WIXLIB

2a. Establish aComprehensive SecurityPolicyThe freedom to use personaldevices at work alters thetraditional structure and scopeof control of the IT department.Understanding the modifiedenvironment will provideorganizations with greater clarityon what to consider when draftingBYOD policies. The organizationalso needs to clearly prescribespecific courses of action in theevent of policy guideline violation.Mobility and IT consumerizationpresent evolving, complex securitythreats that require redesigningexisting security strategies. AsFigure 5 illustrates, this strategycan be implemented throughspecific action points.Since sensitive organization dataare stored on employee-owneddevices, BYOD brings its ownsecurity concerns. So devicesecurity management needs to bestrictly enforced. Moreover, BYODrequires a new control frameworkas security enforcement isnot just limited to devices.Organizations need to adopt asystematic globalized securityapproach that encompassesdata, hardware, software andnetwork. Security rules based ondevice management or containerpolicies have to be defined foreach category (laptop, tablet,Smartphone) of BYOD devices.Further, the risk of data beingcompromised from a lost orstolen device is one of the majorsecurity challenges faced byorganizations when dealing witha BYOD program. Businessesneed to chart a clear plan anduse relevant mobile device andapplication management solutionsto deal with lost or stolen devices.The plan need to include clearnotification process, necessarysteps to be taken to remove accessto the corporate network andprocedure to remotely erase localdata stored on the missing device.Figure 5: Major Action Points to Overcome Security Concerns Presented by BYODDefine a stringent securityprotocols to protectcorporate dataDefine the security environment of BYOD- Identifying responsibility if the device is lost or stolenDesign processes and rules to manage the future security threats- Based on the security lifecycle for a BYOD deviceIdentify KPIs and quality criteria to track security assurance- Key indicators to measure results of security policiesSecure all devices used onthe corporate networkSegregate personal and professional data on user devicesSecure data on devices based on- Device management or Container policiesProvide remote assistance for devices- Mobile Device Management tool is useful due to heterogeneoussecurity rules on devicesReview network access andusage to identify sources of riskClassify risks and define security protocols based on wired/wireless connections- Standard 802.1x (security layer), UAG Gateways(access management)Deploy data protection measures like IPSec and RMS servicesbased on corporate network or webDefine the scope of usage of each service provided- Virtualized applications (VM Ware), web-based services(password management)Source: Capgemini Consulting9

2b. Adopt the Right ITand Support SolutionsA cross-analysis of the end-usersegmentation, type of personaldevice used and businessapplication accessed, allowsorganizations to develop a relevantIT solution. It is important tofinalize device catalogs and deploythe relevant application strategiesto develop an agile infrastructurefor a BYOD environment. Thefirst step is to finalize the devicecatalog and extent of devicecoverage. A BYOD model entailsa transformation of the devicecatalog list from a limited numberof supported platforms to amuch wider list. Companies needto decide if they would allowall personal devices or specificdevice categories such as laptop,Smartphone and tablet on thecorporate network.10The second step is to deploy therelevant application architecture,ranging from virtualizationsoftware such as VMWare andXenApp, to browser-based access,to server-based computing andhosted virtual desktops. Further,creating a central repository ofenterprise software under theBYOD arrangement would enableemployees to easily access anddownload the software, as andwhen needed (see NeedhamBank’s Case Study).Finally, a corporate app storeunder a BYOD environment canoffer employees the freedom toselect the software they requireon their device without the typicalservice desk intervention. Thecreation of a corporate app storewill also reduce IT helpdesk costs.For instance, a study found that12% of IT helpdesk ticket requestsare for new software installation,and it is estimated that acorporate store can potentiallysave over 8.6 million a year in IThelpdesk costsix.A study found that 12%of IT helpdesk ticketrequests are for newsoftware installation,and it is estimated thata corporate store canpotentially save over 8.6 million a year inIT helpdesk costs.

Needham Bank’s Case StudyNeedham Bank deployed remote desktop solution to enhanceworker productivity through BYODBackgroundNeedham Bank, a US-basedcommunity bank, needed toprovide its employees an access torange of bank’s applications frommobile device to increase bank’soverall productivity levels duringevenings and weekends. Meetingsecurity and compliance norms setforth by government regulationswere the key considerations inevaluating a feasible solution.InitiativeIn order to enable mobile access,Needham Bank provides someemployees iPhones and iPads(based on eligibility-criteria),which the company manages.Other employees, who do notqualify for company-owneddevices, are allowed to use theirpersonal devices for work. Usingsingle sign-on credentials bankemployees can remotely log intotheir office devices from anydevice to access key applications.To address security concerns,the bank uses mobile devicemanagement solution and trainworkers on following safe practiceswhile using own devices. The bankalso blocks its employees fromdownloading apps like Dropbox,a cloud storage service, and fromusing iCloud, Apple’s storageservice. The bank’s IT also restrictsprinting and clipboard functions toprevent data leakage. In addition,the remote access solution keepsthe data ‘off-the-network’ and nodata or files are stored on iPador remote devices, so there is nothreat to sensitive data in casethese devices are lost or stolen.significant increase in productivitydue to streamlining of operations,eliminated the potential of dataleakage and enabled employees touse their device of choice for work.For instance, Bank’s accountingteam can quickly access financialdata remotely while the businessdevelopment team can accesscore banking applications to getrelevant account and relationshipinformation right before goinginto client meetings. Since,implementation of this initiative,Bank has recorded increase innumber of remote and mobileusers by 11 times while timespend working remotely hasgrown by 120 times, driving overallbusiness productivity of NeedhamBank.BenefitsThrough remote and mobileaccess, Needham Bank achievedSource: Banks May Not Be Able to Resist BYOD, InformationWeek, April, 2012; Array Networks, March 201211

2c. Select the RelevantBYOD Delivery ModelThe BYOD delivery model needs tobe selected based on the industry,IT maturity level, organizationstructure, partner ecosystem andregulatory guidelines in the regionof operation. Figure 6 illustratesthree types of BYOD deliverymodels, with correspondinginfrastructure layouts and supportstructures, based on end-userdevice ownership. Selection outof these delivery models dependson employees’ needs in terms ofsecurity, access to applications,device preferences and need formobility.Figure 6: Three BYOD Models Based on Computing Device Ownership, Infrastructure Set-Up and Support PoliciesPersonaldevices issuedHelpdesk/SupportInfrastructureEnd Usersand ApplicationsCorpCorpFull BYODmodelCorpWork with the company ownedworkstation and their personal deviceOwn their workstation sourced fromwithin a company service catalogSource and own their workstationPartially virtualized- IT sources workstations withoutemployee involvement- Emails and some business apps aremade accessible on personal devicesWell virtualized- IT offers a device catalog and letsemployees choose their devices- All services and apps are availableon the employee’s own workstationWell virtualized- IT may offer allowances toemployees for purchasing the device- All services and apps are availableon the employee’s own workstationIT supports company workstationand corporate services available onpersonal devicesIT supports employee’s ownworkstation including allservices on itIT only supports business apps andexchange services (collaborativetools)Support for the hardware, device andbasic services (OS, office apps andbrowsers) is the employee’sresponsibilitySource: Capgemini Consulting12Catalog of managedBYOD devices

Ford Motors Case StudyFord Motors adopted a user community-driven approach to controlsupport costs under BYOD programBackgroundFord Motors, a leading USbased automaker, started aprogram called ‘Digital Worker’back in 2007, which looked atall collaboration tools to driveincreased capability globally. Outof the four core areas identifiedfor this program, mobility solutionincluding BYOD was a key focusarea. The company then createda cross-functional team consistingof managers from the IT, legal, HR,accounting and other departmentsto examine the risks and rewardsof BYOD.InitiativeIn 2009, Ford rolled-out acorporate-liable program (CLP) toenhance employee convenienceand productivity. Under CLP,company provides devices, paysfor the service and offer help desksupport to the employees forwhom mobility is critical. However,with the increasing number ofusers and to control capital costs,company decided to launchan alternative individual-liableprogram (ILP). Termed as emailon Personally Owned Devicesor ePOD, the program enabledemployees to access corporateemails on personal devices. Thestructure of this program is that– employee pay for the deviceand data plans. The supportmodel is self and user communitydriven, wherein a group of BYODusers interact on common onlineplatform to resolve BYOD relatedqueries and issues. The companybears the back-end costs ofservers and software licenses suchas Mobile Device Management.The employees would fit into acorporate-liable (company-owneddevices) or individual-liable(personal devices) program basedon their job requirement andbusiness criticality. Employeesunder BYOD would sign aparticipation agreement, so thatthey clearly understand their rolesand responsibilities, what is thesupport model, who pays whatcosts and other conditions of theprogram.BenefitsThe BYOD program resulted inincreased flexibility for Fordemployees with seamlessintegration of personal and workactivities as well as reducedcosts associated with enterprisemobility functions. From initial2,700 subscribers under BYOD(ILP), the program has beenexpanded to include over 70,000employees in 20 countries. Thecompany recently deployednew mobile security systemand included other businessapplications in addition to accessto corporate email throughSmartphone, tablets and othermobile devices.Source: How Ford Motors Deployed BYOD, Forbes, July 2011; SearchCIO.com, August-September 201113

2d. Achieve theRegulatory ComplianceOrganizations devising a BYODframework should not only ensurethat the policies are acceptableto employees but also that theyaddress all statutory requirementsregarding compliance and taxlegislations. The BYOD modelshould be regulatory compliantwith norms such as HealthInsurance Portability andAccountability Act (HIPAA) forhealthcare segment, and PaymentCard Industry Data SecurityStandard (PCI DSS) for financialservices sector, regardless of thedevice on which data is stored. It isalso important to draft guidelinesand agreements pertaining toend-user privacy issues sinceprofessional and personal taskswould be carried out on asame employee-owned device.Employees eligible for BYOD needto accept and sign an agreement.The agreement explains howthe organization intends to treatcorporate and personal data andcommunications on the employeeowned device along with deviceand support compensation terms.Further, organizations needto have tiers of compensationpolicy (no compensation,limited compensation or fullreimbursement) for expensestowards devices, data plansand support. A survey across 17countries reported that 55% ofemployees pay for at least onedevice they use for work purposesx(see Ford Motors Case Study).143. Rollout StrategyThe rollout strategy entailsdesigning the plan, guidingemployees about BYOD to helpthem decide whether to joinBYOD program, understand costsubsidies, if any, as well as howdata would be accessed, used andstored on personal devices. Theorganization can choose to adopta company-wide BYOD rolloutmechanism or approach it in aphased manner.Conducting regular audits ofpersonal devices ensures thatemployees abide by the BYODpolicy. Measuring benefits ofBYOD, such as improvementin productivity and employeesatisfaction, enables organizationsto alter the BYOD programaccordingly. BYOD presents risksin managing work conditions,device warranty, taxation impact,and support desk usage by anemployee. While implementinga BYOD model, all associatedsocial and legal risks need to beanalyzed to avoid potential HRand legal issues. Further, theimplementation of BYOD modelneeds to have a strong review andmeasurement process to keeptrack of the benefits, challengesand future actionable points.The funding responsibility topromote BYOD initiative canbe transferred to the businessunits instead of corporate ITbudgets. Such arrangement woulddistribute the cost burden aswell as accountability for successof BYOD program to individualbusiness units. We believe thatBYOD model should be consideredfor creating business value thatgoes beyond cost savings.Growing expectations aroundusage of employee’s personaldevices at the workplace indicateclearly that the BYOD trend ishere to stay. By encouragingemployees to use personaldevices, BYOD policies not onlyboost employee satisfaction anddrive business productivity, theyalso help organizations becomenimble. An effective BYOD policycan help organizations integrate,and encourage, greater usageof digital tools. As digitizationand the imperative to digitallytransform become more critical,BYOD policies can be leveragedsuccessfully to gain employeeacceptance and buy-in for largescale transformation programs.A survey across 17countries reported that55% of employees payfor at least one devicethey use for workpurposes.

ReferencesiIT Organization Embrace Bring Your Own Devices, Citrix, 2011iiMobility Temperature Check: Just How Hot Is BYOD?, Xigo and CCMI, July 2012iiiAsian companies resisting BYOD due to cost, ZDNet, November 2012ivBYOD Planning and Costs: Everything You Need to Know, CIO.com, December 2012vSurvey of telecommunication professionals in North America, Xigo CCMI, July, 2012viWhat is the business value in employees “bringing their own device” into the workplace?,Cisco Service Dynamics, 2011vii 5 Things You Need to Know about BYO Tech, CIO.com and iPass, December 2010viii Global BYO Index, Citrix 2011ixCorporate App Stores: Harness The Power Of BYOD, Forbes and 1E, March 2012xCharting the Rising Tide of Bring-Your-Own-Technology, Forrester, June 2012Note on Cost heads considered for TCO analysis of BYOD and standard modelCapex: Cost of ownership for hardware (laptop, server) and software (OS) decreases as employees bring their own device.However centralized architecture such as server-based computing or hosted virtual desktop would require additionalinvestment in server infrastructure.Opex Engineering: Security management costs would increase in the BYOD arrangement and desktop management (fleetdeployment, replacements, outsourcing) expenses will reduce moderately or remain constant.Admin. Costs: Although IT disposal costs decreases under BYOD environment, IT training cost increases with new devicemanagement and application access processes.Opex Run: Virtualization and transformation into web based application decreases hardware and software maintenancecosts under BYOD. But cost of ownership and maintenance for IT-specific software, Tier 1 IT support (password issue,application access issue) and data center storage costs would increase due to complex security deployment in the BYODarrangement. Tier 2 and 3 IT support will come down as devices are owned by employees.Stipends under BYOD: Grants for purchase of end user device and its support based on the BYOD model and compensationpolicy adopted by the company.End-user Costs: End-user training decreases as employees are familiar with their devices and software as well as extra costsdue to downtime of end-user IT equipments reduces.15

AuthorsBenjamin AlleauJohann mPrincipaljohann.desemery@capgemini.comThe authors would also like to acknowledge the contributions of Jerome Buvat and Vishal Clerk from the DigitalTransformation Research Institute of Capgemini Consulting.For more information contactDACHGuido Kamannguido.kamann@capgemini.comNetherlandsEric Kruidhoferic.kruidhof@capgemini.comSpainChristophe Jean Marc Mariochristophe.mario@capgemini.comFranceCyril Francoiscyril.francois@capgemini.comNorth AmericaMartin A Hanlonmartin.a.hanlon@capgemini.comSweden/ FinlandUlf Larsonulf.larson@capgemini.comMiddle EastJawad Shaikhjawad.shaikh@capgemini.comNorwayGunnar Deinbollgunnar.deinboll@capgemini.comUKStephen Pumphreystephen.pumphrey@capgemini.comAbout CapgeminiCapgemini Consulting is the global strategy and transformationconsulting organization of the Capgemini Group, specializing inadvising and supporting enterprises in significant transformation,from innovative strategy to execution and with an unstintingfocus on results. With the new digital economy creatingsignificant disruptions and opportunities, our global team ofover 3,600 talented individuals work with leading companiesand governments to master Digital Transformation, drawing onour understanding of the digital economy and our leadership inbusiness transf

Bring Your Own Device, or BYOD is a concept by which organizations allow employees to connect their personal devices, such as laptop, tablet and Smartphone, to the corporate network, so that they can access business and collaborative applications. The driving belief behind BYOD adoption is that companies benefit by saving capital costs as they no