Sunday, September 16, 2012

Initiate BYOD Approach

BYOD is a means to an end; always keep the ultimate business goals in mind.

Reputable industry surveys show IT has accepted that "bring your own device" programs are here to stay. Fifty-six percent of companies now consider themselves proactive toward or accepting of consumer-centric tech, and 59% indicated security is the main concern. At the heart of security is data; data is the queen in BYOD: where it is located, data ownership, data storage, data integration, data governance, data analysis, etc.

After decoding the Five Myths of BYOD Management, here we continue to explore effective mobile data management.

1.    Focus on Securing Data rather than Devices

The weakest link in an organization is usually people, so what is the weakest link in BYOD management? Data is one of the weakest links, so how do we strengthen it?

IT has focused more on managing the device and putting security around data within the confines of its own environment. This mindset needs to change to a focus on securing the data itself, 100% or as close to it as possible: focus on the data, not the device. Really understand where it is stored and how it is used. If you can manage your data, and the rules around how it can be used and by whom, this should eliminate most BYOD issues. This is a fundamental change in how IT thinks.

(1) Organizations will have to come up with mobile information strategies that are well aligned with their information security policies. Yes, that comes down to people, process and technology, but it also comes down to the business's ability to clearly identify the value, sensitivity and compliance needs of its data.

(2) Not every piece of information is the same. Categorize information into different levels of security concern, and focus protection on the key data to enforce availability, confidentiality and integrity.

(3) Think more holistically about security/GRC, and evaluate an "emergency" plan: what is the risk to the company if some documents are made public? Today's mobile/cloud/social technologies bring unprecedented opportunities for building business democracy, but it takes an innovative approach to embed GRC into business processes and improve productivity for the long term.


2.    Trust but Verify

So is there a possible solution that makes it a win-win for the CIO and the employee? Definitely. What if businesses were able to create data layers that resulted in corporate policy compliance without sacrificing the employee's personal data? How can enterprise IT provide a layer of security and management on top of consumer services while making it as transparent as possible to the employee? Companies also need to follow some guidelines:

(1) Don't have too many restrictions. Employees must be effective in their environment; if they aren't, they will simply find another way, and that way is often worse than just giving people enough rights.
(2) Have processes ready to verify: develop technical controls to
a) encrypt data and require special access keys in order to view it;
b) allow the "corporate" level to remotely deactivate access and/or purge all data;
c) ensure that the personal device and its user are who they claim to be;
d) allow "corporate" rules to be enforced, such as a rule where access is only granted within a particular area, and devices taken outside that area would be denied access and/or would remove the data after a certain time period;
e) disable functions that could be used to share confidential data (screen prints, copy/paste, etc.);
f) evaluate and develop an "emergency" plan: what is the risk to the company if some documents are made public?


3.    Treat Them the Same by Treating Them Differently

Not every position has the same requirement for mobility. The goal is to provide a customized BYOD solution that empowers employees to do their job and serve customers best. Not every employee or position is the same: treat them the same by treating them differently, and provide customized service to improve employees' productivity and satisfaction.

Thus, BYOD data security will need an efficient and effective role-based approach that addresses the authenticity of the user and whether they are authorized to store and access BYOD data, coupled with a privacy policy enforced by the employer and linked to the sensitivity rating of the data stored on the device. A BYOD solution should balance the value/risk/cost ratio.
a) Give data owners the empowerment to decide who can access the information;
b) protect the data, not the data containers;
c) use a claims-based security approach.
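As an added illustration (not code from the original post), a small claims-based policy check that combines the user's role, the sensitivity rating of the data, and the device rules listed in section 2 (encrypted storage, area-bound access, removal of data after a device has been out of reach). Role names, sensitivity labels and the 24-hour threshold are assumptions for the example:

```python
from dataclasses import dataclass

# Sensitivity labels, lowest to highest (constructed for this example).
LEVELS = ["public", "internal", "confidential"]

# Highest label each role may read (assumed role names, not from the post).
ROLE_CLEARANCE = {"contractor": "public", "staff": "internal", "finance": "confidential"}

# Hours a device may stay out of contact before cached confidential data is removed.
MAX_OFFLINE_HOURS = 24

@dataclass
class Claims:
    """Claims presented by the device agent, assumed already signed and verified."""
    user: str
    role: str
    storage_encrypted: bool
    inside_office: bool
    hours_since_checkin: float

def decide(claims: Claims, sensitivity: str) -> str:
    """Return 'allow', 'deny' or 'purge' for one request against one data item."""
    if sensitivity not in LEVELS:
        return "deny"                     # unlabelled data is never released
    clearance = ROLE_CLEARANCE.get(claims.role, "public")
    if LEVELS.index(sensitivity) > LEVELS.index(clearance):
        return "deny"                     # role-based: above the user's clearance
    if sensitivity == "public":
        return "allow"
    if not claims.storage_encrypted:
        return "deny"                     # rule (a): encrypted storage required
    if sensitivity == "confidential":
        if claims.hours_since_checkin > MAX_OFFLINE_HOURS:
            return "purge"                # rule (b)/(d): out of reach too long
        if not claims.inside_office:
            return "deny"                 # rule (d): access bound to an area
    return "allow"

def evaluate_samples() -> dict:
    """Constructed requests that exercise each branch of the policy."""
    cases = {
        "contractor_public": (Claims("c1", "contractor", False, False, 1), "public"),
        "staff_unencrypted": (Claims("s1", "staff", False, True, 1), "internal"),
        "staff_confidential": (Claims("s1", "staff", True, True, 1), "confidential"),
        "finance_offsite": (Claims("f1", "finance", True, False, 2), "confidential"),
        "finance_stale": (Claims("f1", "finance", True, True, 48), "confidential"),
        "finance_ok": (Claims("f1", "finance", True, True, 2), "confidential"),
    }
    return {name: decide(c, s) for name, (c, s) in cases.items()}
```

The "purge" outcome is what lets the policy protect the data rather than the container: the decision travels with the data's sensitivity label, not with the device.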

4.    Cultivate Security Enforcement Culture


There are many things that can be done to create a good, secure BYOD solution. Don't just look at it from the technological angle; look at policies, procedures, training, etc. too, as the best business/IT solutions always integrate people, process and technology well:

Employee education is key:
a) Do you have a good training program to educate staff? With any type of data sharing, a certain level of trust must exist, and this is reinforced with employee training on BYOD.
b) Does the organization have good guidelines? Trust, but verify, and cultivate a good GRC culture.
c) Is your BYOD policy easy to access? Make sure it is accessible and understood by everyone who accesses data, confidential or not. The more an employee understands about the potential consequences of being careless with their device, the more secure that data is.

Culture and process matter. Industry surveys show that revenue leaders usually also have stronger security/GRC discipline than laggards, as they embed it into key business processes; they also cultivate a more effective culture for enforcing security.


5.    Three-Phase Approach

Mobile is a fast-growing technology and BYOD a newly emerging phenomenon that is not fully mature yet, so the speed of BYOD adoption may depend on your business nature and security tolerance. Businesses may establish the technical infrastructure requirements and roll them out in three phases:

(1)  In the first phase, allow all users to access all public offerings via the internet, but no access to corporate data;

(2)  In the second phase, permit only certain devices, with the ability to come in through the corporate VPN, while most devices are still not part of the domain;

(3)  In the third phase, apply more complex and comprehensive MDM, NAC and VPN technologies to manage the end-to-end mobile solution.


BYOD is a means to an end; always keep the ultimate business goals in mind. The goal of BYOD is to shape a culture of trust and enablement, provide rapid access to decisions/approvals/escalations, reduce barriers to workforce collaboration, increase asset efficiency, reduce customer care costs, empower and delight employees to achieve high-performance results, and, yes, protect, manage and understand your data asset, which is the new gold in digital business today.

1 comment:

True that data is the queen. Yet I think it is still important to understand how employees use their own devices. One can't protect the queen without knowledge of how the queen can be hurt.
Recommend you to try icedeep worktracker if you need a platform that manages many devices at the same time. If you only have to manage your own device, RescueTime is another option.
