Intel corp bring your own device case analysis

S w

W13035

INTEL CORP. – BRING YOUR OWN DEVICE R. Chandrasekhar wrote this case under the supervision of Professors Joe Compeau and Nicole Haggerty solely to provide material for class discussion. The authors do not intend to illustrate either effective or ineffective handling of a managerial situation. The authors may have disguised certain names and other identifying information to protect confidentiality. Richard Ivey School of Business Foundation prohibits any form of reproduction, storage or transmission without its written permission. Reproduction of this material is not covered under authorization by any reproduction rights organization. To order copies or request permission to reproduce materials, contact Ivey Publishing, Richard Ivey School of Business Foundation, The University of Western Ontario, London, Ontario, Canada, N6A 3K7; phone (519) 661-3208; fax (519) 661-3882; e-mail cases@ivey.uwo.ca. Copyright © 2013, Richard Ivey School of Business Foundation Version: 2013-02-15

In January 2010, Malcolm Harkins, chief information security officer, Intel Corp., was facing dilemmas in taking forward the Bring Your Own Device (BYOD)1 initiative. The company’s information technology (IT) division had been driving this initiative for nearly a year. Now that senior management had taken a strategic decision in favour of implementing BYOD, Harkins needed to take the lead in the opening up of the initiative broadly across the enterprise. More than 10,000 of Intel’s nearly 80,000 employees worldwide were already bringing their own devices to work. Harkins foresaw that the number of employee-owned mobile devices on the job at Intel would triple in a year and that, by 2014, about 70 per cent of employees would be using their own devices for at least part of their job. Said Harkins:

My dilemmas are three-fold. How do we extract value from the initiative and turn BYOD into a new source of competitive advantage at Intel? How do we ensure security of the corporate data on a device that an employee brings to the workplace? How do we respond to e-Discovery requests for information stored on a device that Intel does not own?

CONTEXT Early in 2009, Harkins had noticed a trend among the employees of Intel. Employees were bringing their own tablets and storage devices to their workstations and using them during office hours. Concurrently, the use of smart phones was rising. The distinction between corporate data and personal data on employee-owned devices was blurring because access to corporate data was no longer limited to office hours, just as personal data was no longer off-limits during office hours. 1 “Bring your own device (BYOD) is an alternative strategy allowing employees, business partners and other users to utilize a personally selected and purchased client device to execute enterprise applications and access data. Typically, it spans smartphones and tablets, but the strategy may also be used for PCs. It may include a subsidy.” Source: Gartner Inc., IT Glossary, available at http://www.gartner.com/it-glossary/bring-your-own-device-byod/, accessed December 21, 2012.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 2 9B13E002 The trend was catching up. BYOD was causing apprehensions among IT professionals mandated with information security (IS). Their immediate concerns were two-fold: The IT staff would be burdened with supporting and troubleshooting unmanaged devices; and, instead of using the devices for work-related activities, employees would be distracted by applications embedded into their devices, which could potentially lead to a negative impact on productivity. Harkins’s principal concerns related to issues of not only IT and IS (which were his areas of domain) but also finance, law, human resources development and the company’s brand equity (which were not his areas of domain). Employees had personally invested in laptops, netbooks and mobile devices, and they were using them for company work — whether at home, at office or on the road. This practice reduced Intel’s own costs of device procurement but increased its costs of evaluating, configuring and supporting a growing pool of smartphones, tablets and laptops. It also meant greater risks in terms of data security; company data was vulnerable to being compromised while being carried on personal devices. Intel, as an organization, needed to be able to access and control company information; but doing so on employee- owned devices without violating individual privacy was a grey area. Harkins also realized that who should be included in a BYOD program was a sensitive area. Every year, Intel recruited professionals at various levels, and its reputation as a preferred employer, among young jobseekers in particular, would also be affected by its stance on BYOD. Intel had three options for dealing with BYOD as a trend. It could have done nothing, in the hope that employees bringing own devices to work was only a fad and would soon pass. This approach would have ensured status quo but would have also pushed “shadow” IT (as the IT activities occurring outside of IT management were collectively known) further into the dark. The company could have issued a directive stating a categorical “No” to the option of employees bringing their own devices to work. Such an approach would have ensured not only a uniformity of technologies being deployed company-wide and Intel’s ownership of all IT devices used in the company but also corporate oversight. However, this approach would have meant falling behind ongoing trends and alienating a portion of its employees. Studies by both Gartner and McKinsey had pointed out that IT mobility was a rising phenomenon (see Exhibit 1: Top 10 Emerging Trends). The third option was to support BYOD, an approach that had seemed logical in light of some irrefutable “laws” of information security, as Harkins saw them:

These are unwritten laws that one must acknowledge. For example: Users want to click; when connected to the Internet, people will click on things. Information wants to be free; people are prone to talk, post, and share. Code wants to be wrong; a software program can never be 100 per cent error-free. Services want to be on tap; some background processes will always have to be switched on. Security features are double-edged; they help and they also harm. People set and forget; the efficacy of a control deteriorates with time. In such a context, compromise is inevitable for CIOs [chief information officers]. They cannot enforce rules of their own.

Dating back to the early 1990s, Intel’s IT division had acknowledged these laws. As personal computers became common in the homes of its employees, Intel allowed some employees to log in to the Intel network from their home systems and to use that ability to work from remote locations. Subsequently, however, amid concerns over data security risks, Intel had limited this provision to employees who were undertaking mission-critical processes.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 3 9B13E002 The launch of laptops in 1997 had, for the first time, brought the use of personal devices not connected to the corporate network, to centre stage. Laptops were followed by wireless access points, ultra-portables, tablets and net-books. But it was the arrival of smartphones in 2006 that marked the beginning of the BYOD trend. The increasing functionality of smartphones and similar devices had, in some cases, become comparable to laptops in their ability to not only process data but store data. Smartphones could connect to the data centre and plug into corporate applications hosted on the cloud. The trend was unstoppable; by early 2009, Intel recognized that it needed to implement a strategy to address the BYOD trend. As part of developing a strategy, Harkins was keen on gathering the input of not only employees who were bringing their own devices to work but also those employees who were not doing so. He organized a two-day web jam in March 2009. Over an uninterrupted 48-hour period, his team took queries, in turns, from nearly 7,000 employees and responded to more than 1,000 cyberposts. The web jam was an opportunity not only for Intel employees worldwide to provide input on how they wanted to use their smartphones but also for the IS team to explain what the use of smartphones meant to the organization, going forward. Although only 30 per cent of participants were okay with corporate access to their personal devices, there was a near unanimous view in favour of Intel managing the security of personal devices; and, in return for the freedom to bring their own devices to work, 100 per cent were willing to accept necessary training and adjustments to their behaviour. Accountability became one of the pivots around which the policy evolved. It cut both ways. IT was accountable for providing the technology footprint with which to manage devices; and employees were accountable for understanding the potential risk the devices they brought to work carried for the company. For years, Intel had been losing one per cent of its notebooks annually; they were either misplaced or stolen. But, under the terms of the BYOD initiative, Intel no longer needed to buy the devices. Allowing employees to bring their own devices would reduce the incidence of hardware loss; employees would be more vigilant about guarding them because of their sense of ownership. An integrated personal and business calendar on the device would also increase employee productivity. Costs, per se, would decrease because telecom carriers typically charged about 33 per cent less for data plans for individuals than they did for corporations. It was evident that BYOD was not a technology issue; it affected other company functions, such as legal, HR and accounting, whose help was required in defining policy, including such details as privacy and software licensing and enforcing compliance. Also evident was that a “one-size-fits-all” framework would not work. Harkins developed a five-tier model to manage the security risk inherent in BYOD (see Exhibit 2). Said Harkins:

A multi-tier architecture provides not only the greatest security but also return on investment. We classified the level of access to data and services into five categories with progressively higher degree of IS requirements. Level one, for example, pertained to corporate data, like stock price movements, which were uploaded in real time on public servers. Level two pertained to slightly confidential applications like payroll. We had to factor in issues of privacy at this level because the device was owned by the employee. Level three was what we called Basic and had the least permissive level of access to

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 4 9B13E002

corporate data. Examples of services included calendaring, contacts and emails. Level four, called Intermediate, consisted of applications pertaining to specific lines of business. Level five, called the Managed Equivalent, was the most permissive level of access to corporate data.

CONSUMERIZATION OF IT For many decades, IT had been a standalone activity whose understanding was limited to a few employees in an organization. It still carried a mystique to the vast majority, even as the giant mainframes gave way to personal computers, and desktop computers made data processing more accessible for individuals. In the late 1990s, the arrival of hand-held computing devices marked a new beginning of employee empowerment that came to be called the Consumerization of IT (CoIT), defined as “the adoption of any consumer-facing technology for business purposes.”2 Characterized by self-provisioning of technology, CoIT was one of the most disruptive phenomena in the workplace. It was encompassing many sub-categories of computing, such as social media, cloud, applications (apps) development and, of late, BYOD. From CoIT, companies were securing business gains, both internally and externally. Internally, employees were becoming more resourceful and innovative, leading to general gains in organizational productivity. IT’s own productivity was increasing because many consumer technologies were self-supporting and end-users were readily shoring up one another. IT could extend its capabilities across the organization without requiring additional resources. A company adopting CoIT could attract and retain young and skilled employees, leading to improvements in revenues, margins and market share. Externally, CoIT improved the company’s engagement with customers, vendors and business partners. When CoIT was implemented as part of a multi-channel strategy and for deploying tools of social media in particular, it was easier for existing stakeholders to do business with the company and for potential customers to sign up for its offerings. The greatest benefits came from the development of apps aimed at delivering the right data to the right set of users and managing both users and apps for the common good. Mobile apps, in particular, could be developed quickly and at a lower cost than traditional enterprise apps. Employees were developing front- end apps on their own, depending on their ongoing requirements. This development and device freedom had enhanced the spirit of enterprise in companies. However, CIOs were facing several challenges with CoIT. First, there were difficulties in securing the buy-in for any CoIT initiative from functions such as legal and accounting. These functions were accustomed to a compliance mode; risk taking was not part of their culture. A free-for-all culture, which the CoIT phenomenon seemed to represent, was contrary to their traditional mindset. Second, nurturing the innovation that CoIT represented was difficult because companies in general had no precedents for how to encourage productive innovation within the context of CoIT. The more dominant perspective was that personal devices loaded with attention-diverting applications were more representative of

2 “Consumerization of IT: How IT Should Manage Personal Technology at Work,” InfoWorld Special Report, May 2012, http://www.infoworld.com/d/consumerization-of-it/consumerization-of-it-how-it-should-manage-personal-technology-work- 194587, accessed December 10, 2012.

For the exclusive use of C. DALMEIDA, 2018.