As "bring your own device" (BYOD) reshapes the way organizations handle technology, how do we handle the uncertainty of legal liability and security concerns?
The answer lies in considering how BYOD changes the entire organization. Change is scary. More so when the impacts of the change, including legal liabilities, are unclear and relatively untested.
Change is also an opportunity. Employees are excited about BYOD and the chance to use devices they prefer. This gives security an opportunity to support the business, enable individuals, and improve security.
Ensuring that BYOD increases value while also increasing security requires different thinking and an approach that brings people together in a series of conversations.
The key is in how the technical, legal, and other uncertainties are handled. Getting it right requires constructive conversations with stakeholders and influencers.
Here are three key steps in holding productive conversations:
1. Embrace uncertainty
Acknowledge that BYOD introduces change, from allowing individuals their own devices, to shifting the way we provide security, to adapting to the legal and operational consequences. It's natural to resist and fight change (at least on the part of security professionals).
However, the key to implementing BYOD in a way that increases security and reduces legal liability is to embrace the uncertainty.
People don't actually expect you to know everything.
The legal counsel doesn't have all the answers, either. The business people seeking BYOD aren't entirely sure of the range of situations and conditions in which they'll use it.
Take the lead and explain that uncertainty is okay. It sets up an opportunity to come together and collaborate; this is in contrast to obtuse declarative statements or enforcing draconian policies that simply don't work.
2. Bring visibility to the process
Embracing uncertainty leads to the opportunity to gather the right people and bring visibility to the entire BYOD process. Visually map out how it works, including elements such as device selection, how people envision using the devices, what data and networks they need access to, and the like.
Expect this process to take time. Larger, more complex organizations take more time. Focus on bringing the right people together and allowing each the opportunity to contribute to the mapping. This provides the legal team, security team, IT team, and everyone else involved the opportunity for a clear understanding of the process.
Once the approach is outlined, guide people through the welcomed changes in their processes. As they envision and describe the flow, that's the time to ask questions about what needs to be protected. This means everyone has a voice in explaining the benefits and potential risks of the changes.