Another company that is progressive about user technology choice is SAP, which is putting help stations in some lobbies modeled after Genius Bars in Apple Stores. Intel is likewise experimenting with friendly help stations in lobbies. One benefit is the reinforcement of Intel's commitment to technology diversity.
But there's a pragmatic benefit, Stevenson notes: "On average, a tech problem exists for seven days before someone reports it for help, so we're looking to reduce that by making a more friendly, Starbucks-like support environment." Earlier support reduces the risk of a tech problem, both on information security and employee productivity, she notes. And it can help reduce support costs by catching a problem earlier, before it escalates or cascades.
Empowerment and security aren't contradictions
Intel hasn't confused technology freedom with "anything goes." Instead, it's realized the goal of information security needs to be about information, not devices. Intel protects its information using both people and technology. After all, people handle the sensitive information, so making them aware of information security is a necessary step to ensure that safeguard.
Unfortunately, too many companies try to exclude users from security efforts, relying only on technology, then wonder why users make mistakes or act as if security isn't a concern -- because it isn't!
Stevenson shrugged when I described that people-averse approach and reiterated that you can't take people out of the equation. That's why Intel has an active education program, including monitoring and verification, and it both trains people and holds them accountable for the information usage. It's not IT's problem; it's everyone's problem.
For example, new employees complete four awareness classes, and every employee takes an annual refresher course. Plus, there are required classes for those who handle sensitive information. Another company, the nonprofit Sesame Workshop, which produces education shows like "Sesame Street" and "The Electric Company," takes a similar approach. It requires employees to attend two classes on information policy before letting them participate in its BYOD program.
Of course, Intel uses technology to help protect information security. It deploys mobile device management (MDM) tools to make sure that devices confirm to basic policies, such as enforcing the use of passwords and encryption. Such enforcement goes a long way to satisfy the fear over lost devices, as do the controls for remote wipe when someone with sensitive data access loses their device. And Intel uses application development tools that let it embed and manage information permissions in internal apps, such as the ones allowing employees to access their payroll information, that it provides to PCs, Macs, mobile devices, and Web browsers.
Intel's BYOD usage policy gives it the right to wipe and remove contents from a device, such as when an employee leaves. In countries where privacy laws forbid such corporate access to personal equipment, Intel doesn't allow BYOD; there is no mixing of personal and business where local sensibilities discourage it. But in the United States, this blending is desired my many employees, who are willing to opt in to such policies in return for freedom of choice.