Cisco has transitioned to an entirely bring your own device (BYOD) model over the last three years, and though there were challenges, the productivity advantages were worth the effort.
Cisco has 60,000 worldwide employees, and the company estimates that 40% of employees use three or more devices for work. One device is a corporate-provided laptop; the others are personally owned. At any given time, approximately 40,000 to 50,000 personally owned devices are connected to Cisco's network, said Steve Martino, Cisco's vice president of information security.
SearchConsumerization spoke with Martino about bring-your-own-device benefits, risks and challenges, such as balancing security with user productivity.
What BYOD policies has Cisco established?
Steve Martino: Today, mobile phones and tablets are all employee-owned, with a few exceptions for government contracts or for specific countries that require us to buy them. When an employee brings a mobile device and connects it to our network, whether it's to just do email or to use more extensive applications, then we have a set of trusted device sta ndards, which is like us saying, 'You must be this tall to ride the ride.' We check for things like antivirus, a screen-lock and pin code, encryption, [that] it can't be jail-broken -- there are nine things total.
That gives employees the choice of device while giving us a baseline standard for compliance that says these devices must participate safely on our network.
How are you handling information security with such a massive BYOD initiative?
Martino: We used to have a neat bordered wall containing our enterprise, but now employees are mobile-working at hotels, at the office, at home, and how do we deal with that?
A couple things we've done: There's the trusted device standard, and those are straightforward blocking and tackling strategies. Second, if you want to connect to the network, you have to use a VPN client on that device. The VPN works with our network access policy and control product to validate those trusted device standards. Because users do silly things from time to time, we've also deployed a set of technologies to look at network traffic flow. You need data and analytics to harvest user behavior anomalies on the network and take action immediately if something is out of place.
The third step is we've deployed some technology to deal with spam and phishing attacks, which is still the number one way that systems get infected. If you think about what I just described -- device standards, a way to check for compliance and then leveraging the network -- that gives us a solid foundation for protecting users, devices and our data.
Martino: On phones and tablets, we're deploying MDM technology. The main reason for deploying MDM is just to enable remote-wipe capability, which is the most important thing. We want to be able wipe any data, which is really just emails, if that phone gets lost or stolen. However, we tell them we have the right to wipe everything off the device -- since you never know -- in exchange for allowing them to connect to our network.
The big benefits are giving employees better job flexibility, productivity and satisfaction.
chief information security officer, Cisco Systems Inc.
How do users react to that?
Martino: Sometimes there is a reaction, but one of the things we've done well that is helping us move aggressively through a proactive BYOD program is getting users to share war stories with each other about what works and what didn't. When users share stories about what happens when losing a device, it actually helps with adoption because it drives home things like backing up family photos or that it isn't as draconian as it sounds.
So, just MDM then? Nothing else?
Martino: We don't do containerization or that sort of thing, because in our experience, there needs to be a balance between usability and protection. With containers users have to make all sorts of choices about whether it's work or personal and which container to open files in or browse the Internet in. If the experience isn't usable because of security, well, we've learned people will invest time in finding a way around that security system.
There's still a total cost of ownership debate about BYOD saving money versus not saving money. What has Cisco discovered in this regard?
Martino: The vast majority of our PCs are still company-owned, but I think over time that will change as well. For mobile, there is a cost savings from not buying the actual device, but that's offset from support costs, arrangements to pay for service plans and other soft costs. But cost of ownership isn't the driver for us.
We've implemented crowdsourced support for mobile to help offset those costs, but also because many of our employees are experts themselves. We see a reduction in help desk call volumes and support cases, because [employees] prefer to rely on one another.
The big benefits are giving employees better job flexibility, productivity and satisfaction. Employees have more satisfaction with using their preferred device, and life-work is blending. Reducing the complexity for them to not have two phones is important.
What do you know now that you wished you knew when starting this effort?
Martino: The first thing I wish we knew two or three years ago is that BYOD is a good thing; it's going to happen, and rather than fight it, lets figure out a way to make it happen. We struggled with giving an inch. We resisted changing our approach to protect our data as opposed to the device.
The second thing is there is a lag between our needs and the technology being available. Identity Service Engine was technology we didn't have two years ago that we would have liked. The fundamental thing though is having the right mind-set because the technology will always catch up. If we knew that, we would have moved more effectively. Thankfully we've finally figured that out.