3 ways to reduce BYOD legal liability with the right conversation

As "bring your own device" (BYOD) reshapes the way organizations handle technology, how do we handle the uncertainty of legal liability and security concerns?

The answer lies in considering how BYOD changes the entire organization. Change is scary. More so when the impacts of the change, including legal liabilities, are unclear and relatively untested.

Change is also an opportunity. Employees are excited about BYOD and the chance to use devices they prefer. This gives security an opportunity to support the business, enable individuals, and improve security.

Ensuring that BYOD increases value while also increasing security requires different thinking and an approach that brings people together in a series of conversations.

The key is in how the technical, legal, and other uncertainties are handled. Getting it right requires constructive conversations with stakeholders and influencers.

Here are three key steps in holding productive conversations:

1. Embrace uncertainty

Acknowledge that BYOD introduces change: from allowing individuals their own devices, to shifting the way we provide security, to adapting to the legal and operational consequences. It's natural to resist and fight change (at least on the part of security professionals).

However, the key to implementing BYOD in a way that increases security and reduces legal liability is to embrace the uncertainty.

People don't actually expect you to know everything.

The legal counsel doesn't have all the answers, either. The business people seeking BYOD aren't entirely sure of the range of situations and conditions in which they'll use it.

Take the lead and explain that uncertainty is okay. It sets up an opportunity to come together and collaborate; this is in contrast to obtuse declarative statements or enforcing draconian policies that simply don't work.

2. Bring visibility to the process

Embracing uncertainty leads to the opportunity to gather the right people and bring visibility to the entire BYOD process. Visually map out how it works, including elements like device selection, how people envision using the devices, what data and networks they need access to, and the like.

Expect this process to take time. Larger, more complex organizations take more time. Focus on bringing the right people together and allowing each the opportunity to contribute to the mapping. This provides the legal team, security team, IT team, and everyone else involved the opportunity for a clear understanding of the process.

Once the approach is outlined, guide people through the welcomed changes in their processes. As they envision and describe the flow, that's the time to ask questions about what needs to be protected. This means everyone has a voice in explaining the benefits and potential risks of the changes.

The visual approach prepares everyone for constructive communication.

3. Engage in communication, not just messaging

Messaging is one-way. Worse, messaging doesn't always work (for a variety of reasons). Yet many teams still work to produce the "perfect" message, only to succumb to the perfect message fallacy.

Relying on messaging to address the security challenges and legal liability concerns only increases the friction in communication that jeopardizes the effort.

Instead of relying on messaging, hastily written emails, and other forms of "communication" that hamper conversation, get face-to-face and engage in dialog. Do this when possible. Make it possible frequently.

Refer back to the visual mapping. Ask questions - without knowing the answer. Let others process the question and consider the range of impacts. Support the process by providing anecdotal and measured evidence.

Use the visual approach and conversation to figure out where the liabilities are and what needs to be protected. By engaging people in the process, they gain an understanding of why, and everyone benefits.

Reframing the opportunity of BYOD

Many in security regard the changes brought by BYOD as a threat to security. That frequently leads to the instatement of draconian controls, often with the smug admission of "my way or the highway" -- as they pound their fists on the table.

That approach simply doesn't work.

Here's the reality: BYOD is a massive opportunity to both increase security and provide value to the company. The key is doing it right.

BYOD improves the way people do their jobs. The key is to get people together, bring visibility to the challenge, process, and solution, then engage in active, constructive conversation, not just messaging and directives.

Find and unite the right people around a common story. That reveals the pathway and allows the legal team to help navigate the liability while security focuses on protecting what is important.

As a result, your job gets a bit easier and the organization is better protected from a legal and security perspective.


Stories by Michael Santarcangelo
