As mobile devices continue a steady march into government offices, CIOs face a conundrum. They want to provide network access for personal tablets and smartphones, but worry about the security risks associated with a BYOD program. Early adopters have a message for those agencies just getting started – don’t let fear stop you.
Many public CIOs say that a security philosophy must be established early in order to implement a successful BYOD policy. By understanding the degree of risk an organization is willing to accept in advance, everyone is on the same page, allowing the mobile environment to thrive.
“You can never get risk-free and you’re foolish if you think you’re not adding more risk, regardless of what any vendor tells you,” said Otto Doll, CIO of Minneapolis, Minn. “I’m sorry but the bad guys out there are seemingly always having an ability to crack everything anyone creates. So [risk acceptance], to me, is really a big first step for anyone.”
Minneapolis kicked off an extensive BYOD program in 2009. At first the program was just for smartphones, but it was later expanded to tablets and other devices when Doll took the CIO job a couple years later. The city also launched its own internal app store for users.
The city of Minneapolis – at least for the moment – operates almost exclusively as an iOS-based shop. While Android phones and tablets are permitted on the network to access the Web, city business functions and the app store are entirely iOS. So users accessing the city network to do their work on personal devices are almost all using iPads, Doll said. He added that Windows-based devices will be supported starting in July.
The decision not to support every device is another suggestion Doll had for local governments eyeing BYOD policies. He explained that the city’s IT team has found that not all types of smartphones can get into the network. And while most do, he encourages decision-makers to evaluate the ROI on keeping up with each new device and platform hitting the market.
Doll says it doesn’t make a lot of sense as an organization to try and support everything, and employees need to be aware that if they want to use their personal technology for business purposes, their choice of device might be restricted.
5 Steps to BYOD Success
Establish a security philosophy. Local governments need to decide early-on how much risk they are prepared to accept by allowing personal devices to be used for government business.
These tips were compiled by Government Technology's Brian Heaton based on interviews with Otto Doll, Nick Roethel and Joel Hartley.
“I don’t think we’ll ever be in a position where our attitude will be we’ll choose one thing and that’s all you can do,” Doll said. “But on the other hand, we’re not going to accept that we need to make work anything that’s brought to us. You have to … be able to ensure the organization and your employees understand that stance.”
The Metropolitan Transportation Commission (MTC), which handles transportation planning, coordinating and financing for the nine-county San Francisco Bay Area, started its BYOD program in 2013. Nick Roethel, IT strategy and operations manager for the MTC, said government agencies need to consider various “what if” scenarios when establishing policy for personal devices in the workplace.
One of Roethel's biggest concerns is document and data management. Because tablets are becoming more popular for traveling employees, a number of mobile tools are being used to create and edit official documents on personal devices.
This can lead to problems down the road if legally discoverable documents are stored on commoditized storage servers such as Dropbox, Google Drive and Microsoft OneDrive, Roethel said. He encouraged agencies to write a BYOD policy that provides clear oversight, but enough trust in the user to make the correct choices when working with public documents.
Roethel adds that giving employees the freedom to bring in their own equipment can trigger additional support demands.
“Once employees taste the freedom of choosing [to bring] their own mobile device, they will begin questioning the entire technology equipment-provisioning model,” Roethel said. “Users will begin asking, ‘if I can bring my own iPhone, then why can’t I bring my own Mackbook?’ And in reality, that’s a great question. If you’re not thinking about the answer, you’d better be, because … you’ll find many folks that sneak in their own devices to do presentations and create/edit documents.”
Securing early buy-in on a BYOD program from both employees and senior management is a key to success, according to Joel Hartley, CIO of Davidson County, N.C. The county has had a BYOD plan in place since 2005, but it’s strictly for smartphones. Employees are paid a monthly stipend for the business use conducted on their personal devices.
Hartley said it was "fairly easy" to gain management approval and roll out the county's initial BYOD implementation. The biggest challenge was communicating with employees about the new program and what it entailed. He stressed that education on the policy and IT knowledge of various devices and operating systems were paramount for long-term success.
Doll added that making BYOD convenient and easy is critical. He noted the value of mobile device management solutions, which can help CIOs push updates and security profiles to employees’ existing or new devices. That can be important factor for a BYOD program’s success, as people generally upgrade their personal computing technology at a much faster pace than what an IT organization is accustomed to.
“If you’re in a much larger organization, you might find a lot of change in what somebody uses over the course of a year,” Doll said. “I think that’s because now you’re dealing with [technology] that’s coming from a consumer standpoint and not as an enterprise IT organization.”