by Al Raymond

Just say yes: Why banning consumer devices makes your organization less secure

May 09, 2011 | 5 mins
Compliance, Data and Information Security, Mobile Security

Still saying no to employees using iPads, iPhones and other consumer devices on the company network? Al Raymond of PHH Corporation explains why this policy is actually putting your security in peril.

I was having a conversation with another fellow security professional at the CSO Perspectives seminar a few weeks ago and he used the word “disintermediation” to make a point about his website. We had a bit of a chuckle about how that word was used (rather, overused) during the dot-com days. The context back then was that the new, online world was going to obsolesce the traditional world of bricks-n-mortars through the “disintermediation” process of cutting out the no-value-adding, costly infrastructure of middle-men.

This got me to thinking about the topic I was speaking about at the conference: the way to bring about a culturally acceptable balance between security and the use of consumerized IT. That is, how could IT departments allow users to bring and use their own equipment in the work environment and still maintain a modicum of security and privacy?

Why is this issue even a concern? In this cost-conscious environment where businesses are constantly being pressured to reduce expenses as much as possible, doesn’t consumerized IT actually make sense?

In some ways, yes. The primary downside of this veritable technological tsunami is the impact it has had on the dynamic between the typical user and the IT department. The user demand (especially among C-level types) to bring in a new iPad, iPhone, Droid, Xoom, etc. that they got for Christmas, expecting it to be hooked up to the company network, inevitably highlights the tension and traditional IT resistance to allowing unknown/untrusted devices into the inner sanctum. The risks are obvious and myriad. These risks have led many organizations to firmly resist consumerization by restricting personal devices/consumer electronics in the workplace.

I argue that regardless of the formal or informal position of the IT department, or even the company policy in general, this faction of users is growing and is in fact disintermediating the IT department by working around them to get their devices to work at work. The “Just Say No” position of many IT departments is in fact making the company less secure overall, as it is causing employees to circumvent the rules and blockades put up and kept in place from years past.

The driver of this form of insubordination is clear: these days, the boundaries of a company’s information network are not as clearly defined as they were in the recent past — the mobile phone is now the mobile office, for example. The ultimate objective of consumerization is simply work and personal life converged onto a single device. There is no longer credibility in walking around with five devices clipped to your belt, looking like something out of Batman Beyond. Today, if you walk into a meeting and plop down more than one device on the table, you are immediately branded a dinosaur.

The primary theme of my speech was that the trend of consumerized IT is irreversible and futile to resist, so CIO/CISO/CTOs need to seek a culturally acceptable middle way of accommodating the movement, while still setting reasonable guidelines. The benefits of cooperation with a workforce that is more tech-savvy than ever are numerous, not the least being that the reputation of IT as a supporter of the business will be greatly enhanced. No longer will IT be identified as the “Department of No.”

Here are a few more reasons why it makes sense to listen to the sound of inevitability that's coming at us at 100 mph. It's all about productivity via familiarity with the toolset. Think about what life was like 15 years ago: you had use of all the great technology and software at work. When you came home, all you had was some stripped-down versions of that machinery and applications — toys, really. Today, the scenario is reversed. Employees who have state-of-the-art technology at home can’t reconcile the fact that when they come to work they have a Windows XP, or worse, Windows 98, machine that takes 2 days to boot up. Pent-up user demand (I want my MTV!), especially of the Gen X & Y and Millennials, should not be underestimated, and consumerized IT can be the Holy Grail of employee satisfaction.

The toothpaste is now out of the tube, folks. Employees are a lot more productive when they have a say in the tools they use every day. What we as IT professionals need to do is to show leadership & get it right so that the company is protected & users are happy. At least for now.

Al Raymond is the Chief Privacy Officer and Director of Information Risk Management at PHH Corporation. Al oversees all ongoing activities related to the development, implementation, maintenance of and adherence to the company’s policies and procedures covering the privacy of, and access to, customer data in compliance with federal and state laws, client requirements and the company’s information protection practices.