Security Blog


How BYOD Revolutionized the Role of CISO

January 28, 2014

BYOD has brought sweeping changes to the enterprise over the last several years. Nowhere is this more apparent than sitting at the head of IT Security in the role of CISO. Having served in this role at companies like Disney, TiVo and Salesforce during this pivotal time, I can say that it’s an interesting seat to have.

As a user I embraced BYOD, excited to trade out my beloved BlackBerry for a shiny new iPhone. However, as I began to push the limits with my iPhone, I also began to see the security implications that came with it. As such, I was initially heavy-handed with my organization’s mobile policy. What I did not account for at the time was that my users, also excited to use their shiny new iPhones, started bringing them to work and forced the issue of BYOD. Over time, these users have become a driving force in shaping mobile policies and, subsequently, the role of a CISO.

If You’re Reading This, It’s Already Too Late

As a CISO, the key to developing a mobile strategy is to understand that mobile is already part of your enterprise. Whether or not you choose to embrace a mobile policy, employees have established their own. I recently spoke with two CISOs, both of whom had banned corporate data on mobile devices, only to discover that users had been transferring files to their mobile devices using Dropbox and YouSendIt to circumvent the security controls. Once we accept that our data is already mobile, we can begin understanding the risks we face and our options for securing our data, applications and internal access.

Collaborate to Stay One Step Ahead

Talking to our co-workers about which mobile applications they use and why helps us understand where we have opportunities to regain control of the data without limiting the user’s ability to do their job effectively. It also allows us to remain ahead of the technology trends that emerge within our organization. It’s true that in trying to reduce costs, make life easier and give users a choice, we gave up control and allowed IT to become a democracy where users have an equal vote. Sometimes this feels like a mistake, but in reality it is a step forward. (Really, it is!) Our users are more productive and happier – these are the most important metrics by which to measure the success of our mobile strategy. From my own experience, had I spent less time trying to keep data in my walled garden and more time ahead of the curve by enabling users, it would have made my life much easier. I wouldn’t have been at the mercy of the users; I would have been making policies that worked for them and the organization.

In the early days of BYOD, we just didn’t see how explosive it would be, and we all went with the easiest implementation path. Had I known what I know now, I would have focused less on blocking and more on protecting. I would have accepted that BYOD was going to be common, and every user would control their mobile work environment, then I would have built a strategy around making this mobile environment secure.

A Comprehensive Approach

When I began adopting mobile policies to meet the growing demands of BYOD I started small, added solution by solution, and eventually ended up with something time-consuming and unmanageable that didn’t really work that well. The users were still going around our solutions, and we didn’t have any insight into our risks. What we needed was a comprehensive, integrated approach, not a bunch of Band-Aids.

Mobile security is complex. It crosses many areas of security, from configuration management to encryption, all the way into identity management and remote access. The PC rules just don’t apply to mobile. These devices are often user-owned; we don’t have low-level control of the OS, and due to their short refresh cycle, these devices adopt newer technology standards faster than our traditional infrastructure. Piecing together a solution only works in the most basic of scenarios – not when we need to truly meet the user and security needs while managing cost and support time. Starting with a clear strategy of what the organization and users need to achieve, and implementing solutions and policies to meet those needs early, will save time and money and will result in less overhead.

The Way Forward

Hindsight is 20/20. Had I known six years ago what I know today, there are a number of things I would have done differently. The following are three:

1.    Define a strategy and a policy. The three things your mobile strategy needs to take into account are: users’ needs, productivity and security. Understanding where you have opportunities to regain control of data, without limiting the ability of your coworkers to do their jobs effectively, allows you to stay ahead of technology trends and evolve with your organization. If the mobile strategy doesn’t account for user needs, it will fail.

2.    Be device-agnostic. Technology is a moving target – devices and operating systems are constantly evolving, meaning your mobile strategy will need to do the same. Your mobile strategy will need to adapt to new devices and OS versions, and be built around the devices actually in use in your organization rather than a single approved platform.

3.    Evaluate and define risks. Chasing problems caused by outliers is a surefire way to overwhelm IT. Not only is that time-consuming, it’s inefficient, as you’ll undoubtedly need to repeat your efforts every six months when the next device or OS version arrives.

The BYOD-era CISO can no longer afford to reject technology. The new CISO needs to be a leader, empowering user mobility (and the productivity that follows from it). By acting as a facilitator instead of a gatekeeper, the modern-day CISO not only sets the tone and direction of mobile policy, but is also able to more easily secure corporate data.
