IT directors can feel the pressure when the CEO decides it’s time for an iPad. How can you balance security policy with the need to say yes to the boss?
So you’re the IT director and you’re told you have a meeting with the CEO. You’re briefed that the agenda is mobility and mobile devices…oh, and one more thing: the answer is yes, and the answer is iPad.
When management decides it wants to be mobile, the pressure hits the IT director and the established security policy hardest. When the pressure to cater for people’s device of preference in the workplace comes from the top, it’s tempting to look at a quick fix. But what happens when you implement a solution that is an exception to your security policy for the CEO, who then attends a board meeting with that shiny new iPad? The avalanche of user requests begins, as everyone decides they want to bring their own device (BYOD).
Shadow operations teams supporting BYOD
Loyal Apple followers have formed powerful lobby groups in many companies and have even gathered together to self-support the use of Macs and iPads for corporate use. Apple even has a how-to whitepaper to encourage it.
This is a major move away from the previous tacit acceptance of the devices and systems provided in the workplace. This type of brand loyalty and strong user preference challenges the controlled and managed roll-out of systems and devices that has been traditional in business.
However, with this problem comes an opportunity to leverage the enthusiasm and develop a lower-cost support model that embraces self-support for employees’ devices.
Do management and control go out the window?
The BYOD syndrome is the latest iteration of the age-old struggle between usability and security.
The conundrum has always been to strike a balance between usability and security whilst achieving an acceptable risk profile. That’s the see-saw you see above (thanks to my colleague Andy O’Kelly for the graphic).
A typical illustration of this challenge is remote access solutions, which have traditionally used two-factor authentication (a password along with a key fob that generates a one-time password). Solutions like this, which offer two layers of security, clearly tip the see-saw toward security and away from usability.
In a world where seamless access to applications is the bar, adding a clunky security checkpoint will be challenged by employees.
Have a plan ready, before that meeting with the CEO
There is no silver bullet for this issue, but with technologies such as mobile APN, Virtual Desktop, Always-on-VPN, Network Access Control (NAC), and Mobile Device Management (MDM) in the tool bag, we have options to craft a secure and elegant solution.
So if you haven’t had that conversation with your CEO yet, it may be on the way. My advice is to be prepared; develop a strategy and solution, if you haven’t already.
If it helps, you can drop out to eir’s labs for a mobility demonstration of the available solutions.
What’s your plan for allowing more employees to use mobile devices and tablets for business? How are you balancing usability with security?