Wisegate is a community of senior IT professionals. It frequently holds and reports on round table discussions among its members. These discussions are generally under Chatham House rules, so the reports describe what was said, but not who said it. The weakness is that individual names and companies are not specified; the strength is that this leaves members to talk freely about their own experiences even where the subject might otherwise be considered sensitive. And the value to non-members is that these discussions provide practical and independent non-vendor experiences.
Last year a survey among Wisegate members highlighted security concerns for 2013. High on the list was BYOD. Since then a group of CSOs from major companies have discussed how they are handling the problem in their own companies.
Although a small number of companies simply ban BYOD, the general consensus is that it is unavoidable – although the actual value is questioned. “Many of the company’s resources are already accessible via personal devices (via web browsers and apps), whether or not that was the intention,” said one member. “So people are capable of doing this anyway at least to some extent, and the burden is on IT to make sure it is providing solutions to make sure they can safely create and use data.” But as the CSO from a mid-size energy company commented, “The technology doesn’t scare me, the people using it scare me.”
However, imposing security on the people who use the technology can be difficult. “If we said, ‘We’re going to install a lot of heavyweight, centralized management, central controls, lots of restrictions,’ I probably wouldn’t have a job here,” said another CSO. “The users just wouldn’t use it and they would all retaliate and go do something else that would work around all of our controls. At the end of the day, trying to have too much restriction would be a lose/lose.”
One clear conclusion is that there is no simple solution and no single BYOD policy that will suit all companies – nor even a single approach that can be applied throughout a single company. For example, the various approaches include disallowing BYOD altogether, allowing users’ own devices at their own expense, wholly or partially funding mobile devices, partially funding some devices for some staff – and then allowing different degrees of access to different members of staff. “A CSO in the insurance industry said her organization is made up of multiple companies with a hodgepodge of arrangements,” says the report.
The overall impression from the report is that CSOs are trying to balance maintaining security while relaxing restrictions. This can be seen in a comparison of ‘allowed’ devices in 2011 and 2012. Apple’s iDevices and RIM’s Blackberry are generally considered to be the most secure mobile devices. In 2011 this was reflected by 78% of companies allowing iDevices, and 71% of companies allowing Blackberries. Only 46% allowed Android. By 2012, however, Apple and RIM had reduced to 60% and 53% respectively, while Android had increased to 53%.