Toward the end of our teleconference briefing with Cisco Systems Inc. CTO of security architecture Nasrin Rezai, I opened the Q&A with the stock question I always ask whenever someone brings up the issues of security and the bring your own device movement.
“Why don't we just say no?”
Maybe it's because I'm an old coot, maybe it was the walking to school uphill both ways in the snow, but the Millennial sense of entitlement to bring whatever device they want into the enterprise regardless of its security profile rankles, quite frankly. Where's the backlash from IT? (I wanted to ask our own director of IT about this, but he was on his iPhone.)
The truth is, of course, that some organizations, or at least branches of organizations, do say no. And that not only applies to the BYOD issue, but also to social media and other employee-related risk vectors that are deemed too, well, risky for the organization's security posture and regulatory regime, says Rezai.
“BYOD doesn't mean the same thing to everyone,” she said. Distinctions are made based on the user community; contractors and partners might not have the same access as full-time employees, for example. It's all about visibility into the devices and their context. “The trick is, if I want to say yes, how do I do it?”
Allowing employees to choose their own devices or use social media in a work context allows the organization to set up a governance regime at the door. Negotiating the rules of use is the collaborative job of business sponsors, human resources, and IT. “Legal needs to be very much involved in that,” Rezai says.
While I buy into the productivity boost of a mobile device, I still feel that a consistent device profile is necessary. With apologies to Maslow's Hierarchy of Needs, employee self-actualization is pretty much the top of the pyramid, whereas information security is a more fundamental need. I might not be alone in that thinking, but my side's not likely to win this battle.
Tim Currie, Cisco Canada's vice-president of borderless networks, reminds me of the rogue Wi-Fi access point issue of a few years ago. When APs became inexpensive and easy to configure, they began popping up everywhere in the enterprise. Unfortunately, with no policy for them to conform to, they went largely unsecured. An unsecured access point was the flaw in the TJX data breach in 2006 to 2007 that allowed thieves to make off with the financial information of more than 90 million customers. People will do these things behind the enterprise's back.
I have a bone to pick with that argument. When the wave of employee-enabled wireless APs hit enterprise IT, enterprise IT hit back. IT didn't issue policies; IT put its collective foot down.
One difference is, for better or for worse, BYOD is a deluge, not a wave. “They're doing it anyway, and corporate data is being exposed,” Currie says.
The bottom line is, as Rezai says, “Don't let BYOD happen to you.” Have a strategy and governance model, and be prepared.