iPads – to Bring or Not to Bring?

Photo credit: Frank Gaertner/Shutterstock.com

The truth is that employees have been bringing their own devices into the workplace for years, starting with laptops and netbooks, progressing to smartphones, and arriving where we are now, with iPads and other tablets an increasingly commonplace example of the consumerization of business IT. As Jeff Schmidt, global head of business continuity, security and governance at BT Global Services, warns: “these devices can be great tools to enhance and enable business, but it is easy to become cavalier in attitude because they function both professionally and personally, a dangerous combination if the right approach and awareness is not recognized in their use”.

The iPad, though, is especially worthy of attention, not least because it has taken the bring your own device (BYOD) trend to a whole new level and is no longer the preserve of the geeky early adopter. Rather, we are increasingly seeing executives wandering around the office with an iPad in hand, which raises the question: should the CEO bring an iPad to work?

Left to Their Own Devices…

Phil Robinson, director at Digital Assurance and founding associate member of the Institute of Information Security Professionals, reckons that the whole BYOD trend was all but inevitable, given that users have been bringing USB sticks and other removable media into work for more than a decade. It is “the slow replenishment cycle within the enterprise and the desire by individuals to use their devices for work and play” that’s really driving the trend now, Robinson told Infosecurity, adding that it’s not about to go into reverse.

“BYOD is as momentous a change as the evolution of the internet”, Robinson insists. “It enables us to access information and carry out tasks remotely in speedier and more convenient ways. Any organization that ignores BYOD does so at its peril as users will simply find ways to work around the security obstacles in their path.”

Kurt Roemer, chief security strategist at Citrix, agrees that BYOD adoption will continue to spread quickly, as ever more devices are suitable for enterprise usage. He does argue, however, that organizations are not ignoring the issue, far from it in fact: “BYOD policies are rapidly being adopted, with almost half of companies already boasting some sort of formal company policy”, Roemer says. “Almost all (94%) are expecting to have one by mid-2013.”

An Appetite For Risk

When drafting such policies, though, should information security professionals prioritize security or business enablement? Many organizations would agree that BYOD is cost-effective, reducing IT spend on hardware at a time when budgets are being tightened, and that it helps to ensure staff are using the latest technology. The business benefit argument, therefore, cannot be ignored. But neither can the security issues, chief among them the difficulty of maintaining a consistent security standard across the enterprise when the devices are not the enterprise’s own.

So the question of priorities would appear to be a rather complex one on the surface. Dig a little deeper, however, and those with experience in handling the consumerization of the workplace will tell you it’s actually pretty simple.

Take Quentyn Taylor, director of infosecurity, governance and risk at Canon for example, who told us that “security professionals have no choice in letting consumer devices into the business. Security does not exist to secure the company, but to allow the company to manage its risk. Business enablement is a key driver for information security and always has been.”


Taylor is not alone in this sentiment. Neil Campbell, ex-computer crime fighter with the Australian Police and now global general manager of security at Dimension Data, also insists that, put simply, “an infosec professional’s role is to facilitate the process of risk management and then implement the security controls that are required in order to achieve an acceptable level of risk. The mindset of information security professionals should not be to answer every request with a no, but rather to answer the majority of requests with ‘yes, and here is how we can do that safely’”.

Yet nobody would deny that a security breach can have a negative impact across the whole organization, ultimately exposing it to liability and financial loss. “It is within this context that the executive team must work to implement working practices that optimize information security while fuelling business growth”, Roemer advises, concluding that “a modern security strategy is driven by the overall business objectives and information governance.”

Who’s the Boss of Security?

So, to ask the initial question again, should the CEO be allowed to bring whatever technology he/she wants onto the corporate network? If not, who should have the ultimate power to tell them they cannot? Vlad Botic, technology innovation director at international law firm Norton Rose, is in no doubt that it’s a straight governance issue. “If the CEO wants to introduce a new piece of technology”, Botic suggests, then “he or she still needs to abide by the internal laws set aside by the IT department: compliance, risk and so forth”.

Jeremy Spencer, head of corporate propositions at Orange, is equally certain that BYOD security has to be a top-down thing, with the example being set by the CEO.

“A groundswell will build if the CEO is allowed to use [their] own personal tablet device for work”, Spencer warns. However, as Neil Campbell points out, sometimes there is a clear benefit to certain individuals having access to technology that would, if deployed widely, create an unacceptable risk.

“The CEO may or may not be in that group but it could be that sales, R&D, marketing, or any other group should be using a certain device that isn’t appropriate for general use within the organization”, Campbell insists. Let’s not forget, most businesses are not run as some kind of democracy.

“The CEO should be able to bring in whatever technology he or she believes will help improve his or her day-to-day practices”, Kurt Roemer reckons, with the proviso: “as long as required security and privacy policies are enforced”.

Ultimately, though, it isn’t the CEO who defines or enforces those policies. That’s the job of IT and, as Roemer points out, “this clear line of responsibility is especially essential when leveraging BYOD”.

Three Steps to BYOD Heaven

We will leave the last word to the chief security architect at NetIQ, Michael Angelo, who told Infosecurity that the key to implementing a successful BYOD scheme is defining the use of the device, the risks involved in that usage, and the risk to the corporation.

“When it comes to bringing personal devices into the workplace, information security professionals need to enable the CEO to make an informed decision by explaining what the risks are of bringing consumer IT into the workplace and how it can be managed”, Angelo explains.

That risk, he says, needs to be discussed at three different levels: the risk to the corporation and its assets, such as IP, customer data and business plans; the risk to the customer’s assets and personally identifiable information; and the risk to the employee, in terms of what BYOD means for them, their assets, and any business or personal information that may be held on the device.

“Only by communicating the potential threat to information or the company’s reputation”, Angelo concludes, “can the IT department enable the CEO to make an informed decision regarding BYOD”.

 

BYOD: HEAD TO HEAD

For

Peter Cox, CEO of UM Labs, argues that the BYOD tide is unstoppable and any attempt to control it will fail. “Security departments that attempt policies prohibiting BYOD spend all their time in a futile effort to enforce the policy at the detriment of the real security issues”, Cox warns, adding “from a security standpoint it is far better to embrace it and turn it to an advantage.” With the correct policy in place he sees no reason why the CEO, or anyone else, should leave their iPad at home. “Many organizations – including a number of law enforcement bodies – are actively pursuing BYOD policies and are extending the security controls beyond data by harnessing the power of tablets and smartphones to encrypt both calls and voicemails”, Cox told us. “The BYOD policy enables these additional security controls to be implemented while at the same time reducing operational costs, because user-owned devices are likely to be upgraded more frequently than devices on corporate contracts and because the cost of a corporate contract can be avoided by piggy-backing on a personal contract.”
Against

Pavel Luka, CTO at ESET, argues that while it may seem like a good idea to let the CEO and other employees use their favorite hardware, those responsible for corporate security have good reason not to agree. “A typical corporate laptop would have full-disk encryption, a security solution deployed and up-to-date patches installed regularly by skilled professionals, and the user would have no admin rights and therefore limited possibility to do something stupid”, Luka insists. He continues: “some say that virtualization enables safe BYOD, running a tied up and secured corporate virtual machine for work or even just a thin client on a personal device, but I think there are still considerable risks such as key-logging malware”. As for the actual question of whether the CEO should leave his or her iPad at home, Luka provides us with the perfect answer: “they should ask their CISO”.

 
