When one thinks of BYOD, concepts like cloud, mobile, virtualization, policies, cost efficiencies, productivity, mobile device management, containerization, privacy, and even the well-known term “bring your own disaster” come to mind. Despite the growing popularity of the BYOD trend, not all organizations have a broad understanding of the term or a well-conceived plan for how to manage BYOD. This article will seek to offer organizations a practical way to think about BYOD risk, security and policy.
In a recent conversation, a CISO discussed how some organizations voluntarily implement BYOD without a holistic approach, leaving backdoors to policies and/or controls that may jeopardize secure systems. This conversation also made me think about how other organizations are involuntarily implementing BYOD initiatives, since many of their employees are using privately owned devices to download corporate emails.
Even though we know that increased employee productivity, satisfaction and mobility, the cost savings associated with reduced endpoint hardware procurement, and reduced operational support costs are motivating factors for BYOD deployments, the truth is that security should be put above all of these. The CISO and his/her organization should conduct due diligence to understand all of the challenges associated with BYOD initiatives. For instance, implementing a virtualized environment to enable mobility/BYOD without the proper policy in place does not make sense. This is because it will not “prevent” users from downloading files to their devices when there might also be a backdoor in your web/proxy policy that allows employees to access Gmail, Dropbox or any other such Web-based application. Moreover, one must define the business purpose of a BYOD implementation. The most common purposes are email, calendar, contact management, document creation/editing, and access to the intranet, company built-in apps, and even enterprise app stores.
After that, it’s important to identify the composition of the audience from a profile and device perspective. A good understanding will enable you to make the most of the BYOD initiative, while also helping you to identify the types of devices that would be used. For example, a presentation at a recent Gartner Summit showed that the most popular device in developed countries is iOS, while in emerging countries it is Android, and that by 2016, smartphones will be 78 percent of total global handset shipments. Such information is helpful when predicting what BYOD devices to plan for.
BYOD demands mobile app development for business purposes, beyond just apps for customers. Thus, it’s essential to collaborate with the development team to understand their mobile application development strategy and sync it with your BYOD policy. Creating an internal iOS application when your policy is limited to Android devices, for example, does not make much sense. These days, organizations should ensure their mobile enterprise application platforms are multi-platform and multi-channel-oriented.
Defining BYOD policy is also crucial. To help you craft a successful policy, I’ve created a checklist. If you define the following elements in your BYOD policy, you will be on the road to a secure, mobile-friendly work environment:
BYOD initiatives demand new security controls to minimize risk and additional IT resources to manage security initiatives. Yet, since the office of the future demands flexibility, mobility and convenience, it is obvious that BYOD is something that is here to stay. Thus, organizations should embrace it, evaluate it, and implement all required controls and resources necessary for success. Good luck!
Leonel Navarro is Practice Manager & Business leader for Softtek Information Security Practice. He is a certified project management professional (PMP) and a certified information systems security professional (CISSP). Navarro’s twelve years of experience in IT operations with teams based in Mexico, the United States, and China, combined with critical customer-facing positions he has held, enable him to perform the overall coordination of the Sales, Marketing, Product Management and Strategic Alliances strategy for Softtek’s Information Security Service offering while overseeing the delivery of those services with existing clients. Leo holds a Bachelor in Electrical Engineering & Computer Architecture from ITESM.