BYOD Security Gotchas

I've spent a fair amount of time lately on BYOD (Bring Your Own Device), mobile devices, and related issues around information/cyber security. Yes, we are still firmly in the hype cycle but some mobile device security patterns are starting to emerge.

Many organizations still consider BYOD an all-or-nothing proposition -- adopt a draconian policy with no network access whatsoever or let everyone connect with any type of device. When most organizations end up granting network access, they do so with no business alignment. In other words, there are no business objectives, Key Performance Indicators (KPIs), or strategic plans for future business advancement. Rather, everyone gets access under the vague notion that mobile devices will somehow make employees more productive.

At the other extreme, I see some companies taking the time to establish granular policies around who is allowed to use a mobile device to access the corporate network, under what circumstances (e.g., physical location, time-of-day, etc.), and what they are allowed to do. That is a great start, but it's not uncommon for organizations to take the time to craft these kinds of thoughtful policies only to realize that they don't have the network or security controls to enforce them.

As with all other IT initiatives, enterprise firms need a prudent approach to BYOD -- one that supports the business without adding a lot of additional risk. Accomplishing this mandates two parallel projects:

  1. Business, IT, and security executives must collaborate on objectives, policies, and metrics. This process must go beyond basic access and employee productivity rhetoric and really dig into what the organization wants to do and what it wants to avoid. It is also crucial that companies establish a plan for measuring their progress. Finally, it is worth doing some research to see how progressive firms are using mobile devices to streamline business processes, improve communication, or enhance customer services.
  2. CIOs and CISOs need a reality check. Before getting too far down the policy creation road, IT and security executives need to understand their current capabilities and what's still missing. This information will help organizations ease into BYOD while creating a blueprint for future network and security requirements. It's worth the time to speak to your networking and security vendors about plans and future needs. Personally, I've heard good stories from Cisco, Enterasys, Extreme Networks, and Juniper in this area.

There's no denying that iPads and Androids are cool devices that have real potential for most businesses. That said, we really need to take a step back from industry ga-ga and treat BYOD with more careful and well-resourced business and IT planning.
