Friday, July 13, 2012

A Note on BYOD: A Case Study

Can BYOD (Bring Your Own Device) work? Can we secure a BYOD strategy? The answer is yes to both, but as with all changes and new approaches to technology, there are basic rules that apply and always will. I will cover the rules as I see them, but keep in mind as you read this that industry and culture change things somewhat. I also want to discuss a couple of fictional company case studies.

Rules of new technology approaches:
First, you must ask yourself a few questions:
1) What is driving the change? Cost reduction? Personnel reduction? A strategic direction? Workforce retention?
2) Are there regulatory or customer drivers for the change (or the opposite - reasons you shouldn't make the change)?
3) Where is the change coming from? Senior leadership? Writing on the men's room wall?
4) What is the impact of the change, and how will the change impact the culture (or how will the culture impact the change)?

Once you understand the drivers, you can apply the rules:
1) Efforts like this (changing approaches to technology and security) MUST HAVE TOP DOWN SUPPORT! The "tone from the top" is imperative to make transitions successful. There will always, always be naysayers (some with a high rank) who can derail plans.
2) Understand the scope of the change and the types of users it will affect.
3) Ensure that a proof of concept is conducted and all types of users are included. Troublesome end users are best, and the higher in the food chain you go - the better.
4) Evaluate security policy to ensure there is no conflict and to see if new policies are required.
5) Do not institute BYOD as a cost-savings initiative - there are no savings. This is an initiative that should be used as a retention tool or a way to bring top talent to your company (if you think this will work).

This is not an all-inclusive list, but it will get you started as you begin to contemplate how to address BYOD.

CASE STUDIES:

The way it shouldn't go:
Picture for a moment a company that doesn't have to contend with financial or medical related regulations. This company wants to institute a BYOD program to create an image as a cutting-edge company to work for, and also because there are competitors who have instituted programs like this. A conversation between the CEO and CIO takes place, and the CIO starts asking questions and telling people "we should head in this direction". No one has actually raised their hand or said "I own this and this is what we are doing". There has been no funding set aside and no objectives aligned with a BYOD initiative. It is an ad-hoc undertaking with no leadership and no person accountable. In this scenario there are pocket initiatives, and none of them will be successful without a great deal of pain.

The way it should go:
Same type of company (or not). The CEO has a conversation in his staff meeting about BYOD at their company and asks for pros and cons. Get consensus and add objectives for each of the CEO's direct reports to do their part.
A) Policies are evaluated for changes and impact
B) IT evaluates a COMPLETE solution and funding is allocated - if it is important enough, it should get funded
C) Other VPs agree that no employees will use personally owned devices until a solution is in place
D) Communications should go out informing end users of the future approach

Conclusion:
There are many approaches to BYOD. The factors in a successful new approach to an IT service are leadership, the approach from leadership and company culture. I have developed a BYOD solution that uses a combination of VDI, web services and client-based certificates to identify "Authorized" endpoints. The main theme is to keep the "enterprise" separate from the "personal" content. As I mentioned, there are a number of political, organizational and technical approaches, but top down support is required to achieve a successful BYOD solution.


