Lessons from Deloitte's BYOD program

Around five years ago, long-time Deloitte CIO Tim Fleming approached his chief executive, seeking top-level guidance as to how he felt about the proliferation of smartphones and tablets in the workplace.

Do you want to lock them all down? Can we stem back the tide?

Neither felt it plausible.

“We both believed that the consumerisation of IT was a wave we wanted to ride," Fleming told me this week. "Our CEO’s view - from the start - was that education is paramount.

"There are always ways for data to be leaked - as we’ve seen with Edward Snowden or the tax haven data released by the International Consortium of Investigative Journalists. If someone wants to steal or expose data, they will do so. They will photograph screens if they have to.”

The right approach to enterprise mobility is to focus on employee “care and responsibility”, backed by an “appropriate amount of safeguards”.

For several years Deloitte staff - over half of which are under thirty and all of whom are very tech savvy - have been offered BYOD plans that Fleming’s team pre-negotiated with Australia’s major mobile carriers. Staff are able to select plans bundles with smartphones and claim their mobile telephony costs back as part of their monthly expenses.

“The age of the fleet of mobile devices is well and truly dead,” Fleming said. “It's an exercise in futility trying to supply your whole company with devices [that will satisfy their needs] - unless you want to replace devices every 12 months. That becomes tremendously expensive.

“So for a long time, we’ve been letting users decide what device they want.”

Fleming’s BYOD strategy does not discriminate on what smartphones are permitted, and is focused “more on protecting the data, less on managing the device.”

“The mobile device management market is still very young, and changing very rapidly,” he said. “Getting a solution that allows you to manage a device that is both professional and private, and that allows you to use the native apps of that device, is not necessarily a simple task.”

Fleming said any CIO approaching an MDM solution needs to ensure users can still run the native applications on their devices.

“If you’re giving end users an email client that comes as part of the MDM solution, it is instant legacy, in my opinion,” he said. “If a new version of iOS7 comes out with new features in the email client, your staff can’t use it because you’re stuck with what you purchased as part of the MDM. People will react very badly to that.”

Thankfully for Fleming, most of the Deloitte applications that would contain highly sensitive data remain unavailable on employee smartphones, as rarely can a business case be made for accessing this data in the field.

For Deloitte, the data of most concern that is held on mobiles is the regular communication its consultants conduct with clients over e-mail. So to date, email has been the one application Deloitte has invested in protecting on the mobile device, balanced with Fleming’s insistence that the user can still access email using the native apps of the device.

Fleming advises his CIO peers that they will need to agree to loosen their control when it comes to enterprise mobility.

“You've got to be comfortable in giving up complete control of a user’s device,” he said. “We're well past the time that such a thing is possible.”