How BYOD Revolutionized the Role of CISO
BYOD has brought sweeping changes to the enterprise over the last several years. Nowhere is this more apparent than sitting at the head of IT Security in the role of CISO. Having served in this role at companies like Disney, TiVo and Salesforce during this pivotal time, I can say that it’s an interesting seat to have.
As a user I embraced BYOD, excited to trade out my beloved BlackBerry for a shiny new iPhone. However, as I began to push the limits with my iPhone, I also began to see the security implications that came with it. As such I was initially heavy-handed with my organization’s mobile policy. What I did not account for at the time was that as my users, also excited to use their shiny new iPhones,started bringing them to work, they were forcing the issue of BYOD. Over time, these users have become a driving force in shaping mobile policies and, subsequently, the role of a CISO.
If You’re Reading This, It’s Already Too Late
As a CISO, the key to developing a mobile strategy is to understand that mobile is already part of your enterprise. Whether or not you choose to embrace a mobile policy, employees have established their own. I recently spoke with two CISOs both of whom had banned corporate data on mobile devices only to discover that users have been transferring files to their mobile devices using Dropbox and YouSendIt to circumvent security controls. Once we accept that our data is already mobile, we can begin understanding the risks we face and options for securing our data, applications and internal access.
Collaborate to Stay One Step Ahead
Talking to our co-workers about which mobile applications they use and why helps us understand where we have opportunities to regain control of the data without limiting the user’s ability to do their job effectively. It also allows us remain ahead of the technology trends that emerge within our organization. It’s true that in trying to reduce costs, make life easier and give users a choice, we gave up control and allowed IT to become a democracy where users have an equal vote. Sometimes this feels like a mistake, but in reality it is a step forward. (Really it is!) Our users are more productive and happier – these are the most important metrics by which to measure the success of our mobile strategy. From my own experience, had I spent less time trying to keep data in my walled garden and more time ahead of the curve by enabling users, it would have made my life much easier. I wouldn’t have been at the mercy of the users; I would have been making policies that worked for them and the organization.
In the early days of BYOD, we just didn’t see how explosive it would be, and we all went with the easiest implementation path. Had I known what I know now, I would have focused less on blocking and more on protecting. I would have accepted that BYOD was going to be common, and every user would control their mobile work environment, then I would have built a strategy around making this mobile environment secure.
A Comprehensive Approach
When I began adopting mobile policies to meet the growing demands of BYOD I started small, added solution by solution, and eventually ended up with something time-consuming and unmanageable that didn’t really work that well. The users were still going around our solutions, and we didn’t have any insight into our risks. What we needed was a comprehensive, integrated approach, not a bunch of Band-Aids.
Mobile security is complex. It crosses many areas of security from configuration management to encryption, all the way into identity management and remote access. The PC rules just don’t apply to mobile. These devices are often user-owned; we don’t have low-level control of the OS, and due to their short refresh time, these devices are adopting newer technology standards faster than our traditional infrastructure. Piecing together a solution only works in the most basic of scenarios – not when we need to truly meet the user and security needs, while managing cost and support time. Starting with a clear strategy of what the organization and users need to achieve and implementing solutions and policies to meet these needs early will save time and money, and will result in less overhead.
The Way Forward
Hindsight is 20/20. Had I known six years ago what I know today, there are a number of things I would have done differently. The following are three:
1. Define a strategy and a policy. The three things your mobile strategy needs to take into account are: users’ needs, productivity and security. Understanding where you have opportunities to regain control of data, without limiting the ability of your coworkers to do their jobs effectively, allows you to stay ahead of technology trends and evolve with your organization. If the mobile strategy doesn’t account for user needs, it will fail.
2. Be device agnostic. Technology is a moving target – devices and operating systems are all constantly evolving, meaning your mobile strategy will need to do the same. Your mobile strategy will need to adapt to new devices and OS versions, and be built around the devices in your organization.
3. Evaluate and define risks. Chasing problems caused by outliers is a surefire way to overwhelm IT. Not only is that time-consuming, it’s inefficient, as you’ll undoubtedly need to repeat your efforts every six months.
The BYOD-era CISO can no longer afford to reject technology. The new CISO needs to be a leader, empowering user mobility (and subsequent productivity). By acting as a facilitator instead of a gatekeeper, the modern-day CISO not only sets the tone and direction of mobile policy, he is able to more easily secure corporate data.
