BYOD is the New WiFi: We Must Learn from History to Enable Mobile Data Security
By Dan Lohrmann, Chief Strategist & Chief Security Officer, Security Mentor
Back in 2004 timeframe, when I was the Chief Information Security Officer (CISO) in Michigan government, I was against WiFi.
Why? It was not secure, in my view. I had plenty of war driving stories, scary magazine breach headlines and an abundance of Washington D.C. three-letter agency white papers to back up my “WiFi is a bad idea” arguments.
Until one day, I almost got fired when I insisted that we could not put WiFi in our government conference rooms. I said, “We just can’t do it. Not secure. Bad idea. I’m vetoing the project!”
My boss and State CIO at the time was Teri Takai. Teri later went on to become the CIO in California Government and CIO at the Department of Defense (DoD). Teri said, “Dan, if that’s your answer, you can’t be the CISO in Michigan.”
Teri went on, “I’ve been to Dow, Ford, Chrysler and GM, and they all have WiFi in their conference rooms. So you need to figure out what they know that you don’t know and then come back and tell me how we’re going to implement WiFi securely. And I’m giving you one week.”
That meeting started a transformation in my security career. I began to rethink my role, my team’s mission and how we were being perceived. I refocused my tactical and strategic initiatives to become an enabler of innovation – with the ‘right’ level of security. We went on to win awards for secure WiFi deployments in government a few years later.
“Whether you are a BYOD naysayer or WYOD earlier adopter, you have to think about enabling secure solutions to equip your business to be innovative and grow”
And there was larger lesson for me from this experience. I now constantly ask myself: I am bringing the organization problems or workable solutions?
As I look back at my early years as a CISO, I see so many blind spots. Yes - I cared passionately about information security. We launched numerous projects like deploying encryption on laptops and marketed better ways to protect the enterprise. I also had the necessary technical skills to do my job.
But I was putting up unnecessary roadblocks. I was a hindrance to management and not offering the business a range of technology solutions with different risk levels.
I had forgotten, or never truly learned up to that point, the real reason for the security team’s existence. The security leader (and team) must be trusted advisors offering the business secure technology solutions. Or in other words, security doesn’t exist if the business fails.
Fast Forward to Today
I told you this story, since I believe that history keep repeating itself in regards to technology and security. No doubt, the specific hardware, software, operating systems, frameworks, issues, vulnerability, and threats change daily. But whether we are talking about WiFi, cloud computing, Bring Your Own Device (BYOD) to work or even Wear Your Own Device (WYOD), the same fundamental challenge remains for technology and security professionals. That is: Are you bringing problems or solutions?
No, I am not diminishing the very real security problems that BYOD programs bring to enterprises. Nor do I underestimate the genuine risks to sensitive data being lost, stolen or misused.
The implementation of BYOD programs is complex, just like WiFi and cloud programs before BYOD. There is the likelihood that new policies, procedures, training and perhaps even culture change is needed.
Nevertheless, just in WiFi, the BYOD boat has left the dock. Are you on the boat – or waving at the boat with both hands from the shore?
Greg Smith, Chief Information Officer at the Missouri University of Science and Technology, recently spoke at a Merit Networks symposium on BYOD. Greg said: “BYOD is here now. It’s happening all around us. It is the status quo, especially on university campuses.”
Greg emphasized that the real questions are around what is coming next, and the answer to that is WYOD. It will be huge and coming soon. For example, pay attention to the new Apple watch launch. We need to prepare now.
Greg’s main points were around our urgent need to prepare infrastructure, security and mindsets for the new normal which is already trickling into our environments now – with a flood of new devices coming soon.
Where to Begin?
Many organizations are likely well down the BYOD road. Others who have been holding off may wonder where to begin.
I think the first key is an honest assessment of your enterprise networks. Answer these questions:
1) Who is really using mobile technology? (Don't just include staff that is formally authorized.)
2) How are they truly using mobile devices? (Include both company and personally-owned equipment in your fact-finding mission.)
3) What data is being accessed on what devices? (Personal and company)
4) What policies are in place, and are they being followed?
5) What controls and protections are in place for sensitive data?
6) What helpful, relevant, engaging training is provided (and taken)?
7) What’s coming next? Are you prepared for next-generation people, process and technology?
In conclusion, there are many great vendors with free mobile data security case studies and examples that can help you in your BYOD journey. But whether you are a BYOD naysayer or WYOD earlier adopter, I strongly encourage you to think again about enabling secure solutions to equip your business to be innovative and grow.
Become a trusted advisor, whom leaders can turn to for answers regarding securing BYOD.