Just say yes: Why banning consumer devices makes your organization less secure

Still saying no to employees using iPads, iPhones and other consumer devices on the company network? Al Raymond of PHH Corporation explains why this policy is actually putting your security in peril

By Al Raymond

May 09, 2011 | CSO

I was having a conversation with another fellow security professional at the CSO Perspectives seminar a few weeks ago and he used the word "disintermediation" to make a point about his website. We had a bit of a chuckle about how that word was used (rather, overused) during the dot-com days. The context back then was that the new, online world was going to obsolesce the traditional world of bricks-n-mortars through the "disintermediation" process of cutting out the no-value-adding, costly infrastructure of middle-men.

This got me to thinking about the topic I was speaking about at the conference: the way to bring about a culturally acceptable balance between security and the use of consumerized IT. That is, how could IT departments allow users to bring and use their own equipment in the work environment and still maintain a modicum of security and privacy?

Why is this issue even a concern? In this cost-conscious environment where businesses are constantly being pressured to reduce expenses as much as possible, doesn't consumerized IT actually make sense?

In some ways, yes. The primary downside of this veritable technological tsunami is the impact it has had on the dynamic between the typical user and the IT department. Users (especially C-level types) bring in the new iPad, iPhone, Droid, Xoom, etc. that they got for Christmas and expect it to be hooked up to the company network, and that demand inevitably highlights the tension with traditional IT resistance to allowing unknown/untrusted devices into the inner sanctum. The risks are obvious and myriad. These risks have led many organizations to firmly resist consumerization by restricting personal devices/consumer electronics in the workplace.

I argue that regardless of the formal or informal position of the IT department, or even the company policy in general, this faction of users is growing and is in fact disintermediating the IT department by working around them to get their devices to work at work. The "Just Say No" position of many IT departments is in fact making the company less secure overall, as it is causing employees to circumvent the rules and blockades put up and kept in place from years past.

The driver of this form of insubordination is clear: these days, the boundaries of a company's information network are not as clearly defined as they were in the recent past — the mobile phone is now the mobile office, for example. The ultimate objective of consumerization is simply work and personal life converged onto a single device. There is no longer credibility in walking around with five devices clipped to your belt, looking like something out of Batman Beyond. Today, if you walk into a meeting and plop down more than one device on the table, you are immediately branded a dinosaur.
