Organisations are demanding that their IT departments be increasingly agile and responsive to users’ needs when it comes to bring your own device (BYOD). The challenge is ensuring BYOD doesn’t become bring your own disaster.
There is a wealth of opinion as to what should and should not be done about BYOD. The volume and diversity of information, much of it from parties with some sort of vested interest or a bias one way or the other, can be daunting. So I hope to offer some independent, relevant and practical points to help organisations facing the BYOD challenge.
Mobile devices are powerful extensions of your IT systems and should be treated as such. A single uncontrolled mobile device with ineffective security controls could potentially present as large a risk to the organisation as a major data centre breach.
Organisations which expose their important information assets to mobile devices should deploy some sort of mobile device management (MDM) environment for those devices. There is a wide range of mobile management systems currently on the market that allow an organisation to effectively manage a diverse fleet of mobile devices. Being able to apply appropriate security policies to any mobile device that is to access sensitive company information makes good business sense. Examples of such policies include remote wiping of lost mobile devices and restricting access to specific, approved applications only.
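To make the two policy examples above concrete, here is an added illustration (not code from the article or from any MDM product) of how an MDM inventory export might be checked against them: a device may hold sensitive company applications only if it is enrolled, remote wipe and a passcode are enabled, and every installed app is on the allowlist the policy assigns to that device. The device records, application names and policy fields are constructed assumptions for the example.

```python
"""Evaluate a mobile device fleet against a minimal BYOD policy set.

Hypothetical policy checker, not part of any MDM product. It takes device
records of the kind an MDM inventory export would contain and reports which
devices fall short of the policies the business has set.
"""
from dataclasses import dataclass, field

# Applications that handle sensitive company information (assumed names).
SENSITIVE_APPS = {"finance-erp", "hr-portal", "corp-mail"}


@dataclass
class Device:
    device_id: str
    owner: str
    mdm_enrolled: bool
    remote_wipe_enabled: bool
    passcode_set: bool
    installed_apps: set = field(default_factory=set)
    allowed_apps: set = field(default_factory=set)  # apps the MDM policy permits


def evaluate(device):
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    sensitive_present = device.installed_apps & SENSITIVE_APPS
    if not device.mdm_enrolled:
        findings.append("not enrolled in MDM")
        # Without enrolment no other policy can be enforced, so any sensitive
        # app on an unmanaged device is itself a finding.
        if sensitive_present:
            findings.append(
                f"unmanaged device has sensitive apps: {sorted(sensitive_present)}"
            )
        return findings
    if not device.remote_wipe_enabled:
        findings.append("remote wipe not enabled")
    if not device.passcode_set:
        findings.append("no device passcode")
    # Access control: only explicitly allowed apps may be installed.
    unapproved = device.installed_apps - device.allowed_apps
    if unapproved:
        findings.append(f"apps outside allowlist: {sorted(unapproved)}")
    return findings


def fleet_report(devices):
    """Map device_id -> findings for every non-compliant device."""
    return {d.device_id: f for d in devices if (f := evaluate(d))}


# Constructed sample inventory: one compliant device, one with policy gaps,
# one unmanaged personal device that already carries a sensitive app.
SAMPLE_FLEET = [
    Device("ios-001", "alice", True, True, True, {"corp-mail"}, {"corp-mail"}),
    Device("android-002", "bob", True, False, True,
           {"corp-mail", "game"}, {"corp-mail"}),
    Device("byod-003", "carol", False, False, False, {"finance-erp"}, set()),
]

if __name__ == "__main__":
    for device_id, findings in fleet_report(SAMPLE_FLEET).items():
        print(device_id)
        for finding in findings:
            print("  -", finding)
```

The checker stops at the enrolment test for unmanaged devices because the remaining controls cannot be verified, let alone enforced, on a device the MDM does not see; that is the practical reason the article ties sensitive data access to enrolment.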
The spillover of individual, consumer-choice technologies into the enterprise is not new; it is just more immediate, pervasive and riskier. Shadow IT in one form or another is here to stay. When it comes to BYOD, CFOs who adopt an open and engaging approach to this challenge will be most likely to win the war of opinions and save the organisation from data breaches and other risks, while helping steer it towards embracing new and innovative technologies that drive value and support innovation.
If your IT department offers a Virtual Desktop Infrastructure (VDI) environment to your mobile device users, this would possibly offer the optimal protection against data leakage to the mobile device. If the device is lost, there is no need to wipe it, as there was never any sensitive data on the device in the first place.
An important part of effectively managing BYOD revolves around the appropriate allocation of accountability within the business. Here are some pointers to those CFOs whose organisations are still coming to grips with BYOD, or are unaware of the associated risks and benefits:
Step 1: Print out a copy of the draft paper put out by the National Institute of Standards and Technology (NIST) entitled Guidelines for Managing and Securing Mobile Devices in the Enterprise (Special Publication 800-124, available as a PDF).
Step 2: Give this 29-page document to your CIO, and take a copy for yourself.
Step 3: Ask your CIO to read the document, asking him or her to highlight the parts that are relevant to you and your organisation. The core information is contained in 18 of the 29 pages in the document.
Step 4: Meet with your CIO and come to a common understanding of what BYOD means for your organisation. If you think you’ve got the BYOD issue all sorted, this document may make you reassess and adjust your position; after all, volatility and change are the norm.
Step 5: Put BYOD on the agenda of the next monthly executive team meeting, if it is not there already.
Pre-issue a succinct BYOD position paper that you have jointly prepared with your CIO and that is relevant to your business and security posture. This should be a business document stripped of technical jargon.
This is an important step in:
- Managing expectations and opinions on BYOD across all senior executives in your organisation
- Ensuring that any subsequent policies and other mandates are fully supported by all executives
- Assigning accountability for the policy settings to the appropriate people in the organisation
The position paper should:
- State what BYOD is and why it is important to your organisation
- Summarise the benefits of BYOD, including a high-level cost/benefit assessment that is relevant to your situation, emphasising that it requires active management
- Summarise the key business risks to the organisation
- State your jointly recommended position. This could be a draft policy, a series of ‘next steps’ or similar, and seek ratification for the course of action you feel is appropriate.
Suffice it to say that you and your CIO should be well prepared to discuss the issues, hear concerns and adjust your position accordingly. At the end of the day, the cost/benefit of the various security measures, as well as the acceptance of the residual risks, rests with the business, not IT alone. As long as the explanation of these risks is comprehensive and rigorous, you should be able to sleep well at night.
Without the visibility and support of all executives across the organisation, the IT leader faces the constant challenge of having to explain why users and managers cannot do what they want with the latest consumer device or gadget. They will then constantly be on the defensive, which is not in the best interests of your organisation.
At the end of the day, it's your organisation’s reputation and brand at stake, not just that of your CIO. If your organisation ignores the BYOD phenomenon, you may as well be inviting bring your own disaster. Diligence should be your collective default position in this regard.
Rob Livingstone is Principal of Rob Livingstone Advisory Pty Limited and a Fellow at University of Technology, Sydney