Higher Ed CIO Challenges 2 – Consumerization of IT

by | July 11, 2012

This is the second of a three part series on Challenges for Higher Education CIOs – Consumerization of IT.

The particular focus of this challenge is the rise of mobile computing commonly known as “Bring Your Own Device” (BYOD).  This trend is changing the education mandate, particularly how faculty teach course materials to their students with mobile devices and how students engage with their schools.  This trend also creates a new channel for higher education institutions to engage with their extended communities of students, faculty, researchers and staff.  “CIOs must get ahead of the consumerization curve by coming to terms with what is valuable and productive about the influence of consumer IT.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 4)

More and more students and employees demand the option to use their consumer IT devices to  work and learn.  This blend of work and life, combined with flexible work hours also contributes to an atmosphere where people want to be able to work with the tools of their choice.  “Work is no longer a place you go to, and then leave, but an ongoing activity.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)  Organizations will have no choice but to address the demands of their employees and students.  IT departments in particular, play a key role in articulating the IT security impacts of BYOD programs on their organization.  Blount explores the Consumerizaton of IT – Security Challenges by describing the challenges, the opportunities and the benefits.  “This important trend is not just about new devices; it’s about the entire relationship between IT and its user population.”  (Blount, 2011, p. 3)  BYOD is not just a technology or device specific issue.

Some of the categories this trend impacts: mobile phones, storage, innovative services, dynamic content creation, update cycles and style and customization.  (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)

Corporate vs. Consumer IT (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)

Corporate Space   Consumer Space
Devices with functionality limited to phone calls and email, typically Blackberry

Mobile Phones

Smart phones offering tens of thousands of useful apps, typically iPhone or Google Phone
Restricted storage for files and email


Providers such as Google and Yahoo offering virtually unlimited storage
Static employee directories and cumbersome proprietary platforms

Innovative Services

Social networks such as Facebook and LinkedIn used for both socializing and working
Outdated static content within corporate intranet – centralized maintenance and control

Dynamic Content Options

Blogging, wiki, social networking and content services allowing consumers to create, customize, and manage the content they want
Long replacement cycles – up to four years for hardware and eight years for software

Update Cycles

Very rapid updated hardware – immediate download of new apps and services
Highly standardized, inflexible and often restricted environment (“beige box”)

Style and Customization

High variety of consumer devices, systems, applications and “skins”

Bernard describes four dimensions of security: physical, data, personnel and operations.  (Bernard S. A., 2005, p. 329).  These were expanded on by Bernard and Ho into a Security Architecture Framework to eight security layers. (Bernard & Ho, 2007)   Their paper used the eight layers to describe the impacts on IT security architecture when organizations implement a BYOD model.

Summary – “Use What You’re Told” (UWYT) endpoints and employee/student BYOD:


UWYT – Employer

BYOD – Employee/Student

Information Security Governance Standardized endpoints with a Block or Disregard policy approach – “tightly coupled” control of all layers of architecture – focus on corporate control – this is a corporate liable model Move to a ‘loosely coupled’ approach to endpoint management. This is not a endpoint centric approach – focus on policy, culture change and controlling the  applications, systems and information layers – requires a BYOD policy to be in place describing responsibilities of employer and employee – this is a blend of a corporate and individual liable model
Operations Centrally supported data and endpoint service, standard security, antivirus and data protection – requires an acceptable use policy but no mention of personal endpoints Expands the scope of support to hybrid model – internal for data, external vendor for endpoint, distributed security, antivirus and data protection
Personnel Lesser level of employee/student technical ability due to central support, no tax implications as these endpoints are considered equipment, standard user experience and support. Lower costs to create and deliver training on standard endpoints Higher level of employee/student technical ability due to hybrid support, stipend model may result in income tax implications; potential confusion for users resulting in unsatisfactory service, a BYOD policy must be created. Higher costs to create and deliver training especially about information security
Information and Data Flow Centrally provisioned and secured information to meet regulatory and compliance rules and audits. Access controls limit data leakage based on information classification methods Leverages centrally provisioned and distributed security, need an ability to wipe enterprise data but not personal data, more controls required to meet regulatory and compliance rules and audit – digital rights management
Application Entire application infrastructure contained to corporate endpoints to limit vulnerabilities and data leakage. Provides employees with only the applications they need and typically with a lesser user experience Focus on open standards that will run on any endpoint; consideration for future applications (buy or build); strategies needed to separate personal apps from enterprise apps due to the possibility of inappropriate data access
System Centralized control of access to applications, systems and information using IAM and PKI security, IT controls the access process instead of relying on HR business processes Strong reliance on HR business processes to timely notify of changes in employee status; IAM is a critical technology and security strategy and needs investment to properly create role based access and remove access in a timely manner
Infrastructure Layered security approach to network access that restricts access to the wired network for accessing enterprise applications, systems and information. Blocks external endpoints from accessing the network Layered security approach for network access gets augmented by implementing a Limited Access Zone for BYOD devices; use Network Access Control to verify adequate malware and patch protections before allowing access
Physical This is a key security layer for UWYT as it restricts physical access to key applications, systems and information. This security layer is compromised as soon as an endpoint is taken out of the physical protection of the corporate workplace. Physical security is ineffective for BYOD as most of the endpoints are mobile; reliance on the other key security layers is mandatory to reduce risk

Some final overall considerations for moving from a Block/Disregard strategy to a Contain/Enable strategy for BYOD are (ProfitLine, 2011, p. 2):

  • The major pricing and contractual benefits that are lost when moving to individual liable
  • The hidden IT support costs and potential user experience issues
  • The increased security risk and policy ramifications

Each organization needs to consider the impacts of the endpoints supported, the data on those endpoints, identity management, employee/student on-boarding and off-boarding and providing an endpoint independent platform to deliver data and information.

A Proposed Approach to Introduce BYOD for Higher Education

This proposed approach requires executive leadership and strong project management.  The project plan should allow for conducting the policy and research activities in parallel.  Implementing the Policy and Technology strategies requires budget and resources for successful deployment and ongoing support in a BYOD Contain/Embrace strategy.

Bernnat et al suggest two approaches to accommodate using consumer IT.  The first option is the “Bring In” approach.  This approach “involves opening the corporate IT environment to private use and letting employees’ digital lives freely enter their work environments.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 6)  The second option is the “Reach Out” approach.  This approach “reaches out to employees, allowing them to use their personal devices – even PC’s – to do their work.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 6)

Each of these approaches has different resource, policy, support and oversight requirements.

BYOD Management Plan Resource Alignment Standardized Policy Decision Support Resource Oversight
Bring In Approach Use existing resources for endpoint management because the endpoints are employer owned Implement Information Security and BYOD Policy for private Web use on employer owned endpoints Employees have a wide variety of employer supplied endpoints to chooseEnterprise apps are pre-installed and employees can add personal apps Employees use company owned endpoints and there continues to be a high degree of employer control
Reach Out Approach Increase support resources for endpoint management because of the mix of employer and employee owned endpoints Implement Information Security and BYOD Policy for employee endpoints and private Web use Employees/students bring their own endpoints for use at workAccess to enterprise apps are controlled by virtualization technologies for apps and desktops Employees/students need to ensure their endpoints comply with employer standardsEmployers need to establish standards and monitor security access

The management plan also addresses Risk Management issues for BYOD programs.   Key areas for risk management are: (Bernnat, Acker, Bieber, & Johnson, 2010, pp. 7-8)

  • Security – specifically network security and data leakage
  • Productivity – potential lost productivity with web surfing distractions
  • Legal and Compliance – ensuring compliance to privacy and copyright laws
  • Reputation – employees and students making poor judgements when interacting on social media
  • Support and Maintenance Costs – heterogeneous endpoint environments increase support costs
  • Risks – employees and students may not be able to do their work (in a timely manner) when their personal endpoint fails and requires replacement

All of these risks must be considered and planned for either in the creation of policy and the development of technology/security solutions for the consumerization of IT.

The next post will be on the third Challenge for Higher Education CIOs – Cloud Computing Services.

Bernard, S. A. (2005). An Introduction to Enterprise Architecture 2nd Edition. Bloomington, IL: AuthorHouse.

Bernnat, R., Acker, O., Bieber, N., & Johnson, M. (2010). Friendly Takeover The Consumerization of Corporate IT. Retrieved from booz&co: http://www.booz.com/media/uploads/Friendly_Takeover.pdf

Blount, S. (2011, Aug). the consumerization of IT: security challenges of the new world order. Retrieved from Computer Associates: http://www.ca.com/us/~/media/Files/TechnologyBriefs/Consumerization-of-IT-Tech-Brief.pdf

ProfitLine. (2011). The Hidden Risks of a “Bring you own Device” (BYOD) Mobility Model. Retrieved from ZDNet: http://i.zdnet.com/whitepapers/Profitline_The_Hidden_Risks_of_a_Bring_your_own_Device_BYOD_Mobility_Model_1_19_2011.pdf

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.