R.I.P BYOD: On To The Next One

David Lingenfelter, Information Security Officer, MaaS360 by IBM

David Lingenfelter, Information Security Officer, MaaS360 by IBM, David is a seasoned security professional with 20 years’ experience in risk management, information security, compliance, policy development and... More >>

Who remembers the war between employees and their IT departments when the thought of bringing your own device (BYOD) to work first emerged? I know CIOs remember it vividly because it represents the moment when the discussion around control of enterprise endpoints shifted forever. It pushed the boundaries of what IT departments could control and not control. Early in the debate over BYOD, enterprises really had three options to choose from when addressing the growing clamor from users – ignore it, block it or understand it. Unfortunately, most corporations picked the first two. Not a big surprise since many decision-makers also once considered the first-generation iPhone a toy not a business productivity device. (My, were we wrong). The business case for BYOD quickly made itself apparent, often with company executives pushing to use their new device for work. Once the executives got the ball rolling and we saw them understand BYOD’s implications emerge and CIOs created policies to govern the use of personal devices. According to a recent IBM study, 48 percent of business leaders said their companies have formal, BYOD regulations in place. What emerged from the early BYOD wars was, CIOs and IT units implemented technology in the form of enterprise mobility management (EMM) leveraging techniques to deploy more granular policies, striking a better balance between enabling employees and ensuring security. Thanks to the evolution of EMM technology, BYOD is now nothing but another use case to manage.

Flexibility Is Key

Fact is, CIOs still are focused on ensuring employee productivity but the concern around security continues to grow. What we’ve seen is that there is no “one size fits all” approach for BYOD or other mobile use cases. Both IT and the technology to manage mobile is now of higher intelligence. For example, data can be secured in specific areas on devices while personal data is ignored. In the process, security must not get in the way of employee activity; it must be an enabler. To accomplish mobility goals, flexibility is key. One possibility is to allow employees to enroll in a program that is enabled by EMM solution. This permits users to access company resources while giving IT limited control over their devices, an arrangement that agreeably takes end-user privacy into account. While it’s the most common way to manage devices, will be a big hit with your employees? Hardly.

An alternative is to provide employees with a separate app to access work email, calendar information, contacts and documents without enrolling a user in the EMM solution. In this scenario, IT would place security requirements, such as passcodes, encryption, and data loss prevention controls, on corporate data and apps without interfering at the device level. If you’re looking to gain popularity points with your employees, this option is ideal since corporations would have “less” control over a user-owned device. It removes the stigma of big brother.

Fortunately, flexible EMM solutions allow IT to deploy different approaches that comply with security guidelines while respecting user privacy. Unless a device conflicts with corporate policy or contains malware, there’s no reason to impose further on an employee’s mobile device. Some options even help both the user and corporation remain safe. For instance, the ability to detect and notify the user that malware has been discovered on their device can help protect their personal information. It’s especially relevant in 2015 since malware infected over 11.6 million mobile devices last year.

The focus is now on IT to evaluate the purpose of a specific device, examine the corporate resources that a user accesses and apply the proper technology and policy to govern. The implementation ultimately hinges on the explicit use case and user requirements. Just remember, there isn’t a single policy to manage all devices and all users. If any - thing, that’s a quick way to pit IT and end users against each other.

“Flexible EMM solutions allow IT to deploy different approaches that comply with security guidelines while respecting user privacy”

Analytics Will Alter the Future

As mobile and big data analytics converge, it will create new forms of intelligent management policies that use context and automation to deliver services. In the coming years, the industry will have more granular control over identity and access management of users and devices. Predictive algorithms in EMM products that forecast risks in devices before they surface will be the new game-changer. Further advancements in analytics and security intelligence will enable IT units to identify vulnerabilities within corporate environments and prevent threats from happening.

These developments will stimulate heightened security measures, further enabling successful mobile adoption. Slowly but surely, the EMM market will evolve from simply enrolling a device in a solution to understanding context and providing predictive analytics. Exciting times are ahead.

While BYOD may no longer be a phenomenon, securing the enterprise still remains the ongoing challenge. It’s up to CIOs to understand the shifts in the landscape, adopt a flexible approach that ensures user productivity while increasing security standards and move on to the next one.