As "bring your own device" (BYOD) reshapes the way organizations handle technology, how do we handle the uncertainty of legal liability and security concerns?
The answer lies in considering how BYOD changes the entire organization. Change is scary. More so when the impacts of the change, including legal liabilities, are unclear and relatively untested.
Change is also an opportunity. Employees are excited about BYOD and the chance to use devices they prefer. This gives security an opportunity to support the business, enable individuals, and improve security.
Ensuring that BYOD increases value while also increasing security requires different thinking and an approach that brings people together in a series of conversations.
The key is in how the technical, legal, and other uncertainties are handled. Getting it right requires constructive conversations with stakeholders and influencers.
Here are three key steps in holding productive conversations:
1. Embrace uncertainty
Acknowledge that BYOD introduces change: from allowing individuals their own devices, to shifting the way we provide security, to adapting to the legal and operational consequences. It's natural to resist and fight change (at least on the part of security professionals).
However, the key to implementing BYOD in a way that increases security and reduces legal liability is to embrace the uncertainty.
People don't actually expect you to know everything.
The legal counsel doesn't have all the answers, either. The business people seeking BYOD aren't entirely sure of the range of situations and conditions in which they'll use it.
Take the lead and explain that uncertainty is okay. It sets up an opportunity to come together and collaborate; this is in contrast to obtuse declarative statements or enforcing draconian policies that simply don't work.
2. Bring visibility to the process
Embracing uncertainty leads to the opportunity to gather the right people and bring visibility to the entire BYOD process. Visually map out how it works, including elements like device selection, how people envision using the devices, what data and networks they need access to, and the like.
Expect this process to take time. Larger, more complex organizations take more time. Focus on bringing the right people together and allowing each the opportunity to contribute to the mapping. This provides the legal team, security team, IT team, and everyone else involved the opportunity for a clear understanding of the process.
Once the approach is outlined, guide people through the welcomed changes in their processes. As they envision and describe the flow, that's the time to ask questions about what needs to be protected. This means everyone has a voice in explaining the benefits and potential risks of the changes.
The visual approach prepares everyone for constructive communication.
3. Engage in communication, not just messaging
Messaging is one-way. And worse, messaging doesn't always work (for a variety of reasons). Yet many teams still work to produce the "perfect" message, only to succumb to the perfect message fallacy.
Relying on messaging to address the security challenges and legal liability concerns only increases the friction in communication that jeopardizes the effort.
Instead of relying on messaging, hastily written emails, and other forms of "communication" that hamper conversation, get face-to-face and engage in dialog. Do this when possible. Make it possible frequently.
Refer back to the visual mapping. Ask questions - without knowing the answer. Let others process the question and consider the range of impacts. Support the process by providing anecdotal and measured evidence.
Use the visual approach and conversation to figure out where the liabilities are, and what needs to be protected. By engaging people in the process, they gain an understanding of why and everyone benefits.
Reframing the opportunity of BYOD
Many in security regard the changes brought by BYOD as a threat to security. That frequently leads to the instatement of draconian controls, often with the smug admission of "my way or the highway" -- as they pound their fists on the table.
That approach simply doesn't work.
Here's the reality: BYOD is a massive opportunity to both increase security and provide value to the company. The key is doing it right.
BYOD improves the way people do their jobs. The key is to get people together, bring visibility to the challenge, process, and solution, then engage in active, constructive conversation, not just messaging and directives.
Find and unite the right people around a common story. That reveals the pathway and allows the legal team to help navigate the liability while security focuses on protecting what is important.
As a result, your job gets a bit easier and the organization is better protected from a legal and security perspective.