
Security

11:00 AM
Becca Lipman

BYOD Policy: Don't Reinvent the Wheel

Financial firms still feel overwhelmed by BYOD risks and challenges. But these can be addressed by a good policy, and the guidelines are already out there.

“I am unusual in the security community because I’m pro-BYOD,” says Michele Chubirka, network security engineer and blogger on information security trends for Packet Pushers. “Mostly because I think it's inevitable. You're arguing with reality. The concept of pervasive or ubiquitous computing is here. The revolution is over, we won.”

Unfortunately, most financial IT departments haven't figured that out yet. Many companies that would call themselves progressive in adopting BYOD are still not supporting Android devices. “I feel I've gone back in time. It's like there's something about BYOD and mobility that sends them into paralysis.”

Chubirka spent 13 years working in academia, which she calls the original BYOD environment. “You had to make this stuff work. There is no argument. The students come in every year, and you needed to be ready for the September surprise. You don't know what new device or operating system or hardware they’re coming with, perhaps it’s a drive that doesn’t connect to the network. So you learn to adapt.”


Consider the concept of the extended mind, she says. This is where you identify with the tools you use to complete a task. Tablets and smartphones are now tools of cognition, and they are what students or employees prefer to use. Forbidding the tool and then handing them another phone doesn't seem very efficient or likely to succeed.

“This is a misunderstanding of what technology really means, and what it's come to mean in the 21st century. It's gotten beyond. It's transparent now. It's in everything. We have smart TVs and refrigerators and bathtubs, everything is connected to the network and yet with BYOD we continue to be held immobilized by lore and the risks. You're not doing your organizations any favors.”

Don't reinvent the wheel
Chubirka, who will speak about BYOD on the Mobility track at Interop New York, said firms don't really know where to start with BYOD. The problem is that technologists jump right into the technology, but they don't really know what to do because there's no policy. “They spin and spin and spin, because they didn't work out all the other stuff on the front end.”

Worse, the policy guys don't really understand BYOD and there's nobody in the middle translating. “That's where I see a lot of organizations fail.”

Her advice: Start with policies and procedures and guidelines, and don't reinvent the wheel. “Get the stakeholders in the room and get an agreement on policies and procedures. And yes, every department defines policies and procedures differently, but don’t argue, just do it the way they want.”

And there’s simply no need to start from scratch. Pay homage to what others have already done. Academia is a great place to start because they have these consensus-driven organizations, and they post their policies and procedures publicly because their students are everywhere and they need to reach them. The National Institute of Standards and Technology (NIST) has great guidelines, and Gartner and Corporate Executive Board have great templates as well.

She adds that one often-overlooked yet critical component of BYOD is data classification. “Written into the policy is who is allowed to touch what, when are certain controls supposed to be at rest, when is it supposed to be encrypted in transit. Figure out your data type, like driver's license and Social Security numbers, ID numbers in conjunction with an email address, etc. Figure out what you have and how you're going to protect it. And that tells you how you're going to do BYOD with your policies.”

“Know the class of data and handling of that data type,” says Chubirka. “Build a framework so when someone tries to put certain data on a certain device, you know what kind of controls have to be in place. Once all that is done, now you can touch the technology.”

Chubirka acknowledges that to technologists this background work can seem boring, but it needs to get out of the way before they can get to the fun stuff.

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...