That was the name of the session I moderated this morning at the RSA Conference in San Francisco. Given that there were about 250 people in attendance in the room (on the last day of the conference no less), I don’t think I’d be going out on a limb to say that it’s a question on many people’s minds…particularly those people who are interested in or responsible for security in the workplace.
I thought it was a very good panel…especially because there was disagreement amongst the panelists. One of the key points to come out from the session was that organizations need to understand the difference between BYOD and the Consumerization of IT (where have I heard that one before?). It was an important point to make, one where I saw a number of people in the audience nodding their heads as they seemed to grasp more clearly that the two are not the same.
What I love about this topic (generally speaking) are all the subtle nuances that can come up in an organization. Sure, some companies had already implemented BYOD, and some were still on the fence about it.
But what about a scenario where a company that has yet to implement BYOD is acquiring a company that has implemented a full BYOD strategy? It is a very basic scenario and, interestingly enough, not one I had thought of before. This was the scenario that one of the attendees brought up. He saw a lot of value in the COPE (corporate-owned, personally enabled) model, since it would let him please both groups.
The other major thing that came out of the session was best described by another audience member’s comment:
“BYOD is not actually about the device, but rather about mitigating the risk of information loss from/via mobile devices.”
Amen! Everything we’re talking about these days, whether it’s BYOD, COPE, “security,” blah blah blah, is all about mobile risk management and then leveraging technology solutions to mitigate that risk. The question, of course, becomes far more complex when you take into account cloud services such as Dropbox, where the organization will potentially lose even further control of the (mobile) data.
By the time the house manager rudely interrupted us (in fairness, he did have to prep the room for the next session), we had concluded two things. First, the conversation could have easily gone on another hour, and second, managing mobile risk is very complex in the context of BYOD and there may never be one “best” approach to handling it all. Boy, is this a fun place to be right now.