BYOD: 'I don't think we can put the genie back in the bottle'
NEW YORK—"Bring your own device" may be a term now familiar with many, but that doesn't mean it's any less hairy for a company's IT organization.
That's the consensus of three technology executives—Fujitsu America CIO Tim Branham, VeriSign CSO Danny McPherson and BlackBerry Security VP Scott Tozke—speaking here this morning at the Bloomberg Enterprise Technology Summit.
Their discussion with Bloomberg News reporter Michael Riley spanned a number of topics; below is an abridged version of their exchange, edited and condensed for clarity.
Branham: The explosion of options available to my users has forced our organization to look constantly at how to better support our user community. How can we provide them that choice, but protect our corporation, data, culture, way of doing business? It's choice that's driven [BYOD adoption].
Take Fujitsu headquarters in Tokyo, Japan, for example. That's an older organization, and only recently have they released e-mail to personal and mobile devices—because of culture. In North America, there are completely different expectations. It's expected to receive communication in any number of ways.
McPherson: Any device in an enterprise, or application used for corporate communication, is under providence of the regulatory framework that we're captive of. Where does that data live? What are the transmission mechanisms? The biggest balance is helping people work securely and more effectively than my daughter at school.
Totzke: Post-2008, there was a bit of an economic driver—a way to drive costs out of the business. But there's now device diversity—give the employee the tool to do their job—and a generational thing, Millennials in the workforce who have grown up with technology and expect to use tools how they want, when they want. How do you manage it? Control it? Avoid putting your company in a position where you're [in violation of] regulatory requirements or losing a competitive edge?
The industry needs multiple solutions across multiple platforms. That's a challenge -- there's no consistent bar across platforms for security and manageability.
Branham: We need layered products to protect ourselves. There needs to be some controls in place to mitigate our own risk.
[At Fujitsu] we use the OS standards, but we give guidance. We know there are trapdoors. We're going to point them toward BlackBerry, Android, Apple devices. We want to give them good practical advice and point them to the right tools. But we're not going to say you can only use Android or BlackBerry. That puts us back at the beginning.
McPherson: We give devices out. We have mobile application management tools. There's no expectation of privacy on those devices, or that they own anything on that device. That's why we give them out.
We're making leaps and bounds now but we're certainly [in early days] with what our legal team is comfortable with. Move cautiously and deliberately.
Totzke: We've got a really complicated legal landscape emerging around how you investigate a device. How do we manage this in a practical sense, beyond the technology?
McPherson: There are a lot of challenges to be considered.
Like our desktops and servers, we assume those devices are going to be compromised. How do you gain access to valuable resources to protect the company?
Branham: We always assumed that BlackBerry made the most secure devices. But Android and Apple [are very popular], and so we have to mitigate that.
Totzke: There's the use of consumer services in enterprise context, like using Siri to dictate a document. Where does that data live? These services are becoming part of what all these devices have. There's a tremendous risk that goes along with BYOD. I don't think we can put the genie back in the bottle. But the consumer services change our risk profile. And that risk is growing.
The consumer cares about the absence of security as it impacts them, but it's not really top of mind. For us, it's mission-critical. We have to change from "no" -- turn things off, disable functionality -- and turn it into an enabling function. That's a different mindset than we've seen over the last five or six years.
Branham: My user base is probably 150 percent on devices—if they truly want more than the policy will allow, they will just have another device that doesn't have access to corporate services. They're OK with that separation. But for just carrying that single device, it will be a combination of policy, [policing] and awareness.