BYOD Policy: Is It About the User or the Device?
There is a misconception that a BYOD policy should be limited to mobile phones, tablets, and portable media devices. But what about the rest of the devices an employee may use? Their laptop and desktop are hardly different from those “BYOD devices” today. If your plan is to have separate policies based on device type, then be prepared for an inefficient and expensive experience.
Based on my organization and the overall trend today, the typical employee uses multiple devices including smartphones, tablets, and usually a laptop or desktop computer. This expansion of device type can leave IT grappling with a growing list of form factors and operating systems. But at the end of the day, it really isn’t about the device – it’s about the user.
That’s because – regardless of the device an employee uses – their access to data, networks, and other corporate information will remain the same. And if there is access or data to which they are restricted, these restrictions should be maintained regardless of the device or operating system. The only constant in this equation is the user.
So rather than investing heavily in multiple IT policies and infrastructure based on device type, what if IT focused on the user instead of the device? After all, the main purpose of a BYOD policy is to secure the corporate networks and data that these devices will access. And typically, access to networks and data is defined by the individual, not the device.
Devices are the same, data isn’t
As a CEO, I don’t worry about the device at all. My focus is on the data. And since the data is defined by the individual, the individual will be the first area of focus when a data breach or security incident occurs. Based on the person’s role and access rights, IT can determine the significance of the data on the device and whether we’re dealing with a minor, non-reportable incident, or one that may be devastating from a compliance perspective.
So let’s take the form factor off the table for now and focus on the end user. Rather than seeing an iPad or Android smartphone, look at the employee. Consider their role, team and organizational unit. This will define their security clearance as well as what they need to access in order to be productive.
Ultimately, a profile of the user will develop. Based on this profile, a policy can be created that supports the productivity of the employee while safeguarding the organizational data and networks the employee will access from all of the form factors they use.
Getting to know your people
By focusing on the needs, rights, and permissions of the user, IT should be able to build a template for each group of users that will support their productivity and provide them with the flexibility to use a device of their choosing. Productivity is a key component and one that IT should consider whenever new workflows and processes are implemented.
That’s not to say there aren’t some specific considerations that need to be observed when heading down the path of BYOD. For instance, some earlier ultra-portable devices are not capable of supporting enterprise-level security requirements. As a result, many organizations will provide a list of approved devices that can access the network.
In heavily regulated industries, some businesses prefer to maintain ownership of the device but cede the selection of the device to the employee to provide them with the same freedom of use a BYOD scenario would provide. This “corporately-owned, personally enabled” or COPE scenario allows the business to maintain the high level of control and security they require while providing the employee with what they want in order to be productive.
Understanding common ground
And of course (and most importantly) there is the need to legally observe the privacy requirements of the employee – especially when they own the device. I cannot overemphasize the importance of having a crystal clear and legally binding agreement in place when it comes to an employee-owned device. This agreement should spell out exactly what IT can do if the device becomes non-compliant, if the employee leaves the organization, or if a suspected security risk is underway. And it should memorialize the employee’s agreement to abide by the program.
This type of agreement is one of the top requests we receive from our customers and is the reason we invested significant resources to provide them with a template they can use as a constructive starting point.
But the BYOD policy should be just that: a legal agreement between the business and the employee that specifies what can and will be done with the device relative to the corporate data and networks it will access. The BYOD policy should act as a complement to an existing baseline IT policy that covers all devices and is in effect regardless of whether the device is owned by the employee or the organization. It should be a constant protocol that IT implements based on scenario and user activity – not on the type of device.
Finally, any policy is useless if there’s no way to enforce it, so it’s imperative that you provide IT with the tools and technology they need to properly support all users. And if your intent is to support a variety of form factors and operating systems then make sure your IT infrastructure aligns with these objectives. I have seen customers spend countless hours playing catch-up, attempting to retrofit their infrastructure to support additional operating systems and form factors after they’ve already permitted these devices to access the network.
In this day and age, efficient businesses consolidate their infrastructure and resources whenever possible. So a single policy that covers all devices is a perfect fit, especially when it’s been tailored with the end user in mind. It also ensures that each gadget that enters the business is already aligned with the goals of the company. Ultimately, this will drive consistency of policy, greater efficiency and position the business to seamlessly support the overall industry shift towards mobile-first.
About the Author
John Livingston has served as Absolute’s Chairman and Chief Executive Officer since 1995, growing the company from its infancy to a global organization. Absolute invented the computer theft recovery, tracking and loss control product category with the introduction of “Computrace” in 1994. Absolute now has head offices in Vancouver, Canada and Austin, Texas and employs over 350 people. Absolute has evolved to offer a full range of business solutions encompassing physical, data and network security as well as IT asset management.