I received an invite to listen in on a webinar tomorrow by the folks at Zscaler. Featuring Rick Holland of Forrester, the webinar will focus on the bring your own device (BYOD) approach compared to the "here is your own device" (HYOD) approach. The BYOD wave has been a nightmare for many a security and IT admin for years. With no control over what devices are accessing the network, we have no control over how data may be viewed and used. We have little-to-no control over the security of these usually mobile devices.
The first approach by security folks was the usual "no, you can't use that," which hasn't worked so well in the past. I remember saying that when wireless networks first started popping up at offices. I remember it when Facebook and other social media networks started. Heck, I remember when surfing the web first started and security folks said no, that is not secure, let alone a productivity killer. Each and every time, trying to stop these trends was like shoveling sand against the tide. You are just not going to stop it.
So, now realizing that we are not going to stop the invasion of mobile devices onto our enterprise networks, we are instead saying it is OK to use mobile devices, but only the ones we give you. Someone somewhere must have done an analysis showing that providing "approved" devices is actually less costly than the risk and losses that BYOD could bring. It is as if IT and security folks are learning from past mistakes and trying to offer a palatable alternative to BYOD. But will HYOD blunt BYOD? If not, it is just another shovel of sand against the tide.
First, let's consider why HYOD may be attractive to BYOD users.
1. I don't have to pay for my device. Hey, this is powerful. I don't have to lay out five or six hundred dollars for that iPad or even a thousand for that Surface Pro tablet. My company is actually going to hand it to me.
2. I can go to my IT guy for support. Don't underestimate this one. I no longer have to worry about not being able to connect, whether I should upgrade to the latest updates, conflicts between apps and all the rest. I have a free support person I can go to with any problems.
3. Of course it works with all of my business apps. If your company gave it to you, they already checked to make sure it works on your network and that it supports all of the apps you need to get your job done. Not much sense giving you a phone or tablet that doesn't work on your company email or let you access company-specific applications.
4. I can use this for my personal stuff, too. This was a great thing about using a company-owned phone. No sense in carrying around two phones (though many of us did). I can use this company-owned device for my personal needs, too. I am not going to put this tablet down when I want to go on Facebook and use my own. I will wind up using this device as my own and, while I will use it for company business, I will get plenty of personal use out of it too. Yes, the IT guy says we really shouldn't, but he can't be serious, can he? What is the sense of having this cool new tablet if I can't use it? Should I have a list of contacts with only work people on it? Should I not be able to read the news, Tweet, etc. on this thing? Of course, they know I am going to use it for personal use too.
Now, why HYOD cannot replace BYOD.
1. Big brother is still watching. Perhaps the biggest reason is the feeling that these devices are just another tool for control by my employer. They can see how much time I spend on work-related matters and how much I use the device for personal use. They can control where I go, what I see and who I talk to.
2. I don't want a fu#%ing Blackberry. If I wanted some dorky, useless device, I would have bought one. I want the cool new toy. I also don't want the Wi-Fi-only model or the puny 8 gig version, either. The great thing about BYOD is I decide what device I want to use.
3. Don't limit my apps. If you give me a device, are you going to lock down the UI and what apps I can use? Part of the attraction of BYOD is I am the admin again. There are millions of apps out there; I don't want to ask permission to use the ones I want.
4. IT'S ABOUT FREEDOM. This may be the hardest one for IT and security folks to grasp. BYOD is about freedom and choice. Carrying around the company-owned device in that stupid hip holster may be OK for auditors at E&Y or something like that, but most of us want to march to our own drummer. We may be Mac fan boys, Android lovers or even Microsofties, but whatever we are, we want the freedom to choose what device we want to use. The mobile device we use is going to be used for a lot more than work-related stuff. It is an important part of our life. We want the ability to pick what device we use.
So, in my mind, while HYOD is a better response than just saying no to BYOD, at the end of the day it doesn't replace BYOD. Yes, there may be industries and companies where HYOD is the only choice. Our device or no device. But I think those are the exceptions, not the rule. People want to be free, and that includes picking what device you use.
So I will listen in to the webinar tomorrow, but in my mind it is going to be hard for HYOD to blunt the BYOD revolution.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.