BYOD has very little to do with technology and everything to do with security, organizational politics, and human psychology.
Shadow IT has been big news lately. Hillary Clinton is still trying to recover from the public beating she endured over her use of a private email server instead of the government’s while Secretary of State. Even more dramatic, but not as well-reported, is the story of a US ambassador to Kenya who ran his office, including his own internet connection with a personal Gmail account, out of an embassy bathroom in Nairobi rather than use the government’s IT resources.
The public was shocked and the media apoplectic, but not many technologists registered much surprise over these tales. This is business as usual for most of us because it seems that if IT departments aren’t waging epic battles with the business over rogue cloud deployments, they’re fighting with users demanding more freedom of choice in how they use technology for their jobs. Consumerization has raised the bar with an expectation for a better variety of applications, newer devices and an increasing level of flexibility and privacy. If IT departments can’t or won’t deliver, then users go elsewhere, with or without the permission of security teams.
Where BYOD goes wrong
As most organizations discover, BYOD has very little to do with technology and everything to do with security, organizational politics and human psychology. It’s all about enterprise control vs. user autonomy. Often users feel like pawns, disrespected by their leadership and especially by IT departments, who typically assign a “one size fits all” corporate craptop loaded down with so much bloatware, it seems like a throwback to 1998. This situation is especially frustrating when the user has specific needs driven by a job role or personally owns better technology, but can’t get anyone within IT to meet him or her halfway.
BYOD is no longer optional
This is where the communication breakdown starts. IT wants standards for ease of management and securing of the organization’s assets, mainly data. Users don’t want to think about the “how” of technology, they just want something familiar or comfortable that helps them get their work done. Moreover, if neurophilosopher Andy Clark’s concept of extended mind is accurate, they’re potentially identifying with a personal mobile device as an extension of their cognitive toolset. If both parties continue to be intractable, the result is a full-blown policy war, with information security as the victim.
BYOD doesn’t start as a technology problem
Here’s the main source of confusion. Most organizations already have some form of BYOD, probably unsanctioned by IT. Information security teams need to understand that even if there is no official policy, there’s an implicit one. In the absence of NAC or 802.1X enforcement, then it’s pretty likely that users are plugging unapproved devices into the network. Just check the visitor wireless network, because that’s usually a haven for employees’ rogue devices.
This all seems pretty innocuous at first, allowing employees to use their own cell phones and tablets to check their work email and calendars. Less time and effort for IT staff in managing pesky mobile devices and users are much happier with the latest and greatest technology. If you throw in the carrot of a device subsidy, you can get a higher adoption rate, with the ultimate business goal of eliminating the purchase of mobile devices for staff altogether. Just ignore that doom and gloom from the information security team about the vulnerability of mobile devices and confidential data leakage. All you need to do is install some security controls and everyone is happy, right?
Good BYOD is found in policies and procedures
Does your organization have data classification with handling standards? Is there user classification with some kind of identity management? Without these standards, you can’t have good access control or data protection, much less effective BYOD controls. Do you have an acceptable use policy with an end-user agreement? Implementing security controls without underlying policies and standards is an exercise in futility. An inconvenience, a mere hurdle to be got around by a user community and subject to the whims of an operations team or yearly budget cuts.
Formalizing BYOD needs buy-in from the organization
Any attempt to formalize policies, standards and procedures for BYOD should be undertaken with the understanding that it will only be successful if it’s an organizational initiative. Human resources could have concerns regarding about how accessing or responding to work email will impact the status of non-exempt employees. Legal will worry about the protection of confidential material and how to address the subpoena of a personal device. Audit and compliance teams will need assurance that regulations are being followed and enforced.
Ignore BYOD at your peril
If Gartner is to be believed, 38 percent of companies will stop providing devices by 2016. Accurate or not, BYOD is perceived as a cost saving measure and IT is facing increasing demands to provide value to the business. Security teams should stop arguing with reality, understanding that their worth lies in facilitation of the business, not obstruction. While embracing BYOD can certainly increase risks, denying the trend of consumerization is even more dangerous for an organization. The network perimeter has morphed into something more nebulous and security architecture must align with this evolution or be left behind.