CIOs urged to take BYOD pleas with pinch of salt

When it comes to implementing mobile technologies inside and outside of the company, plan, plan and then plan some more, but don’t listen too hard to your customers or users, a panel of top IT leaders has advised. Speaking at the CIO Executive Summit 2012 in Hong Kong this week, CIOs from a variety of industries explained that …

COMMENTS

This topic is closed for new posts.
  1. Andy ORourke
    Thumb Up

    Sustainability

    I'd agree with this point - "promote sustainability by saving a few trees’ worth of paper"

    Was at a meeting the other morning, must have been about 60 people, each carrying the 36 page document we'd been urged to print out and bring with us (which, in the end we didn't need!)

    I sent the PDF to drop box, opened it in note taker HD & so saved 18 pages of paper (double sided printing), multiply that by all those people having all those meetings and a business does have the opportunity to save a lot of paper without compromising security.

    I didn't need to connect to the corporate network and the document didn't contain any sensitive information.

    As usual, common sense is required and I suspect this is where BYOD will fall down.

    1. jake Silver badge

      @Andy ORourke (was: Re: Sustainability)

      "I didn't need to connect to the corporate network"

      Then where the fuck did you get the fucking pdf?

      "and the document didn't contain any sensitive[1] information."

      How the hell did you know, before you:

      "I sent the PDF to drop box"

      You sent an un-read[1] corporate document off-campus, to make it available on an unaffiliated corporation's servers, in order to view it on your iFad, and you don't see why this might be a trend that compromises corporate security?

      If I were your Boss, you'd be fired for incompetence.

      If I were your Boss's Boss, I'd fire him/her/it for hiring folks who can't see the big picture.

      If I were your biggest shareholder, I'd be very, very worried ...

      Side-note: Trees are farmed to make paper. Only takes a decade or so from seedling to harvest. No old-growth was harmed to make your dead-tree copy of the NYT. And don't forget, growing trees eat the evil(sic) CO2 ...

      [1] Even if you did pre-read it, are you authorized to decide what is and isn't "sensitive" in this context?

      1. This post has been deleted by its author

      2. Andy ORourke

        Re: @Andy ORourke (was: Sustainability)

        Jake,

        You are right, of course, I phrased my post quite badly, I simply meant that I didn't have to connect to the corporate network at the time I required the content.

        The PDF had been sent via email from an external company who were coming along to do a presentation and a foot note on each page to say it didn't contain any commercially sensitive information (it was just marketing bumf really)

        I had already read the PDF prior to the meeting so I'd have an idea what questions to ask..

        Sorry I upset you so much, chill man.

  2. jake Silver badge

    In the corporate world, the real meaning of "BYOD" is ...

    ... Break Your Own Defenses.

    EOF

    1. TangD
      Thumb Down

      Re: In the corporate world, the real meaning of "BYOD" is ...

      Apparently you inhabit a different corporate world to the one I'm in (and it's Fin Services with all the regulatory nightmare that brings). Still have fun sitting with Canute while he explains the limitations of the situation to you

      1. jake Silver badge

        Re: In the corporate world, the real meaning of "BYOD" is ...

        In my world "RMA" means "Return Material (merchandise) Authorization" ... But then I understand ones & zeros from the ground level. Your world, on the other hand, sees "finished product" from an extremely myopic "least cost" management perspective. SWIFT over IP is a can o'worms waiting to be opened.

  3. Khaptain Silver badge
    Stop

    Infrastructure cost, development cost and security risk

    BYOD has to be tailor made for each company and as such will inherit costs which will be extremely difficult to justify against the security risks. It basically means opening multiple interfaces/ports that will get attacked on an almost permanent basis. In general these interfaces will be the front end to your network/data/file servers. Security risks will have a huge impact and personally I would not like to be responsible for the results.

    I cannot think of many examples where the benefits outweigh the risks. Is there really that much "good" business that can be done using the "instant success" approach?

    1. Arctic fox
      Thumb Up

      Re: Infrastructure cost, development cost and security risk

      Highly relevant points. I think that companies are at the very least going to have to develop a list of approved devices or the whole issue will be a dog's breakfast security-wise and enormously time-consuming for the IT depts concerned.

      1. Anonymous Coward

        Re: Infrastructure cost, development cost and security risk

        'Approved devices' may be entirely the wrong approach - ideally you'd want something that worked across all devices present and near future or you will be stuck in a cycle of device testing and approval.

        BYOD essentially presents the same problems as working from home and my experience has been that the same technologies can be used to provide both - secure VPN with security remediation, and application virtualisation. We've added a wireless extension to the corporate LAN which had already been requested anyway and that's it.

        So for us the question of 'how' for BYOD was answered very easily and the only one that was left was 'why not?'

        1. Khaptain Silver badge

          Re: Infrastructure cost, development cost and security risk

          <quote>secure VPN with security remediation, and application virtualisation</quote>

          After a little thought I agree that this does seem a relatively secure solution.

          The downside is obviously the cost: Secure VPN hardware (probably Cisco), Cisco + RSA keys are expensive solutions to buy and maintain.

          (Application Virtualisation) Terminal Services are again high end and expensive solutions.

          I agree that all of the above can be done with FOSS, but that this is out of reach to most small business (they can't afford the guy with the beard) and large corporates already have enough difficulties keeping things in shape.

          Wifi, OK this is affordable by most companies depending on whether or not Cisco Vlans and/or Switches are involved.

          I would presume that the use of Virtualisation Application or TS requires devices that are closer to Laptops than iPhones in size.

          So in the end who is actually using BYOD in your company, I can't imagine who would want to bring their own laptop and iPads/Tablets are kinda crap for TS (unless used in conjunction with a mouse and keyboard).

          I would be interested in understanding if your BYOD solution is really worthwhile? It's an honest question.

          1. TangD
            Boffin

            Re: Infrastructure cost, development cost and security risk

            We (Fin Services, over 60k people globally) are experimenting with BYOD. Many solutions being tried including 'in a box' solutions with parallels that look to be about as secure as a corporate owned device but not as flexible as we would like, remote terminal solutions (we have VPN etc. in place and have been offering this work from home type service for years). Bring your own laptop is great when you travel as you only have to take one. Agree on the tablet not good for this front, but there are some very interesting technologies that we are seeing starting to flow through the pipeline that massively improve the user experience. To be honest the UX part is going to be harder to crack than the security on the tablet/phone. People are less patient so you really need to think differently.

            There are a lot of issues, like, if I brick *MY* machine is there a loaner I can get, who pays, do I get an allowance, what about tech support etc etc. But we are experimenting and looking for technologies that can smooth the path

            1. Anonymous Coward

              Re: Infrastructure cost, development cost and security risk

              Why are tablets a bad thing? Android at least can handle VPN, and if iOS doesn't have it then bugger 'em. Similarly, Android tablets can read network shares (again, no info on iOS- can anyone say yay or nay to these things for me/us?). So it stands to reason that with very little effort- and effort that could be written down so the user knows what to do- an Android tablet would be able to view files on a corporate network almost as securely as if it was a laptop on the network itself.

              The idea should be to make access to your data as easy and platform-agnostic as possible without compromising security more than the current corporate policy. As a starting point how about assuming every computer is external to the network and needs to be controlled accordingly? It adds an extra layer of complexity to the network but you don't fall into the trap of "well THIS laptop is secure but THAT laptop isn't" when both still have USB ports that can use flash drives and an internet connection that can get to DropBox. Or when both are held by a guy who'll leave them on a train.

              As to your problems:

              If you brick your machine you'd just use the one the company provided; this shouldn't be about offloading all the costs of IT onto the employees, it's to make the employees more productive. So companies should still provide at least a bare-basics ability to access the data on your machine.

              You pay for your device, you get no allowance, you get no tech support besides generic (maybe OS-specific if you're nice to users) "what settings do I need" crib sheets.

    2. TangD
      Holmes

      Re: Infrastructure cost, development cost and security risk

      "BYOD has to be tailor made for each company"

      Where I come from that's what we call an opportunity. There was a time when remote access was custom built, apps were etc etc. Find a way to provide an off the shelf solution, even better if you can partner with a 'consultancy' to provide the deployment and you'll have a business.

      "I cannot think of many examples where the benefits outweigh the risks", I disagree but we have different frames of reference. In our firm we see lots of advantages and are working to reduce the risks. New ideas to utilize the tech keep coming out and further tipping the do it side of the scales

      There is a lot of do it now business, and it can be a good way to attract the right talent, plus retain people as you make their work environment more flexible. Of course ymmv and depends on industry and employee

  4. Lord Voldemortgage

    Senior citizens

    "Henk ten Bos, CIO of Ageas Insurance, explained that BYOD plans are only being considered for senior management at the firm"

    So only the people whose data is the most critical?

    I would have thought that if you have a solution that works for them you can extend the use of it with minimal effort.

    1. Anonymous Coward
      Alien

      Re: Senior citizens

      No, because the senior management, probably, have their own support staff, and since BYOD increases support costs, only management can be supported because of the increased costs. In addition, you don't tell a CEO 'no' and keep your job.

      "...extend the use of it with minimal effort." Um...no. To do that you'd have to buy every employee the same pc/phone/etc that you provide to the CEO, and the accounting department is never going to approve that expenditure. Otherwise you end up having to support too many makes and models and versions to make it feasible....IMHO.

    2. Anonymous Coward

      Re: Senior citizens

      "I would have thought that if you have a solution that works for them you can extend the use of it with minimal effort."

      Yes - but the reality is that these things are perks for the big knobs. All that stuff about a business case was complete bollocks. It's the same with the non-standard notebooks - admin privileges are needed so that the big knobs' offspring can install some games they downloaded via Bittorrent.

      "So only the people whose data is the most critical?"

      Yeah and these are the same people who demand special exemptions from the corporate security policy so that "they can use the same 4 digit password that they always use". Never mind - just remember: it is their data and their network, not yours. Just make sure all their daft requests are in black and white, in case the shit hits the fan. I don't understand how these chumps can function for so long without being victims of spear phishing.

  5. Drummer Boy
    Unhappy

    The problem is

    As soon as your corporate data (esp personal data covered by the DPA) hits a personal device, the corporate loses control, but not responsibility.

    If you fire a person who has synched their Outlook to their phone, and you fire them, you immediately have personal records (covered by the DPA) on a device that is not owned by an employee.

    Even if they are still employed you have no rights (unless you get a court order) to examine the device, or to ensure data is deleted off it.

    This is the huge Achilles heel in BYOD.

    1. TangD
      Go

      Re: The problem is

      There are plenty of technologies to get around this, (dual persona/boot, non local storage, in app remote wipe/encryption). We're not there yet but we are very close to having 'as good as a corporate device'. The issue we run into with our security teams is they want this to be fully secure not just as secure as our existing blackberry/laptop users. That seems unfair to the new tech.

  6. Anonymous Coward

    " Generation Y workers who expect and need to use consumer technologies to be effective in their roles"

    You just can't get the staff!

    I'd sack/would not employ a generation Y worker if they really need their shiny shiny to do their job properly.

    Sad idiotphone/pad, facebook updating, 4x4 driving, conformist wan ers.

  7. Anonymous Coward

    Err...

    No-one seems to be asking:

    Who is going to assure the safety of these practically untraceable devices which are being brought on and off company premises?

    If someone brings a power supply which goes on fire, whose fault is it?

    What are the insurers going to say?

    If the worst happens and someone is killed by fire or electrocution, who is to blame?

    Once these questions have been answered, then I may start thinking about the security aspects of BYOD, until then I don't see how I could allow it in a company I was responsible for.

    1. TangD
      Facepalm

      Re: Err...

      People already bring in devices/power supplies/coffee makers/children where we are. We even let them park big metal boxes with combustible fuels in them at the bottom of the building! So far our insurers have considered that to be normal.

    2. Anonymous Coward

      Re: Err...

      Easy enough- at work if we bring anything in it has to be PAT tested. That's the rule, if you break it and nothing happens then it'll get caught on the next 'global' round of PAT tests. If it so much as trips a breaker when someone spills coffee over it (or /looks/ unsafe), it's a disciplinary.

      Technically it's a disciplinary either way, but if it has no negative effects no-one particularly seems to care.

  8. TangD
    Unhappy

    Everyone is so angry about this...

    Change scares people I guess. BYOD brings a whole raft of problems, yep. But we've dealt with end of the world scenarios before (Laptops, Blackberries, remote working)...

    There are good solutions coming through (Good is a solution for some small part, I'm not sure it's a good solution but there we go) but disruptive technologies are coming through that will help to fix some of the security issues. These range from MDM on corporate owned devices for high security users through to dual persona/MAM for personal lower security users. The world is changing, we see email dying, we have clients demanding mobile access. This stuff is NOT harder than what we have faced before, but it will be much more publicly visible if you fail, think symmetrical risks of reputation damage but doing it but getting it wrong/not doing it at all.

    Consumerization IS going to drive corporate going forwards, it is going to be hard to manage, there are new risks, let's stop digging in our heels and figure out how to fix it. It's what we get paid for.

  9. Henry Wertz 1 Gold badge
    Trollface

    People seem to believe in "one size fits all"...

    a) Some people don't need a device. These businesses like the fantasy that they can have people on call 24/7 without paying them for it. I think in some cases, it lowers a psychological barrier where someone who wouldn't dream of "calling you at home" will think nothing of calling a Blackberry (or messaging it expecting a quick response) while they also know you are at home. I'd shut the Blackberry off the minute I left work. Others will want a device but it'd be a waste of money for them. I don't know if I'd figure it's a cheap amount to spend to keep those people happy, or just point out they never get E-Mails and such outside business hours and please suck it up.

    b) People who are forever handling sensitive data. These are the ones where you simply have to tell them, "hell no, you get a Blackberry and you'll like it", keep it all locked down, or they get nothing at all. Banks, hospitals, and so on will have certain people in this category.

    c) Everyone else. They should be able to get E-Mail and so on on whatever device they want. If the device refuses to cooperate, you know I'd have to tell them "tough luck" but anything can do POP or IMAP or whatever these days, so it shouldn't be an issue.

    The problem I see is friction with companies that think every singular person has sensitive data, they don't do either one of 1) Giving people a sensitive E-Mail account that DOES NOT go to any computer outside the business, and a second normal account that does go to the phone or whatever. 2) Recognize that some people's E-Mail is never going to be proprietary or privileged info, it's going to be "Did you finish that thing Thursday?" "Yeah I did", and these people like to feel connected.
