CIOs Cope with Personal iPads and Smartphones on Secure Networks

As these user-friendly devices become intertwined with the average person’s daily habits, public CIOs are responding with formal policies.

by Andy Opsahl / August 12, 2011

With dazzling gadgets like iPads and Androids flooding the market, people who weren’t techies before are becoming geekier by the year. And CIOs get it. They know that a growing percentage of the government work force is conducting business on personal mobile devices.

As these user-friendly devices become intertwined with the average person’s daily habits — both business and personal — public CIOs are responding with formal policies. But not all agencies agree on whether to embrace or discourage the use of personal devices at work.

Nebraska, for instance, discourages them due to the potential for making sensitive data vulnerable and the risk of litigation over improper downloads. Yet even state CIO Brenda Decker acknowledges the benefits of allowing personal devices on the secure government network.

“We understand there is a cost advantage,” said Decker, pointing out that agencies could have fewer devices to buy if employees used their own. “There is also a convenience advantage to the employee,” she said. “I carry two devices — one for personal use, one for state use — and I have to be very cautious that my family understands this is my state device.”

Nebraska agency directors can approve the use of personal devices on a case-by-case basis.

“A lot of our employees look at it and see that they may have a dental appointment from 8 to 9 in the morning, but if they can sit in the doctor’s office with their personal PC and get that work done [or] put in an extra hour in the evening to make up the time — that’s advantageous to both the state and the individual,” Decker said. “We see there are some advantages. We just feel we have to be cautious about the data that’s going back and forth.”

Decker is right about the cost advantage. A pilot project that subsidizes data plans on personal devices for employees in the Delaware Department of Technology and Information already has produced tangible savings.

“We’ve seen about a 20 percent reduction in our wireless costs and an 18 percent reduction in the number of state-owned devices in that department,” said William Hickox, Delaware’s chief operating officer. His staff recently submitted findings to the governor and recommended taking the policy statewide. Hickox predicts that Delaware could save roughly $2.5 million annually.

Still, these policies raise plenty of questions for agency managers and IT leaders. Among them: Should agencies subsidize data plans for employees’ personal devices, since employees likely would purchase them anyway? Who will handle the workload of securing the numerous types of devices that employees are likely to bring to work? Should the help desk be expected to support those devices?   

As long-term budget shortages force public CIOs to create a new normal, many are considering a switch to personal devices as part of that evolution. Like any policy decision, determining the role of personal devices in the government workplace will bring its share of challenges, benefits, unintended consequences and implementation approaches.

They’re Doing it Anyway  

When Apple CEO Steve Jobs introduced the iPhone in 2007, he promised a cultural shift that would centralize all computing needs onto one mobile device. To an extent, Apple delivered on that lofty goal and devices like the iPhone and the iPad became wildly popular. Resistance became somewhat futile.    

In other words, public CIOs are recognizing that employees will attempt to use their shiny new devices regardless of the rules. Delaware succumbed to that inevitability in 2010 when it launched a set of security policies that let personal devices, mostly smartphones, safely access the secure state network. Despite the state offering agency-sponsored BlackBerrys, a portion of the work force insisted on using personal devices and accessed the network without formal approval. Not surprisingly, this made Delaware Chief Security Officer Elayne Starkey apprehensive.

“I’m sleeping easier at night because I know that, as of Nov. 15, we have closed a significant vulnerability,” Starkey told Government Technology last year.

Since then, attitudes have evolved in Delaware. The Department of Technology and Information’s subsidy policy creates a financial incentive for employees to use their personal mobile devices. If the pilot goes statewide, employees who are willing to turn in their state-issued devices will be reimbursed up to $30 per month for data plans on their personal smartphones.

Hickox said there was extensive debate about whether the state should pay for data plans that employees would probably purchase themselves. Simple cost savings settled the argument. Most state agencies pay $80 to $90 for each BlackBerry, Hickox said. Under his proposed change, employees would pay for their own devices, voice plans and associated taxes. The state would merely cover the $30 data plan. If state business increases the bill for an employee’s voice plan, the state will kick in an extra $10. Hickox said his team is careful to call the money a “reimbursement,” not a stipend, because a stipend counts as taxable income. Employees turn in their receipts each month for the reimbursement.

In North Dakota, a similar policy is in the works — its pilot allows iPads and other personal mobile devices on the network, and the state offers classes on how to safely use the devices. North Dakota CIO Lisa Feldner said she was shocked to learn that so many state employees used personal iPads at work; they were using wireless connections provided for guest access instead of connecting through the secure network.     

“Rather than taking the hard line stance, we’re saying, ‘OK, if you’re going to do this, we want you to know it’s still important to keep the network and the state’s resources secure,’” Feldner said.

The state hired a technology instructor from a public school district in North Dakota to teach the classes, which are consistently packed.           

Potential Gains with Personal Gadgets

When it comes to allowing personal devices on the network, some CIOs envision benefits beyond cost savings and employee satisfaction. Feldner, for instance, sees them as important tools.

“A lot of these devices allow people to be more productive, more so than perhaps a laptop does,” she said. “A laptop is a fairly large device, and maybe the battery doesn’t last very long. You can take an iPad or one of the newer tablet devices, have it on your lap and get a lot of your e-mail done. They don’t make any noise, you can take notes and you have a battery life that’s huge on all of these devices.”

Allowing employees to use these machines also is critical to retaining top IT talent, Feldner believes. Contrary to most of the country right now, North Dakota has a thriving economy due to its agriculture and energy industries. The state is home to Microsoft’s second largest campus, and Feldner directly competes for talent with a few nearby IT firms.     

“As you get the younger generation that grew up in the digital age, they expect to be able to use all of these devices,” she said. “They buy them anyway, and they want to use them at work.”

Feldner was also struck by how much faster nontechnical employees learned to use commercial devices like the iPad compared to government-issued laptops. “I don’t know why these devices are more user-friendly,” she said, “but they seem to be.”  

Looking east to Montgomery County, Md., CIO Steve Emanuel recently received some seed money to enhance the county’s mobile IT strategy. Emanuel, who likes using his iPad at work, may use some of his new funds to see if personal devices could reduce his maintenance staff’s workload.

One idea, which is still incubating, is to pay employees stipends to purchase maintenance plans for their personal devices. Since other counties have achieved efficiencies by offering stipends for personal cell phones used at work, Emanuel said stipends for maintaining tablets and other devices might alleviate his help desk’s workload. The incentive for end-users, Emanuel said, would be that they could pocket any of the maintenance stipend they didn’t use. When it comes to connecting the devices to the network, Emanuel said help desk workers possibly could write employee guides based on the similar menu systems used in the various commercial devices.

Emanuel emphasized that employees who take the stipend would be expected to be savvy, educated end-users who can handle most device problems on their own.

“The stipend process would say, ‘We’re paying you to use your equipment. If you have a problem with it, you need to have a plan B,’” Emanuel said. 

Time will tell whether Emanuel’s idea to subsidize private maintenance plans comes to fruition. Some other local officials, like CIO Gary Cavin of Columbus, Ohio, are willing to allow personal devices on the network, but won’t go as far as paying for private maintenance plans. “I can’t say it’s something that’s impossible,” he said, “but for us right now, that’s not the direction we’re headed.”

Columbus senior systems administrator Ivan King said quality control would be too complicated. What would happen, he asked, if the employee broke the personal device? “Where is your service level agreement? Because now that guy has to run to Best Buy,” he said. “Say they’re going to ship it back to Dell. He’ll get a new one in three days, and now he’s not doing anything. I don’t see how that model plays out.”

In North Dakota, the help desk offers technical support on personal devices. The extra work hasn’t overburdened the help desk, Feldner said. “When we started seeing these devices show up, we equipped our help desk with a couple of them so they had some idea that these things were here,” she said.

Calming Security Fears

Security issues regarding personal devices on a government network usually concern the downloading of health and human services data and tax-related documents. North Dakota doesn’t yet allow such downloads on personal devices. The data the state permits for download onto personal devices, Feldner said, is public record. However, her team still puts strict security protections on these personal handhelds, including special password protection. The devices also can be wiped remotely.

“Since people have their state e-mail on their devices, if they get stolen, we don’t want the culprit sending e-mails from that user’s account,” Feldner said. The application used for this protection wipes the device automatically after someone makes 10 failed password attempts.

Delaware, by contrast, allows sensitive files on personal devices but installs special encryption to keep unapproved eyes from viewing the data. North Dakota uses this sort of encryption on state-issued laptops, which can be used for sensitive files. Although Feldner doesn’t do this for personal devices, she expects to hear requests for it eventually.

As for whether personal gadgets require additional information security personnel for the added work, Feldner said that hasn’t been the case. But it doesn’t mean her security officers are happy about allowing the devices.

“They’re not thrilled because it’s one more thing they have to try to keep ahead of,” Feldner said. “They understand that this is the way the world is moving, so we need to accommodate it and figure out a way to keep things secure.”

Andy Opsahl

Andy Opsahl is a former writer and features editor for Government Technology magazine.
