The lowdown from CIOs on how they feel about consumerisation of technology and how to manage this seemingly irrepressible trend. Here are highlights from a CIO roundtable on the topic.
Around the table:
Michael Ramsay, head of digital experience and commerce, ASB
Eugene Piercy, IT manager, Deloitte
Kevin Maloney, director, management consulting practice, KPMG
Richard Horton, CIO, Fidelity Life Assurance
Craig Columbus, CIO, Russell McVeagh
Kevin Angland, CIO, IAG
Ian McLean, sales manager, Amtel
Brendan Maree, managing director, Interactive Intelligence
Divina Paredes, editor, CIO New Zealand
Sim Ahmed, writer, CIO New Zealand
'A tidal wave'
Craig Columbus: [It is] a tidal wave. Consumer adoption of mobile technology has driven our corporate need to adapt into the groove because people have grown accustomed to being able to access just about anything anywhere they happen to be, and this extends to our partners or associates and all of our team members.
Eugene Piercy: It is also about freedom of choice and giving people access to things. Way back, we blocked access to Facebook but now it is available on the corporate network because social media is so important to us, not just for connecting to friends but also to our clients. You want to be the person that they can't work without, really.
Kevin Angland: We are adopting a pretty cautious approach, we need to upgrade a lot of our back end infrastructure and systems to make them more mobile capable going forward but we are conscious of the demands that come back through the business. What customers are saying actually is, I want choice. I want to be able to do it mobile, over the phone, on the internet, face to face. So the big challenge is that seamless integration between those channels. We're conscious of the fact that we could rush out and deploy a lot of technology in the mobile space but then we destroy the seamless experience part of the relationship.
Core concern: Security
Kevin Maloney: Our policy is very much based around protecting the firm's data. That said, we are embracing mobility in a number of different areas... but it is a lot more about how we can engage through mobile applications with our customers.
Craig Columbus: Security is everything for us. So figuring out how can we provide a mobile platform with very sensitive information in a secure way is not an easy challenge to overcome. Many times because the device or the technology or the software or the code running on the device was never designed with security in mind.
Response? Separate wireless networks
Eugene Piercy: We have a separate wireless network within the building so anyone who comes in can just bring their mobile device and they can connect, but it doesn't connect to the corporate network.
We have also got Citrix so people can get to the applications using Citrix. If they want to bring in a non-Deloitte provided PC or an iPad then they can use a Citrix receiver client to launch the applications on their device. The advantage of it is that the client's information is still secure but we're giving them access to the applications themselves.
Richard Horton: We're running Citrix and so from an infrastructural perspective Citrix is certainly the short to medium term solution to us if someone wants to bring in a tablet. We've recently rolled out wi-fi within our building and we've got a two-tier infrastructure for wi-fi so most people can connect to the guest network which is pure internet and then we've got our corporate backbone which is available for some devices as well.
End game for company mobiles?
Craig Columbus: Virtually none [took up the offer of a company phone]. It used to be the case that they would jump at the chance, but now because of the pace of change they know that if they take up that offer they're going to have that same phone for two years and two years in the life of mobility today is an eternity.
We tried providing phones to our employees and guess what, we found that from a financial and operational perspective it was too difficult because the pace of change was too rapid. By the time we would roll out a great new phone to someone, code certified it and made sure that it was ready to roll and we give it to them, they say 'well, this is the last model.'
Now we let people buy their own device as long as it is within a certain set of parameters that we know that we can secure and work with. We don't share the cost of the upgrade but we do share the cost of owning the device, so we provide a subsidy for those who have a device for work purposes, we will provide a subsidy back to them to help cover the cost of the data plan because we recognise that they're using it for work.
Managing multiple platforms
Kevin Maloney: What we're finding is that a lot of clients are putting their time into mobile device solutions and they seem to be good for the initial purpose. But as the user needs start to evolve and grow it is like 'oh, if we'd known we wanted to do this six months ago, we might have looked at something different' and that is part of the challenge because it is still an ecosystem that is still growing.
Richard Horton: Fidelity actually builds most of their own core applications so we have a pretty large software development shop within our IT department. So the conversations I'm having with the architects, which I think are four or five years ahead are 'What are we going to do about this problem?'
The only way we can think of right now to do that is to just build web rather than building apps, otherwise we end up having to build for a number of different operating systems and maintain those and it is just all extra support.
Kevin Angland: That is going to be the challenge as more and more of these devices come to market, organisations are going to have to make some bets on do they back one and go with it or do they build something that is easily deployable across multiple [platforms].
Communicating the risks
Craig Columbus: A number of times I've had someone come to me and say firm such and such is doing this, why can't we? And I say it's because they're not doing it in a secure way and they're accepting the risk of that. Do you want to be front page on the newspaper when you lose customer data? Lawyers are risk averse, the answer is 'well no'.
That is why we're not doing it. It is a very easy conversation in that regard.
Kevin Angland: We have got a head of information security and he is seen as the black hat guy in the organisation, that is because he understands the implications of doing this. He is writing those security policies and protocols but he spends a lot of time talking to business people about, 'these are the implications of us doing this and these are the reasons why we have to say "no".' Or, 'instead of allowing you to do this, if it is a job required thing, we will provide you with the device that is going to be secure.'
From an IT perspective we audit and we test our perimeter on a regular basis. We're deploying a new website and it doesn't go live until a third party security assessment has been conducted on that website to find the potential gateways into the organisation.
Customer data is absolutely sacrosanct. What does help us is when you see failures elsewhere and they get a lot of media attention -- that is great because people then come and ask for assurance that this could never happen here.
Eugene Piercy: I suppose it is quite hard in New Zealand because unlike the United States and Australia, we don't have any reporting provisions. So for example if I lost your data I don't need to tell you. Although that is going to change next year I understand, the Privacy Commissioner is looking at it.
Craig Columbus: In many companies IT is taking a seat at the executive table -- who else is better positioned to explain the risk profiles than the CIO? I think it is absolutely the responsibility of the IT department to bring this up, but not in the way of just simply saying 'no' and becoming the classic department of no but to say, 'Look, these are the risks, this is how we're going to mitigate the risks and these are the business advantages we can expect once we've done that.' I do think it falls to IT but in a proper context; it has to be within the context of business.
Impact on the helpdesk
Kevin Angland: One of the issues that crops up is, 'who is the helpdesk that sits behind the bring your own device?' When something happens they want to be able to pick the phone up and talk to the tech team and get some help. And the answer is the problem is the phone. There is nothing wrong with the way we've set up your access to the network.
Michael Ramsay: We did a lot of work training our internal people to help give them the toolset and skills to be able to have those conversations. Our contact centre for example had devices with them so they could actually pick them up on the phone with potential customers.
Eugene Piercy: When we first started out we weren't providing as much support as we should and now support a lot of devices, particularly with iPad. People get them as presents and they're always going on holiday or they're getting on a plane in an hour and it's not working, can you make it work? My guys will do as much as they can to try and get it on, some of the applications we have you have to download them and then we send them the key, they put the key in and they just don't want to wait for it.
People have got a click mentality as they find an app they think it is going to work, as soon as you send them something they want it to go, so that is where we have come unstuck with quite a few people is that it just doesn't work as fast as they think that it should.
What we're trying to look at is having a listed number of devices that we will support and others that we won't. You obviously want somewhere that you can send the device back if it's not going to be fixed. Sort of like notebook PCs, if someone brings in their notebook that we've supplied and it's not working, we just re-image it, it is much faster to do that, get the data off than it is to try and fix it.
Richard Horton: There is also another aspect that we haven't really touched on yet, and that is information going into the cloud, not actually residing on the device. A really good example is that I've just actually installed One Note on a tablet for my own use. Because I want it to sync between my Android and a PC I needed to install Microsoft SkyDrive. Now this is not an ideal scenario because I don't have any idea where that stuff lives, probably America, and also theoretically the infrastructure department has no control over the security of that, so there is no way they can enforce passwords and I think that is actually a big problem.
Kevin Maloney: It comes back to better understanding and what is the user experience we're trying to deliver through the device and what is the right device for it.
Kevin Angland: We've got policies in place that are very much for internal use. We are now going the other way and taking more of the customer in end business requirements with a view to, what does the future look like?
Craig Columbus: The reality is, this is the world, this is where we are going and those of us who don't embrace that opportunity and see it as an opportunity are going to be left behind. If you're not steering, you're going to be pushed, so you might as well steer.
Richard Horton: We need to be enablers of it, we've got to get on the front of the wave and take it where we think it is right for our organisation.
Amtel and Interactive Intelligence sponsored the CIO roundtable on enterprise mobility.
Divina Paredes (@divinap) is editor of CIO New Zealand.