About a decade ago, the implementation of wireless networks was a very hot, even cutting edge, issue in computer security circles. But unlike the rest of the world that was getting excited about the new technology opportunities, security pros were the naysayers. The widespread mantra for CISOs at that time was: “WiFi is a bad idea.”
If you were a security leader back in the early days of 802.11, you were likely against implementation of wireless LANs in your enterprise. No guest accounts, no free Internet access in conference rooms, ban wireless cards in laptops and definitely no ubiquitous access around the company campus. Who would have thought that McDonalds would offer free WiFi around the world a decade later?
Oh yes, we had plenty of ammunition. Technology and security magazines were full of scary true stories about wardriving, fired employees who implemented unsecured wireless networks, and parking lot data breaches. White papers, reports from three-letter agencies and war-stories from friends around the country all confirmed that the job of information security leaders was to stop this horrible trend from becoming reality.
(No doubt, we still have some of these WiFi stories and discussions today.) However, very few in the security industry would now support banning WiFi – with the possible exception of some very restricted networks with classified data.
Back in my early days as a CISO, I played the “No can do” part very well. I even lead the “No WiFi” charge in the State of Michigan. In fact, I almost lost my job fighting WiFi adoption. (See problem and solution number one in this story of my CISO journey.)
Over time as Michigan’s CISO, I learned a hard lesson: My real job is to enable the business with the right level of security and compliance. My role was (and is) not to fight WiFi, or cloud computing, or new mobile devices or any other new technology trend. Rather, how can our organization adopt and secure innovative practices that the businesses want? How can we build trust with business executives? What options can improve security and meet customers where they are really at?
After WiFi – The Cloud was the Next Target
So what happened next to WiFi? How did WiFi become a normal part of our daily lives? What changed?
The technology offerings evolved. New security options emerged. Slowly, security pros warmed to the idea and even started to lead the efforts to secure WiFi in enterprises. Along the way, there were articles that warned of problems yet still offered hope and a new mindset. Sure, we still have plenty of WiFi worries, guidance books are still written today and more WiFi security is needed, but the security industry has largely moved on to other headlines.
New battles emerged for security pros that changed the subject. By 2009, most security pros turned on cloud computing as the new bad guy on the block. Articles started to proclaim that cloud computing was a bad idea. One of the main reasons given was security. This blog proclaimed that Cloud Computing - IT’S A REALLY BAD IDEA GUYS!
And several large-scale breaches from major cloud providers gave us new ammunition to fear the cloud.
But don’t think that this developing repeat trend means that I am advocating that security pros just adopt every technology that comes along next. I have also been critical of cloud computing – especially in the early years. The technology is evolving, and we now have new Cloud 2.0 offerings. Cloud security continues to be a hot topic and it should be. We’ll be improving end-to-end cloud security for the foreseeable future.
And yet, a pragmatic middle ground is emerging on the cloud as well. The focus is now how we secure our hybrid clouds and offer our right level of security for customers – whether we are talking about software-as-a-service, platform-as-a-service or infrastructure-as-a-service.
BYOD – Your Time has Come!
Beginning in 2011, BYOD started to emerge as the new hot topic for technology and security pros to condemn. Here’s some evidence:
Network Computing - BYOD: Bring Your Own Disaster
InfoWorld - The BYOD Era May Already Be Ending
We Live Security - From BYOD to CYOD: Security issues with personal devices in the workplace
And I certainly agree that we have many current issues with BYOD security today. Policy is all over the map. Consumer device security options and Mobile Device Management (MDM) products needs to mature and improve. The list goes on and on. In fact, there are already calls for BYOD 2.0 from Wired Magazine. Does this trend sound familiar?
And yet, I see a new industry trend starting to emerge as well. For example, eWeek recently proclaimed that “BYOD Taking Over Business, but Security Issues Persist.” Here’s an excerpt:
“A survey of BYOD participants found there is widespread acceptance of personal device use, but lax security controls.
Ninety percent of U.S. employees used their personal smartphones for work within the past year, yet only 46 percent believe their employers are prepared for any issues that could arise from BYOD, according to a new study in which a network of Cisco partners polled 1,000 consumers.”
The BYOD Ship is Leaving the Dock - Get On the Boat!
Most security pros that I know still think BYOD means “bring your own disaster.” But in my opinion, they are fighting the future. I’ve been there, done that and got that T-shirt. I can close my eyes and remember the battles a decade ago over WiFi. Many of the same arguments are being used today to fight BYOD.
What am I suggesting? Get on the BYOD boat. Become part of the secure-BYOD solution at your company. Offer alternatives. Meet your people where they are at. Don’t put on your blinders. Don’t say no. Say yes to secure BYOD. Meet your customer's mobile business needs. Help them move forward to a better place. Don't bring your boss problems - bring solutions.
What does that look like? How do we embrace BYOD? I have grappled with that question for the past year. For me, it has meant digging deeper and looking at the future. One friend said, “New innovations, new technologies and new business trends need security tools.” That means new people, process and technology answers.
In part two of my blog on BYOD, I will make an announcement. I will release that blog on Tuesday, April 16, 2013. Please come back and help be a part of the BYOD solution for your customers.