W13035
INTEL CORP. – BRING YOUR OWN DEVICE
R. Chandrasekhar wrote this case under the supervision of Professors Joe Compeau and Nicole Haggerty solely to provide material for class discussion. The authors do not intend to illustrate either effective or ineffective handling of a managerial situation. The authors may have disguised certain names and other identifying information to protect confidentiality.
Richard Ivey School of Business Foundation prohibits any form of reproduction, storage or transmission without its written permission. Reproduction of this material is not covered under authorization by any reproduction rights organization. To order copies or request permission to reproduce materials, contact Ivey Publishing, Richard Ivey School of Business Foundation, The University of Western Ontario, London, Ontario, Canada, N6A 3K7; phone (519) 661-3208; fax (519) 661-3882; e-mail cases@ivey.uwo.ca.
Copyright © 2013, Richard Ivey School of Business Foundation Version: 2013-02-15
In January 2010, Malcolm Harkins, chief information security officer, Intel Corp., was facing dilemmas in taking forward the Bring Your Own Device (BYOD)1 initiative. The company’s information technology (IT) division had been driving this initiative for nearly a year. Now that senior management had taken a strategic decision in favour of implementing BYOD, Harkins needed to take the lead in the opening up of the initiative broadly across the enterprise. More than 10,000 of Intel’s nearly 80,000 employees worldwide were already bringing their own devices to work. Harkins foresaw that the number of employee-owned mobile devices on the job at Intel would triple in a year and that, by 2014, about 70 per cent of employees would be using their own devices for at least part of their job. Said Harkins:
My dilemmas are three-fold. How do we extract value from the initiative and turn BYOD into a new source of competitive advantage at Intel? How do we ensure security of the corporate data on a device that an employee brings to the workplace? How do we respond to e-Discovery requests for information stored on a device that Intel does not own?
CONTEXT
Early in 2009, Harkins had noticed a trend among the employees of Intel. Employees were bringing their own tablets and storage devices to their workstations and using them during office hours. Concurrently, the use of smart phones was rising. The distinction between corporate data and personal data on employee-owned devices was blurring because access to corporate data was no longer limited to office hours, just as personal data was no longer off-limits during office hours.
1 “Bring your own device (BYOD) is an alternative strategy allowing employees, business partners and other users to utilize a personally selected and purchased client device to execute enterprise applications and access data. Typically, it spans smartphones and tablets, but the strategy may also be used for PCs. It may include a subsidy.” Source: Gartner Inc., IT Glossary, available at http://www.gartner.com/it-glossary/bring-your-own-device-byod/, accessed December 21, 2012.
For the exclusive use of C. DALMEIDA, 2018.
This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.
Page 2 9B13E002
The trend was catching up. BYOD was causing apprehensions among IT professionals mandated with information security (IS). Their immediate concerns were two-fold: The IT staff would be burdened with supporting and troubleshooting unmanaged devices; and, instead of using the devices for work-related activities, employees would be distracted by applications embedded into their devices, which could potentially lead to a negative impact on productivity.
Harkins’s principal concerns related to issues of not only IT and IS (which were his areas of domain) but also finance, law, human resources development and the company’s brand equity (which were not his areas of domain). Employees had personally invested in laptops, netbooks and mobile devices, and they were using them for company work — whether at home, at the office or on the road. This practice reduced Intel’s own costs of device procurement but increased its costs of evaluating, configuring and supporting a growing pool of smartphones, tablets and laptops. It also meant greater risks in terms of data security; company data was vulnerable to being compromised while being carried on personal devices. Intel, as an organization, needed to be able to access and control company information; but doing so on employee-owned devices without violating individual privacy was a grey area.
Harkins also realized that who should be included in a BYOD program was a sensitive area. Every year, Intel recruited professionals at various levels, and its reputation as a preferred employer, among young jobseekers in particular, would also be affected by its stance on BYOD.
Intel had three options for dealing with BYOD as a trend. It could have done nothing, in the hope that employees bringing their own devices to work was only a fad and would soon pass. This approach would have ensured the status quo but would have also pushed “shadow” IT (as the IT activities occurring outside of IT management were collectively known) further into the dark.
The company could have issued a directive stating a categorical “No” to the option of employees bringing their own devices to work. Such an approach would have ensured not only a uniformity of technologies being deployed company-wide and Intel’s ownership of all IT devices used in the company but also corporate oversight. However, this approach would have meant falling behind ongoing trends and alienating a portion of its employees. Studies by both Gartner and McKinsey had pointed out that IT mobility was a rising phenomenon (see Exhibit 1: Top 10 Emerging Trends).
The third option was to support BYOD, an approach that had seemed logical in light of some irrefutable “laws” of information security, as Harkins saw them:
These are unwritten laws that one must acknowledge. For example: Users want to click; when connected to the Internet, people will click on things. Information wants to be free; people are prone to talk, post, and share. Code wants to be wrong; a software program can never be 100 per cent error-free. Services want to be on tap; some background processes will always have to be switched on. Security features are double-edged; they help and they also harm. People set and forget; the efficacy of a control deteriorates with time. In such a context, compromise is inevitable for CIOs [chief information officers]. They cannot enforce rules of their own.
Dating back to the early 1990s, Intel’s IT division had acknowledged these laws. As personal computers became common in the homes of its employees, Intel allowed some employees to log in to the Intel network from their home systems and to use that ability to work from remote locations. Subsequently, however, amid concerns over data security risks, Intel had limited this provision to employees who were undertaking mission-critical processes.
The launch of laptops in 1997 had, for the first time, brought the use of personal devices not connected to the corporate network to centre stage. Laptops were followed by wireless access points, ultra-portables, tablets and net-books. But it was the arrival of smartphones in 2006 that marked the beginning of the BYOD trend. The increasing functionality of smartphones and similar devices had, in some cases, become comparable to laptops in their ability to not only process data but store data. Smartphones could connect to the data centre and plug into corporate applications hosted on the cloud. The trend was unstoppable; by early 2009, Intel recognized that it needed to implement a strategy to address the BYOD trend.
As part of developing a strategy, Harkins was keen on gathering the input of not only employees who were bringing their own devices to work but also those employees who were not doing so. He organized a two-day web jam in March 2009. Over an uninterrupted 48-hour period, his team took queries, in turns, from nearly 7,000 employees and responded to more than 1,000 cyberposts. The web jam was an opportunity not only for Intel employees worldwide to provide input on how they wanted to use their smartphones but also for the IS team to explain what the use of smartphones meant to the organization, going forward.
Although only 30 per cent of participants were okay with corporate access to their personal devices, there was a near unanimous view in favour of Intel managing the security of personal devices; and, in return for the freedom to bring their own devices to work, 100 per cent were willing to accept necessary training and adjustments to their behaviour.
Accountability became one of the pivots around which the policy evolved. It cut both ways. IT was accountable for providing the technology footprint with which to manage devices; and employees were accountable for understanding the potential risk the devices they brought to work carried for the company.
For years, Intel had been losing one per cent of its notebooks annually; they were either misplaced or stolen. But, under the terms of the BYOD initiative, Intel no longer needed to buy the devices. Allowing employees to bring their own devices would reduce the incidence of hardware loss; employees would be more vigilant about guarding them because of their sense of ownership. An integrated personal and business calendar on the device would also increase employee productivity. Costs, per se, would decrease because telecom carriers typically charged about 33 per cent less for data plans for individuals than they did for corporations.
It was evident that BYOD was not a technology issue; it affected other company functions, such as legal, HR and accounting, whose help was required in defining policy, including such details as privacy and software licensing and enforcing compliance. Also evident was that a “one-size-fits-all” framework would not work. Harkins developed a five-tier model to manage the security risk inherent in BYOD (see Exhibit 2). Said Harkins:
A multi-tier architecture provides not only the greatest security but also return on investment. We classified the level of access to data and services into five categories with progressively higher degree of IS requirements. Level one, for example, pertained to corporate data, like stock price movements, which were uploaded in real time on public servers. Level two pertained to slightly confidential applications like payroll. We had to factor in issues of privacy at this level because the device was owned by the employee. Level three was what we called Basic and had the least permissive level of access to
corporate data. Examples of services included calendaring, contacts and emails. Level four, called Intermediate, consisted of applications pertaining to specific lines of business. Level five, called the Managed Equivalent, was the most permissive level of access to corporate data.
CONSUMERIZATION OF IT
For many decades, IT had been a standalone activity whose understanding was limited to a few employees in an organization. It still carried a mystique to the vast majority, even as the giant mainframes gave way to personal computers, and desktop computers made data processing more accessible for individuals. In the late 1990s, the arrival of hand-held computing devices marked a new beginning of employee empowerment that came to be called the Consumerization of IT (CoIT), defined as “the adoption of any consumer-facing technology for business purposes.”2
Characterized by self-provisioning of technology, CoIT was one of the most disruptive phenomena in the workplace. It was encompassing many sub-categories of computing, such as social media, cloud, applications (apps) development and, of late, BYOD.
From CoIT, companies were securing business gains, both internally and externally. Internally, employees were becoming more resourceful and innovative, leading to general gains in organizational productivity. IT’s own productivity was increasing because many consumer technologies were self-supporting and end-users were readily shoring up one another. IT could extend its capabilities across the organization without requiring additional resources. A company adopting CoIT could attract and retain young and skilled employees, leading to improvements in revenues, margins and market share.
Externally, CoIT improved the company’s engagement with customers, vendors and business partners. When CoIT was implemented as part of a multi-channel strategy and for deploying tools of social media in particular, it was easier for existing stakeholders to do business with the company and for potential customers to sign up for its offerings.
The greatest benefits came from the development of apps aimed at delivering the right data to the right set of users and managing both users and apps for the common good. Mobile apps, in particular, could be developed quickly and at a lower cost than traditional enterprise apps. Employees were developing front-end apps on their own, depending on their ongoing requirements. This development and device freedom had enhanced the spirit of enterprise in companies.
However, CIOs were facing several challenges with CoIT. First, there were difficulties in securing the buy-in for any CoIT initiative from functions such as legal and accounting. These functions were accustomed to a compliance mode; risk taking was not part of their culture. A free-for-all culture, which the CoIT phenomenon seemed to represent, was contrary to their traditional mindset.
Second, nurturing the innovation that CoIT represented was difficult because companies in general had no precedents for how to encourage productive innovation within the context of CoIT. The more dominant perspective was that personal devices loaded with attention-diverting applications were more representative of
2 “Consumerization of IT: How IT Should Manage Personal Technology at Work,” InfoWorld Special Report, May 2012, http://www.infoworld.com/d/consumerization-of-it/consumerization-of-it-how-it-should-manage-personal-technology-work-194587, accessed December 10, 2012.
productivity waste than enhancement; they were thus banned in many firms, such as those on Wall Street.3
To set up the systems and processes supportive of consumer technologies, CIOs needed to secure the data from threats of hacking, viruses and identity theft; ensure an interactive app experience; manage the load on IT infrastructure and generally stay on the side of the new-generation workforce. Also necessary was keeping pace with changes in the legal and regulatory environments in different countries where a company’s employees were located. The singular challenge for CIOs, however, was in keeping pace with changes in their own domain of IT.
INTEL – COMPANY BACKGROUND
Intel was the world’s largest manufacturer of semiconductor chips (see Exhibit 3). Its main products were integrated circuits (i.e., chips etched with electronic switches) and platforms (i.e., suites of digital technologies), which were used as raw materials in computing and communications industries. Intel’s customers included both original equipment manufacturers (OEMs) which marketed branded products and original design manufacturers (ODMs) which provided services to branded and unbranded private-label resellers. In 2009, Hewlett-Packard Company accounted for 21 per cent of Intel’s net revenue (up from 20 per cent in 2008 and 17 per cent in 2007), and Dell Inc. accounted for 17 per cent of net revenue (down slightly from 18 per cent in both 2008 and 2007).
The semiconductor industry was characterized by a high percentage of fixed costs in three areas: research and development (R&D), employment of skilled workforce and training of employees. The business was subject to downturns because product demand was variable. The product life cycle was limited, often less than a year. As a result, the pace of technological development and the frequency of new product introductions were more rapid than in other manufacturing sectors.
Intel was driven by the strategic mandate of “being the preeminent provider of semiconductor chips and platforms for the worldwide digital economy.” Its goal was to “deliver a great ‘personal’ computing experience across all types of devices and enable consumers to move seamlessly from one type of device to another.”4 Intel was routinely launching products with improved rates of data processing. It was also innovating to continue to improve the connectivity, storage, security, energy consumption, ease of use and inter-operability of devices.
At the end of 2009, Intel had reorganized its business “to better align our major product groups around the core competencies of Intel architecture and our manufacturing operations.” The company had nine operating segments: PC Client Group; Data Center Group; Embedded and Communications Group; Digital Home Group; Ultra-Mobility Group; NAND Solutions Group; Wind River Software Group; Software and Services Group; and Digital Health Group. Said Harkins:
3 “Social Media Like Facebook, Twitter and Gmail Banned on Wall Street,” New York Times, November 23, 2012, http://articles.economictimes.indiatimes.com/2012-11-23/news/35317526_1_social-media-youtube-videos-analyst, accessed December 5, 2012.
4 Intel’s 2009 annual report, http://www.intc.com/intelAR2009/, accessed February 7, 2013.
The growth of mobile microprocessor units has been outpacing the growth of desktop microprocessor units. This trend will continue. The escalating demand for mobile microprocessors will result in increased development of products with form factors requiring lower power. Their demand will be incremental to that of desktop microprocessors since a growing number of households have multiple devices for different computing functions.
In addition to its four wafer fabrication facilities in the United States (in Arizona, Oregon, New Mexico and Massachusetts), the company had manufacturing units in China, Ireland, Israel and Vietnam and test facilities in Malaysia, China and Costa Rica. It had sales and marketing offices worldwide.
For the year ending December 2009, Intel had net revenues of $35.1 billion5 and net income of $4.3 billion (see Exhibit 4). Intel’s revenues had declined by 7 per cent over 2008, although the volume of shipments had increased, as a result of falling prices. Asia-Pacific was the single largest source of revenue at 55 per cent, followed by the Americas at 20 per cent. The company’s competitive advantages included scale, talent pool, global reach and customer orientation.
ISSUES BEFORE HARKINS
Extracting value
Value from BYOD could be extracted from three sources: cost reduction, productivity gains and competitive advantage.
An obvious potential source of cost reduction was that Intel would no longer need to pay for the 10,000 small form factor (SFF)6 devices already in circulation, for the purchase of individual devices and for their ongoing service and support. Although Intel had incurred these costs in the past, once BYOD became official, employees would assume these costs. The savings could be large, based on the expectation that, by 2014, nearly 60,000 more employees would be bringing their own devices to work.
From reviewing the data over the past few quarters, Harkins had accessed a vital piece of information: Intel employees who were using their own devices were spending, on average, an additional 57 minutes every day on company-related work. This index of productivity was known in IT parlance as “time back per day per employee.” The company could use what was called a “burden rate” of about $100 per hour per employee to arrive at the gain in productivity.
Additional gains could be realized from employees seizing every opportunity, outside the office hours, to carry on the business of Intel through real-time collaboration with internal and external customers. Employees would also be generally happy about BYOD, which would lead to gains like their rallying together in the event of a deadline or an emergency.
Competitive advantage, particularly if it was to be sustainable, could be built only over the long haul. Harkins could see some potential sources of competitive advantage. For example, networking would, over time, lead to the development of better products and services. Use of authorized devices would also minimize the general risk profile within IT.
5 All currency amounts are shown in U.S. dollars unless otherwise noted.
6 SFF devices were small computers, distinct from traditional personal computers that had towers or conventional full-size laptops. SFF devices included tablets and devices commonly called netbooks, smartbooks or ultrabooks.
Besides, Intel was making its debut in Fortune magazine’s 2010 annual list of the best companies to work for in the United States, at 98th position in a list of 100. The ranking, which would be useful for its annual recruiting, was based on the facilities that Intel provided to employees, such as telecommuting, job-sharing programs and compressed workweeks. The provision of BYOD would likely improve Intel’s rankings, thereby leading to improved brand equity among potential employees. Said Harkins:
My difficulty is fundamental. How do I dollarize the risks and returns of BYOD? There are businesses at Intel which are sensitive to data walking out the door. They would buy into BYOD if they see, in measurable terms, how BYOD is adding value. But we only have intuitive information so far. What particular data should I mine and apply in order to arrive at the true value of BYOD?
Security
The security risk in a BYOD environment had two broad components — device and data. The dilemma before Harkins pertained to two areas: the extent to which device security, which was new to Intel, could be deployed and the extent to which data security, which was prevalent in any case, could be extended in a BYOD situation.
Traditionally, all the hardware that was owned and operated by the company was equipped with such built-in IS features as security settings, log-on procedures, authentication protocols, access controls, firewalls and anti-malware software (see Exhibit 5).
The BYOD situation would typically comprise two types of devices — managed devices and unmanaged devices. Intel layered its own security controls on all managed devices; the controls took on two forms — encryption and remote-wipe capability. Like round pegs in a round hole, the managed devices fit perfectly with the IT environment and IT expectations. Unmanaged devices, however, were like square pegs in a round hole. No single solution supported all the devices owned by employees, thereby representing a security risk.
Leaving a corporate footprint on the devices owned by employees could be damaging for employee privacy. Data encryption and remote-wipe capability would both come into play when the data was compromised or the device was lost or stolen. But the remote-wipe would also affect personal data stored by the employee on the device. The issue of privacy acquired a serious tone, particularly when no evidence of data compromise could be detected upon retrieval of a lost or stolen device.
Another relevant issue related to the hourly employees. Intel had 79,800 employees worldwide, of whom 55 per cent were located in the United States. The majority of Intel’s wafer fabrication activities were also located in the United States. Hourly employees at Intel US were required to report the hours that they spent doing office work on their SFF devices while off network and away from their workstations. These hours counted not only toward their overtime compensation but also for any related expenses. Even routine activities conducted on an SFF device outside normal hours, such as checking a calendar or responding to emails, were required by Intel to be logged as overtime. The log would leave a trail, which would likely create a long-term liability for the company in the event of any claim at any time in the future by any hourly employee.
Intel also had other concerns. Global IDs (such as Google ID and Live ID) were gaining popularity, and employees commonly had multiple global IDs, both on the same devices and among their different devices. Integrating global IDs into the corporate Active Directory7 account was fraught with security risks. A password that protected cloud-based email was not adequate for protecting corporate data.
Data co-mingling was another potential hazard. If an employee inadvertently placed corporate data on a personally owned device of a friend or family member, who then plugged into a USB connection to charge up, the company’s data would be synchronized with personal data.
Another issue related to the implications of jurisdiction (as in a country’s borders), where normal data protection laws (including one’s constitutional rights) did not apply. Said Harkins:
At Intel, we follow what I may call the 4P framework for IS in general: Prediction, Persistence, Patience and Preparedness. The IS team should be able to predict where the security threats would be coming from, which parts of the organization would be vulnerable, and how the risk would manifest itself. It should be persistent about things that matter to Intel and the practices that we care about as a company. It should be patient, not alarmist, and refrain from screaming “the sky is falling.” It should be prepared with strategic controls, contingency plans and mitigation procedures. My dilemma is: How do we apply that framework in executing BYOD?
e-Discovery
U.S. companies such as Intel had a legal obligation, under the U.S. Federal Rules of Civil Procedures (FRCP), to comply with demands from the courts of law for inside documents in the event of litigation. Everything in an enterprise — from terabyte-sized databases to 14-character tweets — was thus potentially discoverable (i.e., subject to discovery) and reviewable by litigants.
In December 2006, electronic discovery (or e-Discovery as it came to be called) gained a mandate in the United States. The FRCP were amended to expand the coverage of e-Discovery to all document-intensive information on which a company relied to conduct day-to-day business. The amendment brought under the purview of e-Discovery all computer systems and devices storing digital information. It also brought under its ambit all types of litigation — class action, corporate fraud and employment.
The changes gave litigants wide-ranging powers to seek, as part of their review, access to the whole range of data running through the networks of an enterprise, including not only legacy data archived on backup tapes but also emails, instant messages, calendars and contact lists. Also included in the accessible data were posts on MySpace, a social media platform; records from the Global Positioning System (GPS), a satellite-based navigation protocol; and data from EZ-Pass, a toll-collection system that automatically deducted tolls from a prepaid account. All these data became part of what was collectively referred to as electronically stored information (ESI), which could be required to be produced as evidence in a court of law.
ESI had more volume because, unlike paper, it replicated itself. An email was stored not only in the sender’s and receiver’s files but also at several devices in several locations. ESI was more complex than
7 “Active Directory was an advanced, hierarchical directory service used for managing permissions and user access to network resources. Introduced in Windows 2000, it was a domain-based network wherein a company's workgroups (departments, sections, offices, etc.) were assigned domain names similar to Web addresses.” PC Mag.com, “Encyclopedia,” http://www.pcmag.com/encyclopedia_term/0,1237,t=Active+Directory&i=37454,00.asp, accessed December 15, 2012.