There is a lot of talk around at the moment about organisations wrestling with people’s desire to use their own IT.
This is generally framed as a Bring Your Own Device (BYOD) discussion.
I was reading through some advice published by the UK CESG yesterday on End User Device Security and Configuration. This advice includes some comments on BYOD:
Whilst enterprise ownership of a device makes many information security aspects much simpler, it is not a prerequisite of this guidance. What is necessary is that the device is placed under the management authority of the enterprise for the complete duration it is permitted to access OFFICIAL information. Hence, a BYOD model is possible – although not recommended for a variety of technical and non-technical reasons.
To ensure information security when using devices not owned by the enterprise, the enterprise must take control of device management at the point of provisioning, ensuring that the device is placed into a ‘known good’ state prior to allowing it to access OFFICIAL information. Limitations of current technology mean that a ‘health check’ or ‘device status’ check is not sufficient to verify ‘known good’ – malware can easily subvert such a check. Instead the device must be returned to an understood state such as via a firmware reinstall or wipe to factory state and any existing configuration on it replaced. It is only by taking over the enterprise management of the device that an organisation is able to ensure that information security policies are being applied.
In other words – you can bring your own device if you like, but we are going to wipe it and place it under our management. Putting the relevance of this security approach to one side, it strikes me that this approach misses the true focus of BYOD.
The true focus of BYOD is not the D, it's the BYO. In order to accomplish what they are trying to do, people want to use what is familiar, what is flexible, what makes them productive and creative. The choice of device happens to be a tangible part of that, but it's only a part. Allowing people to choose the device, but then wiping it and placing it under central management, seems to me like a misreading of what people are really looking for.
This takes me to a quote by Theodore Levitt, Professor of Marketing at Harvard:
“People don’t want to buy a quarter inch drill. They want to buy a quarter inch hole.”
(HT to Stu Downes)
Traditionally we have lived in an IT world where the organisation defines both the tools and the outcome. Increasingly, though, employees are saying: "you define the outcome, let me define the tools". Organisations have spent so long defining the outcome by defining the tool that we've got a lot of change to go through before we successfully renegotiate the contract of delivery. But that's a subject for another day.
I can only imagine that public sector workers in the UK will flock to the BYO model given this level of control. I think the key benefit of BYO is primarily with knowledge workers and for them it is about being able to have their personal knowledge systems (apps, repositories, data) close to their corporate systems and data.
And herein lies the challenge. The users want the two sets of data close together; they actually want a permeable barrier between the two, with the understanding that one side of the barrier will go at the control of the enterprise.
I don't see many security risk leads who embrace the permeable idea. I can't see why, because in reality if you don't create a permeable barrier then those same knowledge workers simply ignore the walled garden they are supposed to work in and seek the freedom of the countryside – but watch out, they've got the seeds for next year's crop with them!