April 15, 2011 8:19 pm
Sometime around the middle of last year – shortly after Apple’s first generation iPad was launched – the IT department at Unisys, the IT consultancy, noticed that an increasing number of employees were asking for help to hook up their iPads and other personal portable digital devices to the firm’s IT systems.
Most wanted to be able to access their Microsoft Outlook company email, calendar, contact list and other services on their own devices.
“People started carrying around multiple devices in the office, and it became clear to the CIO that he needed to be able to address this trend towards the consumerisation of IT,” says Patricia Titus, chief information security officer at Unisys.
Rather than fight against this ‘consumerisation’ trend, the firm decided to embrace it through a series of in-house pilot projects and then share what was learned with the firm’s clients.
Provided the IT department was able to authenticate the device and maintain system security, Unisys decided to allow basic access to these popular applications. As a result, what began as a trickle of ‘bring your own technology’ enthusiasts turned into a torrent. Today about a third of the company’s 25,000 employees are using their own personal smartphones and PC tablets to access company email and other data as part of the pilot project.
Currently the pilot ‘BYOT’ project supports Android, iPhone/iPad and BlackBerry devices, but Ms Titus says it has been designed so that other devices could be supported in the future.
“The CIO did not want us to develop something that was not going to be flexible enough to accept most devices,” Ms Titus says, “because tomorrow morning we could wake up and somebody could be announcing something new. As long as it will allow us to meet a certain set of requirements, we should be able to accommodate most devices.” Specifically, the Unisys IT department must be able to load a software package onto the device that allows IT to secure it, encrypt data on it, authenticate it and remotely wipe it if necessary.
“We are really looking to allow people to use the device of choice because that way they are more efficient. They can use tools that they’re comfortable with. You get some people who want to have an Apple, you get some people who want to have a (Windows) PC and you want to be able to give people the freedom to choose but still feel like you’re maintaining the integrity of your own corporate intellectual property,” Ms Titus says.
Windows-based PC users who want to access the Unisys IT systems from home or using a portable machine must have a VPN (virtual private network) software client loaded onto their machine that actually checks that the device meets a number of criteria including having an up-to-date antivirus package. “If you meet that set of criteria it allows you a limited access, so you don’t get access to everything,” explains Ms Titus. For Apple users, Unisys has taken a different approach – building a secure virtual desktop environment. “We have run a pilot already with the Apple devices and found it very successful,” she says.
Unisys’ decision to embrace BYOT came at an opportune time for the consultancy. “It hit us pretty square between the eyes late last year that we needed to rethink our infrastructure and architecture,” explains Ms Titus. “We had actually divested ourselves of some lines of business and so it seemed like the perfect opportunity in 2011 to rethink our entire network enterprise approach and to address the consumerisation model.”
Crucially that strategy needed to differentiate between what Ms Titus calls the Unisys ‘crown jewels’ – highly sensitive or valuable information – and the ‘costume jewellery.’
“You do not need to build Fort Knox or put security guards with all the guns and badges around your costume jewellery,” she says. “You still want to secure and protect it, but it needs less security.”
Even for companies that do not face the challenge of the consumerisation of IT, this approach can make sense, she says. “As CIOs get asked to do more with less they have to think differently about how to protect data. You cannot protect it all exactly the same anymore.”
Unisys itself has adopted an adapted version of the National Institute of Standards and Technology’s Risk Management Framework. Although designed primarily for use by the US Federal government, the framework takes the subjectivity out of looking at systems and data and helps IT departments determine what’s really critical and what is not.
“We wanted to take a methodology approach rather than trying to throw darts on the board at what we thought was critical,” says Ms Titus. “That is where we are at right now … we will use the framework to help us determine what security controls need to go on what systems, and make sure we do a gap analysis of what’s there and what needs to be there.”
The Unisys IT team has designed a video-based training programme to make those who do bring their own devices to work aware of the security and other issues related to that decision. The company also requires BYOT employees to sign a set of legal documents acknowledging, for example, that if the device is lost and the IT department needs to do a ‘remote wipe’ they could lose their own personal data, or that in the case of a legal investigation, they might lose the device altogether.
“It is written into the user agreement that Unisys will not reimburse the employee in those instances,” says Ms Titus. “They have to be made aware that this is a joint partnership between the company and our employees, and there is a responsibility on both sides of the fence to be clear about what the programme is and what is acceptable use of a personal device that may contain our data.”
Provided the BYOT and other pilot projects continue to deliver the benefits that Unisys expects, the firm plans to formally roll them out “no later than 2012.” But will they deliver cost benefits as well?
“That gets into the $50m question we all keep asking,” says Ms Titus. “I don’t know if it’s going to save volumes of money and whether we will see a huge return on investment because of the initial outlay we are going to have to make in changing how the IT systems are architected.” She adds, “I think the ROI is going to be over a period of time, but you have to balance that too with the amount of support you have to provide.”
Copyright The Financial Times Limited 2014.