Wireless devices are multiplying, making more people more productive . . . and creating enormous management, support and security headaches for CIOs. You need a plan for juggling these new gadgets. Here's the plan.
- How to determine who needs what service
- Why your beta testers should not be technologically sophisticated
- The hidden costs of deployment
You like to be in control. What executive doesn't?
But mobile and wireless devices, for all their potential and allure, introduce an element of lawlessness to your carefully crafted systems. They take data outside the walls of the enterprise, and the moat you've dug around your digital castle - the hardwired firewalls and virus protection that guard your desktops - means less than nothing to them.
And there's no controlling the demand for these handy new gadgets. Everyone wants a Wi-Fi-enabled laptop or handheld so they can e-mail their colleagues while sitting in the airport lounge or access critical sales applications on their network while meeting with customers. And now everyone wants a smart phone, a converged device that combines mobile phone and handheld functions. At worst, these gadgets are status symbols. At best, they increase your workforce's agility and improve productivity. And since all these gewgaws have become relatively cheap, how can you say no?
But the problem, says Richard LeVine, global lead for mobile security at Accenture, is that CIOs can only "try to align [their policies] with the users or butt heads with them.
"And if you butt heads, the users are just going to go around you."
What CIOs need desperately is a strategy for managing mobile and wireless devices. Elements of a good strategy include: First identifying if there's a business need for a device; segmenting your employees by job function; deciding on a list of devices that IT will (and will not) support; and last, devising a training plan for users and help desk staffers as well as enforcement mechanisms that will ensure device security.
If you try to fly without such a plan, you're sure to end up sitting amidst the charred ruins of a security and privacy disaster. Cautionary examples are multiplying daily. The recent incidence of laptop loss and theft - including the MCI financial analyst's laptop that went missing in April 2005 containing 16,500 names and Social Security numbers of current and former MCI employees - underscores the importance of securing devices with much more than a password. And then there's one of the more infamous accounts of BlackBerry boneheadedness: the Morgan Stanley exec who sold his dead BlackBerry on eBay for $15.50 after he left the company. Turns out the batteries had just run out, and the new owner found hundreds of confidential Morgan Stanley e-mails still on the handheld.
"If you allow people to bring in devices off the street, you are going to have a loss of control," says John Killeen, director of global network systems at UPS, which supports nearly 200,000 wireless devices worldwide. "You need policy, standards and enforcement."
If CIOs can maintain a visible and enforceable policy, and involve users in the process from start to finish, then the security of the devices will almost take care of itself. "At least 70 to 80 percent of adherence to corporate security policies is self-enforced by the people," says Roger Entner, vice president of wireless telecom company Ovum. "If they have a positive attitude, you will have much more cooperation [with security]."
What follow are lessons from CIOs in four industries that cover the entire life cycle of mobile and wireless devices. Through some pre-planning, risk management and training, they've gained a measure of control over mobile devices while still allowing their employees enough flexibility to get their jobs done. "Our challenge is to support multiple devices with multiple operating systems and capabilities so [that our users] are not constrained by the device," says Steve Novak, CIO of law firm Kirkland & Ellis.
Which sounds like a goal to which every CIO can subscribe.
Do the cost-benefit analysis
When CIOs begin evaluating a mobile and wireless device, they must first ask themselves: Is there a business need?
"You have to look at the benefit of what that person can get with the tool versus the added overhead cost of accommodating the tool," says Brian Bonner, CIO of Texas Instruments (TI). Bonner and TI take a pretty hard line on adhering to their mobile device standards. TI's users know that if a new toy doesn't correlate to TI's customer base or products, or if it creates an unnecessary risk, then Bonner isn't going to go for it. "It has to relate to how we serve a customer better or get a product to market quicker," he says.
So if the cost of the device, or the risk it generates, doesn't equal the business benefit, CIOs should just say no.
"It's no different than use of desktop PCs or laptops," says Eric Maiwald, a senior analyst for Burton Group who published an extensive report last March on handheld device security. "CIOs should use those same requirements and analyses with handhelds." In the Burton Group report, Maiwald points out that handheld devices are expensive for companies, both in terms of the direct cost of the devices as well as the added costs of protective mechanisms, such as encryption and authentication features, to secure them. "The use of handheld devices may increase employee productivity, but it may also increase the risk to the organization," he says.
So just what devices should CIOs roll out? Today's untethered knowledge worker usually needs a wireless laptop, and a handheld and mobile phone - or a smart phone. Sales of mobile PCs, PDAs and phones grew 66 percent in 2004, according to In-Stat/MDR, and 90 percent of laptop PCs are now shipped with WLAN cards. Also appearing on the CIO's radar: camera phones, tablet PCs, Wi-Fi broadband connections for home workers, handheld scanners and RFID devices, and new hybrid Wi-Fi/mobile phones arriving from Asia.