Don't adapt old IT security policies for BYOD: IBM

Summary: Many organisations are simply retrofitting existing IT security policies for mobile devices in the workplace, but they should really be formulating a BYOD policy from scratch, according to IBM Institute for Advanced Security director Glen Gooding.


Morphing existing IT security policies to accommodate bring your own device (BYOD) is the wrong way to address BYOD, according to IBM Institute for Advanced Security director Glen Gooding.

According to a recent report by data backup vendor Acronis, 57 percent of Australian organisations do not have a BYOD policy in place, and 33 percent of them do not even allow personal devices to access the corporate network.

For organisations that do have a BYOD policy, many are doing it wrong by merely adapting their old IT security policy for mobile devices, Gooding said.

"We're in a state of flux, where businesses are migrating existing security policies that have been embedded within organisations for a number of years now," he told ZDNet. "Many organisations are changing those existing policies, and trying to retrofit them to mobile devices.

"I believe the policies that are going to be more successful in defining mobile security policies are the ones that start from scratch and actually build a policy in and around a mobile-only concept."

Gooding said it is likely that the workplace of the future will be dominated by mobile devices, so taking the necessary steps to accommodate those devices now will benefit staff in both their work and personal lives. This is especially pertinent for BYOD, as workers use one device for both work and play.

"Defining appropriate mobile security policies from scratch now will educate users to make better decisions about how they use those devices in the future," Gooding said.

Spandas Lui

About Spandas Lui

Spandas forayed into tech journalism in 2009 as a fresh university graduate spurring her passion for all things tech. Based in Australia, Spandas covers enterprise and business IT.

  • BYOD Complexity

    Just because it's a personal device being used doesn't negate the data governance, compliance and regulatory controls around corporate data. So I'd like clarification on what policies should be ignored?

    The best policy for mobile right now is to containerize the corporate data. Either within an App, wrapping it or via virtual solutions. All of which impact the native functionality of why people want to use a mobile device.

    How, when and why data is used doesn't matter who owns the devices. Some data cannot leave certain regions due to other countries data and privacy regulations.

    Can all these vendors stop saying it's so easy, as it's not: the more you wish to secure the end point (usually a consumer grade device not meant for corporate usage), the more complex the issue becomes. The more you secure, the less personal the device becomes and the more quasi corporate liable - which makes the employee question why all this is needed, as well as lessening the appeal of using their own device.
  • Details?

    And what are these "new" security practices that can protect company data (including metadata such as internet links or email addresses, as well as confidential phone numbers) on EMPLOYEE owned devices, without restricting the PERSONAL security practices of those employees, or putting their personal data at risk of exposure to the company and at risk of loss if the company data must be erased from those personal devices? Or would these "new" security rules be for companies that DO NOT CARE about employee privacy, employee property rights, and the like? Companies that WANT to spy on employee personal communications? And want employees to buy with their own money what would then be treated as COMPANY owned hardware?

    The article teases with a statement that "different" security rules would be required, but different in what way? Or is this an advertisement to get managers to book a seminar or consultation with IBM to find out the details?
    • My phone, not yours Company

      The reasons you cite are the very reasons I have two smartphones, one personal and one work. As inconvenient as that is, it is the only way my personal device and contents can remain personal, and I can control its use and replacement without relying on my company IT staff to facilitate that. Also, I can benefit from the use of 2 platforms, Android and Windows 8. I just need one more pocket! And no BYOD policy required.
  • Article Explains Nothing

    This appears to be a nothing interview. I hate these types of interviews. They are one person asking questions, and the other person whinging.

    But being a +ve fellow, perhaps the point of the article is to get organisations who've been ignoring BYOD to sit up and do a bit of research.

    For anyone new to this issue, a good starting point is ASD. They have a paper on BYOD and a bunch of other issues. Check them out on No need to waste money on a big blue conference!

    BTW, I can't see smart phones and tablets completely replacing desktops, especially in the office. But they might replace laptops though.