Manage BYOD to avoid the risks of Bring Your Own Disaster

Shadow IT in one form or another is here to stay, and when it comes to BYOD, IT leaders who take an open and engaging approach to the challenge are the most likely to win the opinion war.

Mobile devices (including wearable technologies) are powerful extensions of enterprise IT and should be treated as such. A single uncontrolled mobile device holding corporate data or credentials, with ineffective security controls, can present as large a risk to the organisation as a major data centre breach.

Because a critical element of managing BYOD effectively is the appropriate allocation of accountability within the business, I thought it may be useful to offer some pointers to those IT leaders still coming to grips with BYOD.

Step 1:  Print out a copy of the draft paper put out by the National Institute of Standards and Technology (NIST) entitled “Recommended Security Controls for Federal Information Systems and Organizations [SP800-53].”

Take the printout, go to the local coffee shop, sit down and order your favourite brew. Then read the document, highlighting the parts that are relevant to you and your organisation. The core guidance is contained in 18 of the draft's 29 pages. If you think you have the BYOD issue all sorted, this document may make you reassess and adjust your position; after all, volatility and change are the norm.

Step 2:  Put BYOD on the agenda of the next monthly Executive team meeting, if it is not there already.

Pre-issue a succinct BYOD position paper that you have prepared and that is relevant to your business and security posture. This should be a business document stripped of technical jargon. Ask your neighbour or spouse to proofread it: if they are not in IT and can understand it, it is ready to send to the Executive.

This is an important step in:

  • Managing expectations and opinions on BYOD at the senior management levels of your organisation
  • Ensuring that any subsequent policies and other mandates are fully supported by all executives
  • Assigning accountability for the policy settings to the appropriate people in the organisation, with expert guidance from you

I would suggest that you include in your position paper aspects such as:

  • What BYOD is and why it is important to your organisation
  • A summary of the benefits of BYOD, including a high-level cost/benefit assessment relevant to your situation, emphasising that BYOD requires active management
  • A summary of the key business risks to the organisation
  • Your recommended position. This could be a draft policy, a series of ‘next steps’ or a set of options. Then seek ratification for the course of action you consider appropriate. It is beyond this regular column to expand on this in much detail; suffice it to say that you should be well prepared to discuss the issues, hear concerns and adjust your position accordingly. At the end of the day, the cost/benefit of the various security measures, as well as acceptance of the residual risks, rests mostly with the business. As long as your explanation of these risks is comprehensive and rigorous, and the decisions are made on the basis of sound, unbiased advice, you should be able to sleep well at night.

Without the visibility and support of all executives across the organisation, the IT leader faces the constant challenge of having to explain why users and managers cannot do whatever they want with the latest consumer device. You will constantly be on the defensive rather than proactively managing and guiding the organisation through the enterprise IT minefield, a position that, I am sure you will agree, is rather corrosive to the role of enterprise IT.

At the end of the day, if you can ensure that the key executives appreciate that it is the organisation's reputation and brand that are at stake, not just yours, then the war will largely be won, not only for BYOD but also for the other side effects of Shadow IT.

This article was written for CIO Magazine and appeared in their September/October 2012 Edition