BYOD and Enterprise Security: Insights from the IBM CIO Office

Americans now own an average of four digital devices each, and the typical U.S. consumer spends 60 hours a week consuming content across devices, according to Nielsen’s recent U.S. Digital Consumer Report. It’s clear that smartphones, tablets and other devices beyond the standard workstations or laptops are all becoming an extension of our population, and that includes our workers.

IBM began to see the impacts of this several years ago as our employees began bringing personal devices to work regardless of whether we formally allowed it. It quickly became clear that implementing a bring-your-own-device (BYOD) policy for our enterprise was important. If we didn’t enable it, employees would enable themselves, and the risks of self-enablement far outweighed the risks of establishing a formal BYOD program. To fully embrace BYOD, we needed to first address enterprise security to mitigate risk and avoid becoming another news story.

IBM started with almost a year of research, discussion and collaboration, through which we homed in on our internal policy for safe yet agile BYOD security. We built upon our existing solutions such as IBM Endpoint Manager, which originally secured more than 550,000 IBM laptops and workstations worldwide. We now manage enterprise security for over 120,000 personal mobile devices and laptops in addition to company-owned devices. Most recently, IBM has aggressively deployed cloud-based MaaS360 by Fiberlink, now an IBM company, as the technology solution for all employee-owned mobile devices. Implementation includes the use of mobile device management software with advanced device and application security and a cloud-based delivery strategy.

IBM moved very quickly to deploy MaaS360 internally. We began on-boarding devices on MaaS360 just five days after the close of the Fiberlink acquisition in December 2013. Over 15,000 users migrated on the first day and more than 70,000 in the first month, a prime example of how quickly cloud-based deployments can be achieved. It took us less than three days to integrate MaaS360 into the IBM architecture, and by moving from an on-premise model to a cloud model, we’ll save approximately $500,000 in yearly infrastructure and support costs.

IBM’s Top BYOD Lessons Learned

  1. Policy and education trump technology: As a tech guy, this one pains me a bit to say, but it’s an important lesson: The best technology solution available won’t work if employees are not educated and a firm use policy is not in place. It’s worth the time to define which uses are or are not permissible and what the company will and won’t do. For example, to avoid data privacy conflicts in many countries, we at IBM won’t geolocate an employee’s missing personal device, even if they request that we do so. Instead, we will remotely wipe company-related information to protect the enterprise. However, we don’t know to do this if the employee never alerts us to the loss. This is where employee education comes into play.
  2. Educate employees: Employees must be alerted to and made to comply with business conduct guidelines for the security of all. Our employees are both our best line of defense against, and our greatest weakness to, a security breach that might come from a personally-owned device. As we educate our teams to be smarter, more mindful users, we significantly reduce our risk.
  3. Move beyond device lock-down or security: Historically, it has been common in the corporate world to secure or lock down each individual device. However, with the consumerization of IT, as well as mobile, cloud and Internet of Things (IoT) concepts, attempting to secure individual devices is no longer reasonable or even possible in many cases. We instead must move security into the application layer to ensure top-notch productivity from employees combined with more robust security. This change of thinking, or cultural shift, is a big challenge for large enterprises, but is crucial to ensure an enterprise can maintain security of its data in the future. It’s no longer about securing the device and the edge of your network: It’s now about securing the data and the app.
  4. Keep up with mobile speed by moving at cloud speed: Finally, the world of mobile devices and the consumerization of IT is dramatically speeding up the pace of change. What used to take years to change now changes in weeks or months. Traditional IT approaches will never keep up, so it’s the perfect time to embrace the cloud. Personally-owned mobile devices typically present the opportunity for new investments and new tools. Make those investments in the cloud, as IBM internally did with our MaaS360 deployment, to ensure that your security tooling and approaches can keep pace.

You can learn even more about addressing risk and security in this space through a webcast on June 3. I’ll be sharing my insights from IBM’s journey alongside Rich Caponigro, security expert for IBM Endpoint Manager, and David Lingenfelter, information security officer at MaaS360 by Fiberlink, an IBM Company. Join us to learn how your company can also mobilize to more quickly and efficiently keep your enterprise secure. We’ll go over lessons from our own journey at IBM and the benefits of, and deployment tips for, IBM Endpoint Manager and IBM Fiberlink MaaS360, detailing how these two solutions complement each other and provide unified device management, securing any device in any location at any time. We’ll also be available for your questions. We look forward to connecting with you on June 3.


William Tworek

Senior Executive IT Architect

William Tworek is the Senior Technical Staff Member and Executive IT Architect for the Chief Information Security...