To BYOD or not to BYOD — That is the question

Jan. 10, 2014
BYOD initiatives present considerable challenges

The economic, social and technological landscape is vastly different than it was only a decade ago, and with the emergence of mobile technology, the threat landscape has changed dramatically. Executives must now work to safeguard information where increasing volumes of the organization’s sensitive data are outside traditional information security perimeters — due to factors such as Bring Your Own Device (BYOD).

BYOD initiatives present considerable challenges, and today’s executive must embrace these technologies or risk being sidelined by those more agile. When the trend first began a few years back, there was much more of a focus on how to control and manage it, and we started to look at things such as what devices we should be allowing. This eventually led to questions of who would be allowed to use personal devices, which in turn pushed the focus toward controlling access on an individual employee basis and mobile device-management strategies.

Who Owns the Devices in the Workplace?

Mobile-device risk in the workplace rests on one fundamental factor: ownership of the device. Employees who bring their own devices expose the organization to different behaviors and thwart long-established organizational controls when it comes to managing the associated risk. The fact that the employee, not the organization, owns the device has consequences that many organizations have yet to understand or apply the proper resources toward.

Some employee tablet or smartphone activities would be entirely unacceptable if the devices were owned by the organization. For example, the device may be taken to an unsuitable location where it could easily be exposed to unknown Wi-Fi networks, shared with family and friends, or have any number of personal applications on it. If the device contains sensitive organizational data or can connect to a corporate network to access such data, these behaviors greatly increase the risk of compromising an organization’s information.

Furthermore, BYOD has become the prey of hackers poised to take advantage of people who are programmed to use their devices for personal use and forget that they’re on a corporate network. A well-organized attack, whether originating from nation states, criminals, hacktivists or rogue insiders, can exploit BYOD devices by using them as a bridgehead and means of entry to an organization.

Consider and Make Use of BYOD Policy Options

Policy options enable the BYOD policy to be crafted to reflect the interplay of factors such as the information type, device ownership and the likelihood of access to more sensitive information. For example:

  • Senior management or board members’ email may be permitted on one or more specific devices, but not on others
  • Some information and functionality may not be made available through a BYOD device for specific groups/roles — such as commercial systems or a human resources system
  • The source of apps (either off-the-shelf or built by the organization) may be restricted to those available from an in-house app store only.

For policy controls to work, organizations must be able to trust their people to do the right thing. This is only realistic if the organization provides policies, training and monitoring that make it clear what behaviors are expected of them. Behaviors can be difficult to change, and security awareness is often elusive.

Don’t Forget Digital

In today’s “digital age,” there also needs to be a discussion surrounding the importance of digital in the workplace, especially as it pertains to the boardroom. Without a doubt, every organization needs the insights of a digital director today to keep the company vibrant. When the Internet first arrived on the scene, business leaders took notice and sought to add such expertise. Today, we are witnessing a second wave of interest in what is now known as the “digital director.” The digital director is viewed as a boardroom guru who can provide knowledge on everything in the digital realm.

In April, Gartner released findings from a survey of more than 390 senior business leaders in user organizations worldwide, which found that digital-business initiatives are behind the sudden growth in planned innovator and digital-leader hiring. The survey showed that many business leaders think they have a digital strategy: 52 percent of respondents said that they do. Gartner also found that 19 percent of business leaders expect to see a chief digital officer by 2014, and 17 percent expect to see a chief data officer.

We anticipate that business leaders will change the mix of leadership talent needed to drive change, with chief data officers and chief digital officers at the forefront. As we’ve seen, today’s businesses have become far more likely to adopt new, often online, technologies or approaches that reduce cost, irrespective of the risks they might introduce.

What’s Next…

Highly publicized data breaches, and more stringent regulation, have put the spotlight on cyber security in most organizations around the world. This has put unprecedented pressure on executives to assure stakeholders that sensitive information is secure. Data loss, compromised online transactions and authentication failures impacting customers are just a few things that will immediately get the attention of the board and business stakeholders.

Corporations have a real task on their hands, and some of the smarter organizations have said, “We’re not going to focus on trying to get people to understand the need for security inside the office. Instead, we’re going to focus on reinforcing some of the good practices in security outside the office.” Sound mobile-device security is not a nine-to-five issue.

What it all comes down to is that every organization, both small and large, needs to ensure employees are aware of what constitutes good working practice for mobile devices. As well as making consumer-device security an integral part of awareness campaigns, organizations should consider monitoring device usage and enforcing policy through disciplinary or financial sanctions.

Obviously, no mobile device in the workplace will ever be 100 percent safe. However, organizations need to balance the acceptance of smartphones and tablets with control of those devices to protect the safety of their information. By putting the right working practices, usage policies and management tools in place, organizations of all sizes can benefit from the advantages that these devices can bring to the workplace, while at the same time managing their exposure to potentially devastating security risks.

About the Author

As the global vice president of the Information Security Forum, Steve Durbin includes among his main areas of focus the emerging security-threat landscape, cyber security, consumerization, outsourced cloud security, third-party management and social media across both the corporate and personal environments.

Durbin has considerable experience working in the technology and telecom markets and was previously senior vice president at Gartner. As global head of Gartner’s consultancy business, he developed a range of strategic marketing, business and IT solutions for international investment and entrepreneurial markets. He has served as an executive on the boards of public companies in the U.K. and Asia in both the technology consultancy services and software applications development sectors.

Durbin has been involved with mergers and acquisitions of fast-growth companies across Europe and the U.S., and has also advised a number of NASDAQ- and NYSE-listed global technology companies. He is currently chairman of the Digiworld Institute senior executive forum in the U.K., a think tank composed of telecoms, media and IT leaders and regulators.

About the Information Security Forum

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best-practice methodologies, processes and solutions that meet the business needs of its members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that members adopt leading-edge information security strategies and solutions. And by working together, members avoid the major expenditure required to reach the same goals on their own.

Further information about ISF research and membership is available from www.securityforum.org