The official hub of The Enterprise Mobility Foundation

How Do You CYA In a BYOD World?

That was the name of the session I moderated this morning at the RSA Conference in San Francisco. Given that there were about 250 people in attendance in the room (on the last day of the conference no less), I don’t think I’d be going out on a limb to say that it’s a question on many people’s minds…particularly those people who are interested in or responsible for security in the workplace.

I thought it was a very good panel…especially because there was disagreement amongst the panelists.  One of the key points to come out from the session was that organizations need to understand the difference between BYOD and the Consumerization of IT (where have I heard that one before?).  It was an important point to make, one where I saw a number of people in the audience nodding their heads as they seemed to grasp more clearly that the two are not the same.

What I love about this topic (generally speaking) are all the subtle nuances that can come up in an organization.  Sure, some companies had already implemented BYOD, and some were still on the fence about it.

But what about a scenario where one company that has yet to implement BYOD is acquiring a company that implemented a full BYOD strategy?  A very basic scenario, and interestingly enough, not one I had thought of before.  This was the scenario that one of the attendees brought up. Interestingly, he saw a lot of value in the COPE model so that he could actually please both groups.

The other major thing that came out of the session was best described by another audience member’s comment.

BYOD is not actually about the device, but rather about mitigating the risk of information loss from/via mobile devices.

Amen!  Everything we’re talking about these days, whether it’s BYOD, COPE, “security,” blah blah blah is all about mobile risk management and then leveraging technology solutions to mitigate that risk. The question, of course, becomes far more complex when you take into account Cloud services such as Dropbox where the organization will potentially lose even further control of the (mobile) data.

By the time the house manager rudely interrupted us, (in fairness, he did have to prep the room for the next session) we had concluded two things.  First, the conversation could have easily gone on another hour, and second, that managing mobile risk is very complex in the context of BYOD and that there may never be one “best” approach to handling it all.  Boy is this a fun place to be right now.

5 Comments

  1. Posted March 2, 2012 at 15:22 | Permalink

    Was a great session; I appreciated the disagreement amongst the panel as well; very diverse perspectives as we all struggle to maintain security and manage risk.


  2. Posted March 5, 2012 at 08:50 | Permalink

    Interesting commentary and indeed this is a fun place to be now.

    I view BYOD vs Consumerization as the WHAT vs the HOW. In all due respect to your audience member, BYOD is really just about the device. It is more of an accounting/legal issue than a risk issue. You can lock down any consumer device with a GOOD or other policy based MDM and eliminate virtually all risks. It is more end user convenience vs consumerization.

    Consumerization is HOW we use a mobile device, regardless if it is a corporate sponsored or BYOD flavor. Can they store local content?; can they download any app on a public APP Store?; can they use location based services; can they use public social media?; can they forgo passwords; etc. You can have a 100% corporate sponsored program and assume huge risks by not paying attention or surrendering to the consumerization mantra.

    The challenge is when employees want to play mobile in the business world like they do at home in the consumer world, how can you effectively mitigate those risks vs just holding up the typical IT Security Stop Sign.


    • Posted March 8, 2012 at 07:29 | Permalink

      “end user convenience vs consumerization” – what do you see as the difference between the two? I’d be curious to know.


      • Posted March 8, 2012 at 11:04 | Permalink

        Convenience vs Consumerization could be viewed as follows….

        We have an iPhone Standard. The end user has a personal iPhone. In a BYOD scenario, it is simply a matter of convenience for that user that he/she does not need to carry two phones. Assume we accept/allow Samsung Android devices into our BYOD program. It is now just a matter of convenience that he/she does not need to carry BOTH a Samsung and an iPhone.

        The Consumerization part comes into play more as to “how” they use the device. e.g. do we allow or permit any download off a public app store? Do we allow or permit local storage? Do we allow or permit the use of popular cloud offerings like Dropbox? Do we pay for or fund Texting, a popular consumer activity? Do we do any Geo Fencing? Do we allow playing WordsWithFriends over lunch; etc… As a “consumer” end users have full rein to do whatever they want – and they want a lot! Once they enter the corporate world, BYOD or Not, they still expect and sometimes demand to have those same privileges.

        My only point was that these consumerization demands and expectations arise regardless of any BYOD program. They (users) would just prefer to do these activities on their own device as a matter of convenience.

