Billions of people worldwide are using smartphones, tablets, or phablets to run both their personal and professional lives. These devices go with us everywhere, from our bedside to the kitchen table to our workplace. This rapid rise of consumerized mobile and wireless technology has upended everything from our most intimate relationships to broader cultural dynamics.
The ubiquity of mobile devices has also changed the workplace. Alongside the devices themselves, cloud services and mobile applications have proliferated and vastly outpaced enterprise tools in terms of innovation and ease of use. IT has lost much of its control over which devices connect to the corporate network, what applications they use, and how they download, store and share data.
IT leaders readily acknowledge that the tidal surge of bring your own devices, cloud, and applications (BYOx) can’t be stopped; however, concerns around network and data security must be addressed. The benefits are significant—connected employees are happy employees. Workers empowered by mobile devices and apps are more productive, collaborative, and innovative. Thanks to mobile technology, organizations can deliver their services and products more quickly, accurately, and flexibly—and much further afield.
But risks have mounted rapidly as well. When IT departments don’t have a comprehensive understanding of how users are connecting to and using their network and data, it is nearly impossible to track and protect critical data, provision appropriate infrastructure, and build effective defenses against hackers. IT used to “just say no” to personal laptops and unapproved software purchases. Now that this is no longer an option, security leaders have to learn how to say “yes, let’s work together” to build a safe and productive BYOx ecosystem.
Bring Your Own Everything
As the trend of employees bringing mobile devices, applications and cloud-based storage and access into the workplace grows, businesses of all sizes continue to see information security risks exploited. According to the Ponemon Institute, despite the importance of good mobile security, 50 percent of respondents are not satisfied with the solutions their organizations currently use to secure employees’ mobile devices. In the era of BYOx, this won’t suffice.
BYOx has become a target for hackers who are ready to take advantage of people who habitually use their devices or access their cloud storage for personal purposes and forget that they’re on a corporate network. A well-organized attack, whether originating from nation states, criminals, hacktivists or rogue insiders, can exploit BYOx devices, applications and cloud-based storage by using them as a bridgehead and means of entry to an organization.
The success of a Chief Information Security Officer (CISO) will involve the personalization of IT and being able to accommodate increasingly diverse, yet interconnected, technological ecosystems. BYOx initiatives present considerable challenges, as does the widespread adoption of social media. The modern CISO must embrace these technologies or risk being sidelined by those more agile.
Preventing risks presented by the new BYOx ecosystem will require IT departments to rapidly and effectively deploy enterprise-wide strategies, policies and management technologies. Safeguarding an organization’s data is of the utmost importance, but security measures shouldn’t undermine better workplace productivity and competitiveness. Empowering employees to safely and flexibly use their own devices, applications and cloud-based storage is essential to success, and helps keep workforce morale and talent retention high as well.
Shifting from Awareness to Embedding Behaviors
Traditionally, organizations have run security awareness initiatives, either standalone or alongside other work, to address unintentional or accidental outcomes. Their expectations were that imparting knowledge would motivate people to take information security seriously and act accordingly, thereby:
- Preventing incidents due to human error
- Detecting such incidents earlier
- Providing a greater resistance to threats turning into incidents
- Delaying the impact of an incident to allow the organization time to respond
- Reducing the overall impact of incidents
However, this reliance on awareness initiatives – and the vast sums that have been spent on them over recent decades – seems to have been misplaced. At best, awareness only creates knowledge, and even that can be temporary.
Like any other aspect of the business, organizations need to shift from promoting awareness of the BYOx problem to creating solutions and embedding information security behaviors that affect risk positively.
Here are ten principles that the Information Security Forum has developed to help businesses embed positive information security behavior within their organization:
Develop a Risk-Driven Program
1. Let risk drive solutions. Ensure that each solution has a direct link to business requirements and addresses a defined risk. Using risk reduction as the driving force enables a strong baseline and measurement criteria to be defined upfront.
2. Continue to look for alternatives. By looking closer, organizations may find that a complex system or cumbersome process is inhibiting the right behaviors. Our leading ISF Members strive to make systems and processes as simple and user-friendly as possible.
Target Behavior Change
3. Embed positive behaviors. People are an organization’s biggest asset and also potentially its biggest risk. People – how they take decisions and behave in key moments – must play an essential role in strengthening organizational resilience.
4. Empower people. Winning hearts and minds changes both attitudes and mindsets. As far as possible people should be trusted, motivated and empowered at all levels of the organization. Information security practices then become embedded in the business culture, making information security a critical element of “how things are done around here”.
Set Realistic Expectations
5. Set a realistic timescale. There is no silver bullet. Don’t expect significant results within a month or a complete change after a year: think in terms of three to five years.
6. Aim for ‘stop and think’. Successful solutions enable people to make the right decisions – or know when to consult – when faced with the unknown. If people stop and think and take the appropriate actions in key moments, the battle is won.
Engage Employees on a Personal Level
7. Move from ‘tell’ to ‘sell’. Develop a strong brand and identity, and tailor solutions to people’s risk profiles where possible – ‘one size fits all’ solutions fail to engage people on a personal level.
8. Tap into the right skills. While the information security function plays a vital role in providing context and content for a solution, experts’ skills are required to define and implement distinctive solutions that people will buy into.
9. Identify and integrate champions into efforts. Top performing organizations recognize that a network of trained information security champions from within the business plays a vital role in introducing and embedding positive information security behaviors.
10. Hold people accountable. Successful organizations demonstrate that information security is important to them by rewarding good behaviors and addressing bad behaviors constructively – just as they would with any other sub-standard performance.
Like all major initiatives in an enterprise setting, careful management and inclusive collaboration are the keys to reaping the promised benefits of BYOx while avoiding the pitfalls. Embedding pro-security behaviors and legitimizing BYOx use through policy and enforcement is a good place to start. We can already see that big companies that aren’t yet embracing this new reality are falling behind.
Strategically building leadership, expertise, and policy structures that can handle rapidly emerging and shifting technology scenarios will strengthen the security of current operations and pave the way for proactive risk mitigation and agile incident response in the future.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF)