bringing it on the road when they previously didn't use technology at all while traveling.

Have you been able to measure any ROI on this yet?

We have two different use cases to explain ROI. The first is we've implemented WatchDox at our conferences. Employees can bring their own iPads, or we give them loaners for the day if they don't have one. In doing this, we have cut out hundreds of thousands in printing costs.

Internally, with everyone bringing their own iPad, the ROI is tremendous because we are adding value, and the cost is relatively contained to a WatchDox license, which isn't super cheap, but its very easy to measure value add just in cheaper Fed Ex costs, or improved productivity, for example.

What's next?

We haven't sponsored significant firm-wide purchase of iPads, which would obviously change cost dynamics, but we are looking at that. I don't know what the right answer is on that, or when it is going to become such a core tool that the firm has to provide that for our users, but we are continuing to measure and figure out of that is the case -- and see if it's necessary to do that or not.

Join the CSO newsletter!

Error: Please check your email address.

Tags ApplesecurityBlackstonemobile

More about AppleBillCSOMobileIronWatchDox

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Joan Goodchild

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts