Bill Murphy, CTO and managing director at Blackstone, a global investment and advisory firm, knew he wanted to find a way to allow employees to use their own devices for work. The demand was there, and he was increasingly hearing about how adding in BYOD would help productivity.
"The whole focus on allowing employees to bring whatever device they want was less important than to give them tools that they feel comfortable with, that are easy to use as consumer tools. That's what we've been trying to do - to make it a pleasant experience to get work done."
But with responsibility for about $US210 billion in assets, there were naturally a few issues to consider with regard to documents and sensitive information. Financial documents, floating around unsecured on user-owned devices, just wasn't an option.
[Avoiding basic BYOD blunders]
The answer came in the form of the iPad. About 18-24 months ago, Murphy said the Apple tablet was really catching fire. Everyone had one, he noted, and those who didn't, wanted one. Why not allow employees to use them, restrict BYOD to one platform, and find the tools to secure it?
Today, among the 1800 Blackstone employees in 24 offices worldwide, there are currently 600 privately-owned iPads being used for work. Murphy expects that number will rise.
Murphy gave us the details of how he secures his employees' devices, and why keeping his policy to BYOA(pple) works.
CSO:What was the main driver in deciding to allow employees to use their own iPads?
Bill Murphy:Productivity was a primary reason. People have been carrying some form of email device in our industry for some time. While folks have been able to do more outside of work with a smartphone, I don't know how many work-related tasks they are able to complete other than checking email on their phone.
The tablet is the thing that changed the game. The tablet is a real productivity enhancer. We see people travel now with their iPad and not bring their laptop. The reading use case on a tablet is way more enjoyable than on a laptop. Every morning I'm using my tablet before I get to work where as previously I sat at a laptop.
We wanted to get that translated over into the office. If you can have all of your documents with you on a tablet, it is so much easier to carry around on a laptop.
What is your security approach to the devices? As a financial firm, you obviously have a lot of sensitive information that needs to be carefully guarded.
There are two types of security. The first is securing the device, and we work with MobileIron on that. With regard to the documents, we work with WatchDox, which offers us a document experience that allows us to put our most sensitive docs in the Watchdox repository, have them sync to mobile devices, and not worry that those docs are going to get in the wrong hands by whatever means.
How?
There is digital rights management (DRM) built into the document. Through the WatchDox viewer you can read all of these very sensitive documents for both internal and external business purposes. But if someone lost the device, or tried to forward the document, it would be useless outside of a permissions-set of specific folks.
[Should security be responsible for BYOD policy?]
As of now, you are only allowing Apply devices as part of you BYOD policy?
Yes, I guess you could say we have a BYOAD (Bring Your Own Apple Device) policy, or a Bring Your Own iOS Device policy.
Currently, our set of users are primarily interested in Apple devices. I'm not saying that might not change if someone comes up with something better. But, for now, it's clearly the market leader and is easier for us to support a single set of devices. So we've capped it at that and not delved into the Android realm. We've looked at the Windows devices and we don't feel like we are at a point where we need to support that yet either.
Was it simply user demand and interest, or were there other reasons you decided things would be strictly BYOA?
It came down to the expectations of our users for support. And maintenance is high. In order to provide that level of support, there are limitations. That's the trade off.
If you have a low support culture where it is fend for yourself and no support for devices, then BYOD works well. But if you have a high-touch, white-glove maintenance model, BYOD puts a significant strain on your resources because of the proliferation of different problems on different operating systems.
How long do you anticipate you'll remain with just Apple devices allowed in your organization?
It all depends on the devices. If there is something truly better, we will move to it, or allow it in addition.
We are constantly combing and listening and staying on top of what is truly interesting, but we have not had a ground swell of need for other devices.
So, no demand among employees? No one showing up in your office asking to use something other than an iPad?
Right. We basically said you can have a Blackberry supported by us or you can get an iPad. Other than that, you're stuck.
[With BYOD, data breaches just waiting to happen]
What is the feedback of employees?
So far, so good. They really enjoy the convenience of WatchDox and being able to have their documents with them all the time. A lot of them don't really understand how secure it is. And I think that is key in driving adoption of technology. Everyone usually believes security is a tax on usability. Being able to have a secure product that is also usable allows the security to recede into the background -- and makes my head of security happy with it, too.
As far as the users know, they can have all of their documents and collaborate with them as they have before.
What was the C-suite reaction to this policy?
There was certainly a sales pitch in terms of the value. But, again, I think the iPad was the game changer. Everyone got one and everyone loves it. So, kudos to Apple as it relates to changing behaviors. It wasn't something you had to drag people to. It was something they were pushing to use.
We now have C-suite execs who previously had very limited screen time that are now consuming their email via iPad, and bringing it on the road when they previously didn't use technology at all while traveling.
Have you been able to measure any ROI on this yet?
We have two different use cases to explain ROI. The first is we've implemented WatchDox at our conferences. Employees can bring their own iPads, or we give them loaners for the day if they don't have one. In doing this, we have cut out hundreds of thousands in printing costs.
Internally, with everyone bringing their own iPad, the ROI is tremendous because we are adding value, and the cost is relatively contained to a WatchDox license, which isn't super cheap, but its very easy to measure value add just in cheaper Fed Ex costs, or improved productivity, for example.
What's next?
We haven't sponsored significant firm-wide purchase of iPads, which would obviously change cost dynamics, but we are looking at that. I don't know what the right answer is on that, or when it is going to become such a core tool that the firm has to provide that for our users, but we are continuing to measure and figure out of that is the case -- and see if it's necessary to do that or not.