Intel byod policy

W13035

INTEL CORP. – BRING YOUR OWN DEVICE R. Chandrasekhar wrote this case under the supervision of Professors Joe Compeau and Nicole Haggerty solely to provide material for class discussion. The authors do not intend to illustrate either effective or ineffective handling of a managerial situation. The authors may have disguised certain names and other identifying information to protect confidentiality. Richard Ivey School of Business Foundation prohibits any form of reproduction, storage or transmission without its written permission. Reproduction of this material is not covered under authorization by any reproduction rights organization. To order copies or request permission to reproduce materials, contact Ivey Publishing, Richard Ivey School of Business Foundation, The University of Western Ontario, London, Ontario, Canada, N6A 3K7; phone (519) 661-3208; fax (519) 661-3882; e-mail cases@ivey.uwo.ca. Copyright © 2013, Richard Ivey School of Business Foundation Version: 2013-02-15

In January 2010, Malcolm Harkins, chief information security officer, Intel Corp., was facing dilemmas in taking forward the Bring Your Own Device (BYOD)1 initiative. The company’s information technology (IT) division had been driving this initiative for nearly a year. Now that senior management had taken a strategic decision in favour of implementing BYOD, Harkins needed to take the lead in the opening up of the initiative broadly across the enterprise. More than 10,000 of Intel’s nearly 80,000 employees worldwide were already bringing their own devices to work. Harkins foresaw that the number of employee-owned mobile devices on the job at Intel would triple in a year and that, by 2014, about 70 per cent of employees would be using their own devices for at least part of their job. Said Harkins:

My dilemmas are three-fold. How do we extract value from the initiative and turn BYOD into a new source of competitive advantage at Intel? How do we ensure security of the corporate data on a device that an employee brings to the workplace? How do we respond to e-Discovery requests for information stored on a device that Intel does not own?

CONTEXT Early in 2009, Harkins had noticed a trend among the employees of Intel. Employees were bringing their own tablets and storage devices to their workstations and using them during office hours. Concurrently, the use of smart phones was rising. The distinction between corporate data and personal data on employee-owned devices was blurring because access to corporate data was no longer limited to office hours, just as personal data was no longer off-limits during office hours. 1 “Bring your own device (BYOD) is an alternative strategy allowing employees, business partners and other users to utilize a personally selected and purchased client device to execute enterprise applications and access data. Typically, it spans smartphones and tablets, but the strategy may also be used for PCs. It may include a subsidy.” Source: Gartner Inc., IT Glossary, available at http://www.gartner.com/it-glossary/bring-your-own-device-byod/, accessed December 21, 2012.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 2 9B13E002 The trend was catching up. BYOD was causing apprehensions among IT professionals mandated with information security (IS). Their immediate concerns were two-fold: The IT staff would be burdened with supporting and troubleshooting unmanaged devices; and, instead of using the devices for work-related activities, employees would be distracted by applications embedded into their devices, which could potentially lead to a negative impact on productivity. Harkins’s principal concerns related to issues of not only IT and IS (which were his areas of domain) but also finance, law, human resources development and the company’s brand equity (which were not his areas of domain). Employees had personally invested in laptops, netbooks and mobile devices, and they were using them for company work — whether at home, at office or on the road. This practice reduced Intel’s own costs of device procurement but increased its costs of evaluating, configuring and supporting a growing pool of smartphones, tablets and laptops. It also meant greater risks in terms of data security; company data was vulnerable to being compromised while being carried on personal devices. Intel, as an organization, needed to be able to access and control company information; but doing so on employee- owned devices without violating individual privacy was a grey area. Harkins also realized that who should be included in a BYOD program was a sensitive area. Every year, Intel recruited professionals at various levels, and its reputation as a preferred employer, among young jobseekers in particular, would also be affected by its stance on BYOD. Intel had three options for dealing with BYOD as a trend. It could have done nothing, in the hope that employees bringing own devices to work was only a fad and would soon pass. This approach would have ensured status quo but would have also pushed “shadow” IT (as the IT activities occurring outside of IT management were collectively known) further into the dark. The company could have issued a directive stating a categorical “No” to the option of employees bringing their own devices to work. Such an approach would have ensured not only a uniformity of technologies being deployed company-wide and Intel’s ownership of all IT devices used in the company but also corporate oversight. However, this approach would have meant falling behind ongoing trends and alienating a portion of its employees. Studies by both Gartner and McKinsey had pointed out that IT mobility was a rising phenomenon (see Exhibit 1: Top 10 Emerging Trends). The third option was to support BYOD, an approach that had seemed logical in light of some irrefutable “laws” of information security, as Harkins saw them:

These are unwritten laws that one must acknowledge. For example: Users want to click; when connected to the Internet, people will click on things. Information wants to be free; people are prone to talk, post, and share. Code wants to be wrong; a software program can never be 100 per cent error-free. Services want to be on tap; some background processes will always have to be switched on. Security features are double-edged; they help and they also harm. People set and forget; the efficacy of a control deteriorates with time. In such a context, compromise is inevitable for CIOs [chief information officers]. They cannot enforce rules of their own.

Dating back to the early 1990s, Intel’s IT division had acknowledged these laws. As personal computers became common in the homes of its employees, Intel allowed some employees to log in to the Intel network from their home systems and to use that ability to work from remote locations. Subsequently, however, amid concerns over data security risks, Intel had limited this provision to employees who were undertaking mission-critical processes.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.