CSO Security Standard, lesson two: Embrace IT consumerization

Barry Caplin, CISO for the State of Minnesota Department of Human Services, says there's no running from the tidal wave of consumer technology in the enterprise. Better to ride the wave instead.

Next up at the CSO Security Standard this morning is Barry Caplin, CISO for the State of Minnesota Department of Human Services. His message: Stop fighting against IT consumerization and make it work.

Mobile devices have been with us for quite some time, he noted. But everything changed on April 2, 2010, when Apple unveiled the iPad. By the middle of last year, for the first time, tablet and smartphone sales outpaced those of PCs.

"Mobile, cloud computing, IT consumerization and social media are all connected. We can't approach them as separate things," he said. "What businesses need more than anything is mobility, the ability to bring information out to the customer, wherever they may be. To that end, you need to be able to work with consumer devices."

It used to be that you could just say no and it worked, he said. Not any more.

One day two and a half years ago, Caplin recalled, he got a phone call about how two people were in a meeting taking notes on iPads. He was caught off guard, but had to figure out how to make the use of iPads and other devices work. He couldn't just say no. He entered what he called the five stages of tablet grief:

1.) Surprise

2.) Fear

3.) Concern

4.) Understanding

5.) Evangelizing

Once he reached stages four and five, Caplin said, he had to address the potential exposure of data and the risk of malware. But it wasn't all that daunting, because, as he put it, "We already had these problems on other devices before. The goal was to take our existing controls and move them forward."

He described two areas to work on:

--Vetting flaws and patches

--Getting ahead of the legal challenges that come with people putting messages on Twitter and Facebook from their portable devices.

He has identified a lot of decent BYOD security solutions, including:

--Sync: over the network or over the air (OTA)

--VDI: Citrix or similar

--Containerization: sandboxing, for example

--Avoiding direct connections: not allowing consumer devices to connect directly to the network

There's no need to reinvent the policy wheel, he said. If you have an acceptable use policy, just extend it to consumer mobile devices.

The big rule in the state's policy: No government records on the devices.

He ended by noting that younger up-and-coming employees have expectations that they will be able to use their personal technology for business. If they are told they can't, they will go work elsewhere. Enterprises need to be prepared for that.

Copyright © 2012 IDG Communications, Inc.