CIOs, CSOs must evolve with consumerization, BYOD

Summary: Instead of locking down the company's IT environment, these C-level executives' mindsets need to change to encourage flexible, productive work styles yet still secure sensitive apps and data.

CIOs and CSOs have yet to evolve to better cope with ongoing enterprise trends such as IT consumerization and bring-your-own-device (BYOD), resulting in inadequately secured backend systems which also hamper employees' productivity.

Kurt Roemer, chief security strategist at Citrix, said it is a "big concern" how CIOs and CSOs are managing their IT environments, given that many are still stuck on old models and mindsets with regard to architecture and management. They do not understand how apps, data and networks are being used by employees to be productive and improve the way businesses can be run, he said.

In an interview with ZDNet Asia Wednesday, Roemer said these C-level executives then try to maintain control over their IT architecture because it has worked for the past decade, and do not recognize that securing access to corporate data is now more important.

This shift of priorities has come about because employees have redefined companies' IT architectures and environments by using their personal devices and apps for work purposes, he elaborated.

However, many organizations still allow employees to have access to a large amount of corporate data without implementing the appropriate security controls, he pointed out. For example, when a new worker joins the company, he or she can easily log in and gain access to all internal and external applications regardless of the person's position or job scope.

"If CIOs and CSOs continue with their existing architecture and plans to make absolutely no updates, then consumerization and BYOD becomes a huge security threat," Roemer said, adding that these executives will soon find their roles becoming increasingly irrelevant.

Beyond BYOD and consumerization, cloud computing is another development that is forcing changes on the part of CIOs and CSOs, the executive said. Cloud services are often not introduced by companies' tech departments but by business units and end users who have been frustrated by existing IT systems.

In this area, though, the CIOs and CSOs are showing signs they recognize the need to balance productivity with security to compete in today's environment, he noted.

Granular architecture, flexible compliance needed

With these trends in the workplace, Roemer called on companies to develop a new business model that embraces both consumer technologies and a mobile work style.

Such an IT architecture must be granular enough to provide controls over mission-critical applications and data, meaning administrators can determine which employee can access these programs while keeping out the rest, he suggested.

Virtualization, for example, is useful for safeguarding sensitive information as it puts a "container" around the data sets, ensuring only authorized users can gain access. It then leaves the rest of the non-sensitive information open to other employees, thus striking a good balance, he said.

Other technologies include authentication and multi-factor access, instead of using passwords to protect the more sensitive information, Roemer added.

Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.

Talkback

4 comments
  • Another reason

    Another reason to choose BlackBerry 10 and its superior security and Balance feature of segregating personal and work activities.
    Susan Antony
  • Just throw out all controls

    Kurt Roemer, chief security strategist at Citrix, said it is a "big concern"

    Yeah a concern companies are not embracing services / solutions Citrix sells ...

    I swear the majority of BYOD is noise from vendors who have a big incentive for BYOD to be embraced.

    Here's the reality behind all the noise:

    Most employees don't care about using their own technology at work. Yes you have a vocal minority that want this but it's not large enough to endure all the policy and security expense to allow BYOD. Employees are wising up to what BYOD really is - a cost shift. To further add insult companies expect to restrict and lock down your device(s). And you wonder why most say No thanks.

    Another reality check is BYOD doesn't lessen your company's need to follow regulatory policies around corporate data. Sure it's easy to throw it all in a virtual container but that negates all the use of your shiny tech to a modern dumb terminal. That is NOT what people expect when they BYOD.

    Employees favor their own devices as they have no security and follow no compliance controls when using them. The simple answer is push all lawsuits and regulatory fines onto the employee as well.
    MobileAdmin
    • BYO wave initiated by workers

      The BYO wave was initiated by workers (users) bringing their personal devices to the work environment and either covertly figuring out a way to access enterprise resources or – if they were in senior management – outright demanding that IT support their devices. BYO is not a vendor invention – it's a worker initiated quest for greater productivity. A main point made in the article was to prepare for BYO, maintaining architectures and processes that allow for the defined and secured use of BYO computing. The BYO wave has already happened in many enterprises and if IT hasn't updated infrastructure to accommodate BYO, productivity and security can suffer.

      The primary noise behind BYO is not from vendors: it's from workers who want freedom of choice and from IT departments who need to maintain information governance.

      While statistics from industry surveys do show strong interest in employee-led BYO initiatives, the recognition of a cost shift is very astute. There are camps of employees who would have already purchased a suitable device for their personal usage that is also suitable for enterprise BYO use. There are also employees who do not wish to or cannot afford to purchase the computing necessary to perform their work functions. Enterprises need to be keenly aware of this and continue to offer enterprise-owned-and-managed computing, as well as stipends for BYO programs to ensure employees are productive and costs are appropriate.

      A requirement for device management, as mentioned, negates BYO. Any usage that must be strictly managed and controlled at the device level must be owned by the enterprise. BYO users can have access to apps, data and containers managed by the organization – but it's inappropriate for an organization to try to manage BYO to the same level that they manage enterprise-owned devices. That said, appropriate restrictions should be placed on BYO usage in these organizations so that an adequate risk profile is maintained that protects sensitive information. And, there's sensitive information that should never be resident on a BYO device in the first place and should either be restricted from BYO or delivered virtualized for enterprise control. There are also certain roles (and entire organizations) where BYO is not appropriate and should not be authorized, due to risks to the individual and the organization. Compliance and data governance can be maintained through a BYO initiative, but must have mature processes behind them.

      Organizations have a responsibility to deliver appropriate access to information across a wide variety of devices, while protecting sensitive information from loss or compromise and minimizing worker exposure to liability. Once again, BYO is not appropriate for all users and usage models, but those workers and enterprises who can enjoy the freedoms of BYO definitely benefit from it.
      Kurt Roemer
      • Thanks

        Kurt -

        Thank you for the great reply. At least you speak to both sides and acknowledge BYOD is still emerging and has pain points. The big thing is your last part - it's not for every employee and stipends open tax and compensation questions that need answers. So you have to weigh the cost and effort to provide these types of services for a small amount of employees. Granted these employees are likely your highest paid and driving company efforts but it's tricky.

        From my experience once you start restricting how a BYOD can work (data controls) or on device (MDM controls) they lose interest quick. Add the cost shift and your program is dead. We've been pushing our BYOD program for almost two years and have 1-2% adoption. Hardly the rush upper management envisioned.

        Not denying the shift is coming as companies saw savings pushing health care onto employees so technology is the next thing as let's face it - who doesn't have a PC or smartphone these days. To me it opens issues around standards and usage but we'll trudge through the next few years of pain as this matures.
        MobileAdmin