Striking a Balance: BYOD in the Corporation
By CTU Faculty
I’m writing this post from the Next Generation Security Summit (NGSS) in Austin, TX. The event brings together about 100 senior executives, in particular the chief information security officers (CISOs), from corporations around the country. Are you curious to know the #1 priority on their minds? CISOs want to know how the proliferation of mobile devices impacts security and compliance. More specifically, how should organizations manage the Bring Your Own Device (BYOD) issue?
Companies are faced with a tough situation. On the one hand, they have a sincere interest in their employees’ right to use mobile devices. But on the other hand, organizations are responsible for protecting the integrity and privacy of their data, which means compliance with the law and applicable regulations, as well as the use of simple common sense. So while employees wish to fully exploit the power and convenience of these devices, companies wonder if denying access is the right solution. Fortunately, most companies want to do better than that.
At this stage of industry maturity, most companies that are not subject to the extreme security and regulatory requirements you might find when contracting with the Department of Defense, for instance, are making plans to handle security. In the meantime, employee-wide mobile device use is acceptable – for now. As a result, there are no established processes preventing remote access to sensitive data at the fingertips of employees. If an employee downloads private information to a mobile device that is stolen, then that sensitive data is vulnerable. While this occurrence isn’t materially different than downloading the same data to a home computer or laptop, the portability of a mobile device creates far greater exposure for the company.
Thus, organizations that permit BYOD access to corporate data are recognizing this exposure and are looking for ways to mitigate the risk involved. One interesting idea presented at NGSS was the notion of partitioning the data space of the mobile device, enabling data downloaded from company servers to be held in a separate, encrypted and password-protected area.
At this point in the game, CISOs are aware of the issue, and that’s a great first step. Next will come creative solutions that will develop more fully as mobile devices continue to gain traction. It will be interesting to see how the balance between availability and security evolves over time. I’m curiously following how the security and compliance issues inherent in BYOD are being addressed with new technologies, and I’ll share them with you as it all unfolds.
Image credit: Flickr/Maaco