Pandora is a rapidly growing Internet radio service that allows people to create their own radio stations on their mobile devices, delivering music chosen by algorithms that predict the user’s musical tastes. The company allows its employees to buy and use their own devices — smart phones, tablets, laptops, and desktops — and pays for their data usage, making no distinction between personal and work use.
While embracing the Bring-Your-Own-Device (BYOD) trend obviously lowers Pandora’s spending for capital equipment, Pandora CFO Steve Cakebread maintains that capitalization is “insignificant” compared with the productivity gains he sees by allowing employees to use technology they know and like, not to mention the money his company saves by not having to invest in training people on unfamiliar devices and systems.
“Technology is changing so fast,” says Cakebread, formerly CFO of Salesforce.com, “that controlling the hardware and software environment” is not worth the trouble. “Control benefits the IT department, but as a CFO you have to decide who you want to benefit: IT or the rest of your organization?”
The BYOD Trend and the CFO
“When you bring up the topic of mobility, it becomes very personal,” says Fernando Alvarez, mobile solutions practice leader for technology consulting firm Capgemini. “How many times have you gone out to dinner and everybody puts their phone on the table like a gun in a cowboy movie? The phone has become an essential part of you.” This intimate connection between person and device is the fruit of what’s often called the consumerization of IT.
A recent Harris Interactive poll for security firm ESET found that more than 80% of employed adults use their own devices for work. And according to a 2011 Forrester survey of 361 North American IT decision makers commissioned by security firm IronKey, 79% believe the “increasing diversity of our end-user devices” will have a significant-to-moderate impact on IT-services spending, and 60% say they’ve already seen savings in that area.
“CFOs love [BYOD],” asserts PricewaterhouseCoopers principal David Edelheit. “In the past, the company paid for the device and paid for usage, which was a high and unpredictable cost. Now, with BYOD, they can say, ‘I’ll allocate $100 for you to buy the device. You want to buy a $500 device? Go ahead. We have discounts with these four vendors. All great deals. It’s your choice. And I’ll pay $50 a month for business usage. If you go over, that’s your problem.’ All this gives CFOs a much more fixed cost and a lower cost with less variability.”
As IronKey CFO Mark Schulte says, “According to Forrester, 23% of an enterprise’s hardware spend is on end-point devices. That’s huge. If I’m a P&L owner, I’m saying, ‘Wow, I could find better uses for that money than giving people boxes, especially as the technology changes so quickly.’”
Jim Buckley, CFO of mobile-device management firm MobileIron, points out other savings: “In a BYOD program, end users take more responsibility for their devices, taking the initiative to fix them themselves rather than involving support, and, because it’s their personal device, they take better care of them.” Another cost benefit Buckley identifies is that “companies no longer have to deal with the device life cycle. Smart phones and tablets generally change every 18 months. That’s a lot of new technology the enterprise no longer has to keep up with.”
There’s a lot about BYOD for CFOs to love and, as Edelheit points out, employees love it “because they can choose their own device and download six million apps.”
Of course, all those apps (some bearing malware and inviting data breaches) raise the questions of risk and who owns the data on all those devices. The employee may own the device, but the corporate data on the device doesn’t belong to the employee and, indeed, its mere existence on employee-owned devices may present an auditing risk. Governing that dichotomy is a tricky dance to which the steps are still being learned.
Security and BYOD
“The definition of what’s sensitive data is expanding,” says Todd Thiemann, senior director for product marketing at Vormetric, an enterprise encryption, key management, and data security firm. “It used to be compliance data — HIPAA, PCI compliance — but today it could be an e-mail list.”
And, Thiemann says, as the number of devices bearing sensitive data “in the wild” increases, and as they all attempt to access enterprise data, risks increase. It’s a numbers game, and although there hasn’t yet been a significant data breach involving mobile devices, Thiemann says “it’s just a matter of time.” That conclusion was given weight by a recent IDG survey in which three-quarters of the respondents said their companies allowed them access to corporate data on their personal devices while less than half said their companies had a “well-defined” corporate access policy.
But, notes Schulte, trying to stop people from bringing their own devices to work is futile. And Alvarez points out that exceptions have a way of growing up around policies, rendering them ineffective. “You see a lot of people with laptops and secure IDs and passwords,” he says, “and then some top executive wants a corporate report on the iPad his wife bought him for Christmas, and who’s going to say no? There’s no consistency.”
And as CFOs and their companies increasingly look to leverage the cost savings of cloud computing, those ill-defined policies are further complicated by the involvement of a third party: cloud providers hosting the enterprise’s data and applications.
The way around that problem, some security people advocate, is to forget the end-point and secure the network all those devices are attempting to access. IronKey’s Trusted Access product creates, in effect, a cloud-based virtual environment. When the user attempts to access corporate data, his request goes not to the corporate database but to IronKey, which vets the request and then routes the data through its own network. In effect, IronKey sits between the enterprise and the BYOD user, with the end user none the wiser.
Pandora, which has most of its information systems and data in the cloud, uses Okta, a software-as-a-service identity and access-management tool, to secure its application portfolio. With one call, says CFO Cakebread, “we can take anyone off the whole system. We just decommission the password and login.”
Right now, Cakebread says he’s looking at technologies for protecting and tracking mobile devices that go missing. But he considers all the risks the BYOD trend presents as minor compared with all the problems it solves.
Above all, says Cakebread, “What we want is for our employees to be productive.”
As the BYOD trend accelerates, the ability of companies to support their employees’ productivity while attempting to control all those devices will be sorely tested. PwC’s Edelheit suggests that CFOs leverage BYOD while proceeding with caution. “Take a phased approach,” he advises. “Pilot with power users. Find out what works, what doesn’t, what you can allow, what you can’t.
“Keep your eyes wide open.”