Support BYOD – Or Else
Dan Lohrmann
Cybersecurity Leader | CxO Advisor | Bestselling Author | GT Blogger: 'Lohrmann on Cyber' | Global Keynote Speaker | CISO Mentor
Over the weekend, I read an intriguing LinkedIn post by Steve King entitled: “Please, No More BYOD.”
The article has generated a lot of buzz with hundreds of likes and comments on LinkedIn. And I can relate to the feelings of the many people, especially security pros, who have this viewpoint. You just want to protect the enterprise, right?
But let me explain why I disagree - using a rookie CISO story that goes back more than a decade, but is directly related.
Back in 2004 when I was the CISO in Michigan government, I was firmly against Wi-Fi. Why? It was not secure, in my view.
I had plenty of war-driving stories, scary magazine breach headlines and an abundance of Washington DC three-letter agency white papers to back up my ‘Wi-Fi is a bad idea’ arguments.
Until one day, I almost got fired when I insisted that we could not put Wi-Fi in our government conference rooms. I said, “We just can’t do it. Not secure. Bad idea. I’m vetoing the project!”
My boss, and state CIO at the time, was Teri Takai. Teri later went on to become the CIO in California Government and at the Department of Defense. Teri said, “Dan, if that’s your answer, you can’t be the CISO in Michigan.”
Teri went on, “I’ve been to Dow, Ford, Chrysler and GM, and they all have Wi-Fi in their conference rooms. So you need to figure out what they know that you don’t know and then come back and tell me how we’re going to implement Wi-Fi securely. And I’m giving you one week.”
That meeting started a transformation in my security career. I began to rethink my role, my team’s mission and how we were being perceived. I refocused my tactical and strategic initiatives to become an enabler of innovation – with the ‘right’ level of security. We went on to win awards for secure Wi-Fi deployments in government a few years later.
And there was a larger lesson for me from this experience. I now constantly ask myself: am I bringing the organization problems or workable solutions?
As I look back at my early years as a CISO, I see so many blind spots. Yes, I cared passionately about information security. We launched numerous projects, like deploying encryption on laptops, and marketed better ways to protect the enterprise. I also had the necessary technical skills to do my job. But I was putting up unnecessary roadblocks. I was a hindrance to management and not offering the business a range of technology solutions with different risk levels.
I had forgotten, or never truly learned up to that point, the real reason for the security team’s existence. The security leader (and team) must be trusted advisors offering the business secure technology solutions. Security doesn’t exist if the business fails.
Fast Forward to Today
I tell that story because I believe that history repeats itself regarding technology and security. No doubt, the specific hardware, software, operating systems, frameworks, issues, vulnerabilities and threats change daily. But whether we are talking about Wi-Fi, cloud computing, BYOD or even wear your own device (WYOD), the same fundamental challenge remains for technology and security professionals: are you bringing problems or solutions?
BYOD brings very real security problems for enterprises, including the risk of sensitive data being lost, stolen or misused. The implementation of BYOD programs is complex, just like Wi-Fi and cloud programs before it. New policies, procedures, training and perhaps even a culture change are likely to be needed.
Nevertheless, the BYOD boat has left the dock. Are you on the boat – or waving at the boat with both hands from the shore?
There are real questions around what is coming next, and many signs point to IoT. For example, pay attention to the new wearables. We need to prepare now. There is an urgent need to ready infrastructure, security and mindsets for the new normal, which is already trickling into our environments now – with a flood of new devices coming soon.
Where to Begin?
Many organizations are likely well down the BYOD road. Others who have been holding off may wonder where to begin.
I think the first key is an honest assessment of your enterprise networks. Answer these questions:
1. Who is really using mobile technology? (Don't just include staff who are formally authorized)
2. How are they truly using mobile devices? (Include both company and personally-owned equipment in your fact-finding mission)
3. What data is being accessed on what devices? (Personal and company)
4. What policies are in place, and are they being followed?
5. What controls and protections are in place for sensitive data?
6. What helpful, relevant, engaging training is provided (and taken)?
7. What’s coming next? Are you prepared for next-generation people, process & technology?
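Questions 1, 3 and 5 above can only be answered with data rather than assumptions. The following added example (not code from the original post) shows the kind of reconciliation a security team can run to get that honest assessment: a constructed access log is parsed and checked against a managed-device inventory, a list of users formally authorized for BYOD, and a path-based data classification, to surface who is really using mobile devices, which of them are outside the formal program, and where sensitive data is being reached from unmanaged equipment. Every log line, device id, user name, path and classification rule here is constructed for illustration.

```python
"""Added example, not from the original post: reconcile a constructed
access log against a managed-device inventory to answer the assessment
questions above (who is really using mobile technology, on which devices,
and what data they reach). All identifiers below are constructed."""
import re
from collections import defaultdict

# Constructed sample log lines: <ISO timestamp> user=<id> device=<id> ua=<platform> resource=<path>
SAMPLE_LOG = """\
2016-03-01T08:02:11Z user=alice device=MDM-0017 ua=iOS resource=/hr/payroll/export.csv
2016-03-01T08:05:42Z user=bob device=PERSONAL-A1 ua=Android resource=/intranet/news
2016-03-01T08:07:03Z user=carol device=PERSONAL-B7 ua=iOS resource=/finance/q1-forecast.xlsx
2016-03-01T08:09:55Z user=bob device=PERSONAL-A1 ua=Android resource=/hr/payroll/export.csv
2016-03-01T08:12:30Z user=dave device=LT-4402 ua=Windows resource=/finance/q1-forecast.xlsx
2016-03-01T08:15:10Z user=alice device=PERSONAL-C3 ua=iOS resource=/intranet/news
"""

# Constructed inventory: devices enrolled in management, users formally authorized for BYOD
MANAGED_DEVICES = {"MDM-0017", "LT-4402"}
BYOD_AUTHORIZED_USERS = {"carol"}
MOBILE_PLATFORMS = {"iOS", "Android"}

# Constructed classification rules: path prefix -> sensitivity label
CLASSIFICATION = {"/hr/": "sensitive", "/finance/": "sensitive", "/intranet/": "public"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"ua=(?P<ua>\S+) resource=(?P<resource>\S+)$"
)


def classify(resource):
    """Map a resource path to a sensitivity label via the prefix rules."""
    for prefix, label in CLASSIFICATION.items():
        if resource.startswith(prefix):
            return label
    return "unclassified"


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def assess(text, managed=MANAGED_DEVICES, authorized=BYOD_AUTHORIZED_USERS):
    """Answer the assessment questions from the log.

    Q1/Q2: which users are on mobile platforms, and on which devices.
    Q1:    which mobile users are on unmanaged devices without formal authorization.
    Q3/Q5: which sensitive resources were reached from unmanaged devices.
    """
    events = parse_log(text)
    mobile_users = defaultdict(set)
    unauthorized_mobile_users = set()
    sensitive_on_unmanaged = []
    for e in events:
        is_mobile = e["ua"] in MOBILE_PLATFORMS
        is_managed = e["device"] in managed
        if is_mobile:
            mobile_users[e["user"]].add(e["device"])
            if not is_managed and e["user"] not in authorized:
                unauthorized_mobile_users.add(e["user"])
        if not is_managed and classify(e["resource"]) == "sensitive":
            sensitive_on_unmanaged.append((e["user"], e["device"], e["resource"]))
    return {
        "mobile_users": {u: sorted(d) for u, d in mobile_users.items()},
        "unauthorized_mobile_users": sorted(unauthorized_mobile_users),
        "sensitive_on_unmanaged": sensitive_on_unmanaged,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed log, the report shows alice using both a managed and a personal phone, bob and alice on mobile devices outside the authorized list, and payroll and forecast files being opened from personal devices. That last list is the one to take to the policy and controls discussion in questions 4 and 5: it is evidence of actual usage, not a guess about it.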
Enable Secure Solutions
There are many great vendors with free mobile data security case studies and examples that can help you in your BYOD journey. But whether you are a BYOD naysayer or a WYOD early adopter, I strongly encourage you to think again about enabling secure solutions to equip your business to be innovative and grow.
Yes – do your homework. Get help. Build in security. But don’t “just say no” to BYOD, the Internet of Things (IoT) or other new technology. Or... you will regret it professionally.
Become a trusted adviser who leaders will turn to for answers regarding security.
You can follow Dan Lohrmann @govcso
An earlier version of this blog originally appeared online at: https://www.infosecurity-magazine.com/opinions/byod-is-the-new-wifi/
Key Training Solutions .NET
8 years ago
Fantastic article! Thought-provoking for the no-BYOD community. Better to educate so your company can grow innovatively!
Principal Consultant at Bloomfield Technology LLC
8 years ago
Great article. BYOD with a good company policy, secure practices and end user education can work. The cloud SaaS solutions are changing the way we think of security and vulnerability. Multiple devices are the norm at most workplaces and it is critical to address how we protect the data. Even our user base has changed. It's not just about the employee security practices anymore. With e-commerce environments, customers, vendors, contractors, employees and the general public can all be considered users of your data accessing through multiple devices.
I perceive, Dan, that too many people think that BYOD = MDM. We're fast moving from protecting the device to protecting the data, the application access, and the "identity" (or user). I wrote about this exact topic back in the spring... https://iworkstech.com/how-to-break-up-with-your-psychopathic-mdm-girlfriend-without-her-burning-down-your-byod-house/
Rev Ops Director
8 years ago
Great article. Organizations are either struggling with or don't even realize the magnitude of the problem with BYOD as the biggest threat vector today. So few companies we talk to today have any real visibility of who or what is connected to their enterprise and what they are doing.