BYOD: 'I don't think we can put the genie back in the bottle'

Summary: Executives from Fujitsu, VeriSign and BlackBerry discuss the business impact of the "bring your own device" trend at the Bloomberg Enterprise Technology Summit.

NEW YORK—"Bring your own device" may be a term now familiar to many, but that doesn't mean it's any less hairy for a company's IT organization.

That's the consensus of three technology executives—Fujitsu America CIO Tim Branham, VeriSign CSO Danny McPherson and BlackBerry Security VP Scott Totzke—speaking here this morning at the Bloomberg Enterprise Technology Summit.

Their discussion with Bloomberg News reporter Michael Riley spanned a number of topics; below is an abridged version of their exchange, edited and condensed for clarity.

Branham: The explosion of options available to my users has forced our organization to look constantly at how to better support our user community. How can we provide them that choice, but protect our corporation, data, culture, way of doing business? It's choice that's driven [BYOD adoption].

Take Fujitsu headquarters in Tokyo, Japan, for example. That's an older organization, and only recently have they released e-mail to personal and mobile devices—because of culture. In North America, there are completely different expectations. It's expected to receive communication in any number of ways.

McPherson: Any device in an enterprise, or application used for corporate communication, is under providence of the regulatory framework that we're captive of. Where does that data live? What are the transmission mechanisms? The biggest balance is helping people work securely and more effectively than my daughter at school.

Totzke: Post-2008, there was a bit of an economic driver—a way to drive costs out of the business. But there's now device diversity—give the employee the tool to do their job—and a generational thing, Millennials in the workforce who have grown up with technology and expect to use tools how they want, when they want. How do you manage it? Control it? Avoid putting your company in a position where you're [in violation of] regulatory requirements or losing a competitive edge?

The industry needs multiple solutions across multiple platforms. That's a challenge -- there's no consistent bar across platforms for security and manageability.

Branham: We need layered products to protect ourselves. There needs to be some controls in place to mitigate our own risk.

[At Fujitsu] we use the OS standards, but we give guidance. We know there are trapdoors. We're going to point them toward BlackBerry, Android, Apple devices. We want to give them good practical advice and point them to the right tools. But we're not going to say you can only use Android or BlackBerry. That puts us back at the beginning.

McPherson: We give devices out. We have mobile application management tools. There's no expectation of privacy on those devices, or that they own anything on that device. That's why we give them out.

We're making leaps and bounds now but we're certainly [in early days] with what our legal team is comfortable with. Move cautiously and deliberately.

Totzke: We've got a really complicated legal landscape emerging around how you investigate a device. How do we manage this in a practical sense, beyond the technology?

McPherson: There are a lot of challenges to be considered.

Like our desktops and servers, we assume those devices are going to be compromised. How do you gain access to valuable resources to protect the company?

Branham: We always assumed that BlackBerry made the most secure devices. But Android and Apple [are very popular], and so we have to mitigate that.

Totzke: There's the use of consumer services in enterprise context, like using Siri to dictate a document. Where does that data live? These services are becoming part of what all these devices have. There's a tremendous risk that goes along with BYOD. I don't think we can put the genie back in the bottle. But the consumer services change our risk profile. And that risk is growing.

The consumer cares about the absence of security as it impacts them, but it's not really top of mind. For us, it's mission-critical. We have to change from "no" -- turn things off, disable functionality -- and turn it into an enabling function. That's a different mindset than we've seen over the last five or six years.

Branham: My user base is probably 150 percent on devices—if they truly want more than the policy will allow, they will just have another device that doesn't have access to corporate services. They're OK with that separation. But for just carrying that single device, it will be a combination of policy, [policing] and awareness.

Topics: CXO, Consumerization, Mobility

Andrew Nusca

About Andrew Nusca

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. During his tenure, he was the editor of SmartPlanet, ZDNet's sister site about innovation.

Talkback

9 comments
  • Star Trek

    Was said: "McPherson: We give devices out. We have mobile application management tools. There's no expectation of privacy on those devices, or that they own anything on that device. That's why we give them out."

    Reminds me of the Borg on Star Trek.
    noibs-0cf43
    • Yeah

      He definitely had a bit of a tougher stance than the other two panelists.
      andrew.nusca
    • Humm, that's not BYOD . . .

      BYOD is "they bring devices in," not "we give devices out" . . .

      Sounds like Verisign isn't using BYOD.

      Which is fine with me - I don't think BYOD is for everybody.

      Even in a BYOD business, I'm likely to just buy a separate device for work. I don't really plan on using my personal device for work.
      CobraA1
    • At least

      he is being honest.

      This is the first time I've seen a ZDNet blog that even bothers to scratch the surface about what the implications are for the company with BYOD.

      BYOD is very dangerous, if the company doesn't have policies in place. Especially in heavily regulated industries, like medical, food, medicine, chemical, communication and most manufacturing industries. If that information is loaded on private devices and ends up outside the company, the company can find itself in hot water very quickly.

      A lot of those restrictive IT policies are there, not to aggravate the users, but to ensure the company doesn't get sued out of existence or the CEO banged up for a data breach.
      wright_is
  • Mp3 Begins

    nice post dude i like your writing style ..
    Mohammad_usman
  • BYOD warning signs in 2011...

    BYOD has long been an area that I have cautioned my clients about... before it was even "big" (I remember my team being concerned that #BYOD - was coming up in search engines as "bring your own dog" and not wanting us to position as an upcoming trend...) The warning signs were all there. http://blog.redemtech.com/2011/09/byod-to-bring-or-not-to-bring.html
    Barbara Scott
    • It isn't bring your own dog?????

      That explains a lot!
      Right, I need to go and mention this to our CIO. I wonder if we can cancel the hounds we've ordered for those that didn't want to bring their own dog.
      Little Old Man
  • If you want security, BYOD will have to go!

    Look at yesterday's news where someone's Twitter account got hacked and wreaked billions of dollars of havoc on Wall St.

    You CANNOT have privacy and security at the same time, one has to go. If I were an enterprise CIO you can be damn sure that BYOD would be banned, plain and simple. Is it really worth saving a few dollars to put your HBI data at risk???
    omdguy
  • If a company is involved in litigation

    Your phone and personal information might be confiscated. Where is this in the discussions of BYOD?
    If a company is involved in litigation — civil or criminal — personal cellphones that were used for work email or other company activity are liable to be confiscated and examined for evidence during discovery or investigation.

    Rule 34 of the Federal Rules of Civil Procedure
    http://www.law.cornell.edu/rules/frcp/rule_34

    http://redtape.nbcnews.com/_news/2013/04/23/17864332-use-your-personal-smartphone-for-work-email-your-company-might-take-it?lite
    mgdvt