Jozef Krakora | August 02, 2012
Over 25 years ago, I remember being confused when I learned that my father, a manufacturing line machinist and engineer, personally bought and brought most of the tools he used at work, instead of using the tools available in the factory workshop. Interestingly, today’s knowledge workers often do just the same thing – they bring their own tools to work. These days, what confuses and challenges most of us is how to manage the security of all these devices, given their unpredictable context. If only the security concerns were just as simple as they were 25 years ago.
The Bring Your Own Device (BYOD) era is clearly here and well founded. As the New York Times referenced, Forrester Research discovered last year that 48% of knowledge (or information) workers bring their own smartphones, regardless of IT departments’ blessings. It doesn’t stop with smartphones though. Many of us bring, or would like to bring, our own laptops, iPads, monitors, mice, keyboards, office chairs, desk lamps, software and probably more. The key question, given this trend, is how to effectively manage security given all the devices IT managers can’t control.
Security managers love control, visibility, and clarity around the scope of technology systems that impact their company’s security posture. Sadly, with BYOD, they often have none of these three luxuries around users’ endpoints. So what to do? My short answer is they have to embrace uncertainty, and remain vigilant: BYOD impacts only one of the three elements of a strong security program – the technology at the endpoint and its context. We can still control the process (policies and procedures), and people, just as we did 25 years ago.
In fact, one can look at this situation as an opportunity to further justify strong policies and procedures around how we allow any device to access our networks and corporate infrastructure. Policies and procedures can require minimum acceptable safeguards on employee-owned devices. Just as desk lamps and monitors must be UL tested, for instance, computers, iPads and software (or apps) can be tested and controlled in various ways using vulnerability assessment tools and network segmentation strategies. Policies can also require employees to share responsibility and liability around negative impacts and costs of security incidents associated with employee-owned devices.
Finally, security managers can also be optimistic and happy. In this BYOD era, it is very possible that many security managers will actually have less to worry about than before. If they regard any employee-owned device as one less device that they are completely responsible for, and one more device for which they have, through well-designed policies, outsourced some, if not most, of the responsibility and liability, they can be quite content. I’m reminded of my father telling me how popular he was at work, what with many of his co-workers looking to borrow his superior-quality tools, his manager admiring his high-quality workmanship, and his company silently appreciating avoided expenses that he carried himself.