Strategic CIO // IT Strategy
News
6/9/2014
11:50 AM
BYOD: Build A Policy That Works

To secure employee-owned smartphones and tablets, it takes a practical, enforceable set of guidelines.

Download Dark Reading's June Tech Digest on BYOD policies, distributed in an all-digital format (registration required).

Requests from employees to use their own smartphones, tablets, and other devices for work are now about as inevitable as a quarterly P&L statement. The question for most organizations is how well the company aligns that employee urge with its data protection strategies.

While it's common for businesses to invest in mobile device management and mobile application management tools, they frequently fail to apply those tools effectively to user-owned mobile devices. While 65% of businesses say they allow for bring-your-own-device programs, according to a recent report from analyst firm ITIC, 43% have no designated BYOD security policies.

Using even the best mobile device management and mobile application management tools without a BYOD policy document won't work. A BYOD policy document serves as the bedrock for solid security enforcement and a backstop for legal protection. Without the policies in place, IT is forced into an ad hoc approach to managing device activity and user access, which could keep the BYOD program from supporting business goals such as improving sales teams' efficiency.

Lack of a policy also may leave the business exposed to unnecessary legal risk, if the company isn't transparent with employees about how it's monitoring employee data and doesn't check for any conflicts with privacy laws.

What's more, establishing BYOD policies and educating employees on them is an effective way to make sure that leadership and the rank and file are all clear on the company's position about access to corporate information on personal devices and on what people can and can't access.

"The most important aspect of a policy is transparency," says Garrett Larsson, co-founder and CEO of Mojave Networks, a network-level mobile security company.

Ideally, a BYOD policy document provides a framework that lays out the responsibilities and rights of the company to manage its corporate data on employee-owned devices, as well as the responsibilities and rights of employees when they're using personal devices for work. "If you don't lay those out, then there's a whole bunch of question marks hanging in the air," says Nicko van Someren, chief technology officer of mobile device management firm Good Technology.


Getting Started

As your company sets out to develop realistic and enforceable policies, one of the first considerations is who will draft the document and which stakeholders will get a say about its contents. Without a well-rounded group participating in the process, the company risks committing to a set of measures not grounded in reality.

IT and legal departments should play a leading role in developing the policies, with guidance from the executive committee and human resources. Before they put pen to paper, though, these stakeholders need to build a consensus about their goals. Do that or you'll have a compliance document that looks good on paper, but "it will never get enforced because it's not built from the ground up," says Adam Ghetti, founder and CTO of Ionic Security, a unified data and mobility platform vendor. "Time and time again, we see top-down directives from compliance and legal with a little bit of IT involved."

Instead, it's important to have midlevel line-of-business managers at the table contributing, and to consider some sort of straw-poll input from employees who will feel the impact of new policies. "It's very easy to come up with a policy that satisfies legal and IT but makes employees very unhappy," says Good Technology's van Someren. "I think it's important to get feedback from all of the different constituencies who are subject to this policy."

Companies may find it hard to aggregate all those concerns into a single comprehensive policy statement, but that's OK. In fact, most companies should break up policies and practices along lines such as departments, types of data accessed, geographies, and user groups. The best BYOD policy documents don't force all-or-nothing regulations on a wide base of users.

"BYOD may only make sense for a portion of your business or employees," says Marc Maiffret, CTO for BeyondTrust, an account management and vulnerability management firm. There will be certain employees who don't need the luxury of accessing corporate data via their personal devices, or executives who may need data that's too high risk to allow access via BYOD, says Maiffret. Adds van Someren: "What's appropriate to do with engineering data is different than what it's appropriate to do with sales data, which is different from legal data."

To read the rest of this story,
download Dark Reading's June Tech Digest on BYOD policies, distributed in an all-digital format (registration required).
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
rgrapes,
User Rank: Apprentice
6/9/2014 | 1:13:10 PM
Why BYOD policies are necessary.
The necessity, design intent and legalese of BYOD policies is due in large part to the limitations of current mobile devices to isolate apps and data from each other. Today, we download and mash together all of our apps and data onto a single homescreen (or two). Some of us are organized enough to create app folders, or additional screens into which we place our apps. But the fact remains that these apps and data all share the same storage location and device memory, so our corporate information is sharing the same device space as our personal data. What if we could isolate corporate apps and data from our personal apps and data ... and as device owners permit our IT group to see and manage only the corporate apps and data. After all, it is our device and IT is a guest on our device.

MDM products are not security products, they are device management products. Some MDM products provide lock & wipe features but many are device-wide lock & wipe functions while some provide "Enterprise wipe". But from a security perspective the apps and data are all co-resident. If the User downloads a malicious app then the corporate information could be at risk.

A security product would create strong separation or isolation of the apps and data for each context of the users life: work, play, parenting, finance, health, etc. And for BYOD, would allow the device owner (user) to be in control of those isolated spaces. Sure, they can delegate the management of the Work space to a 3rd party like their IT admin. In this way the corporation gets what they want: security and control over corporate information while the device owner gets what they want: personal privacy and the convenience to use their mobile device exactly the way that they want.

Personal disclosure: I work for a software security company that creates a system-level virtualization/containerization solution that solves the BYOD issue and multiple other consumer use cases. I am simply concerned that corporations and employees are suffering through these complex policies and processes to compensate for inadequate mobile device capabilities. Rather we should be telling the device manufacturers that their phones need to support all of our desired use cases: work, play, sharing, banking, shopping, etc. 

My hope is that next generation mobile devices permit their use across all the various contexts of a person's life ... not just work and play.