Trust but verify... Policy only works when it's technically feasible, and visa versa.
I fully agree with Mark that both technology and policy matter and they matter very much; one without the other isn’t the most ideal state nor is it particularly useful in isolation – a symbiotic relationship exists. I also agree with Mark that BYOD is incredibly complicated and implicative, so this is not a service area to be trifled with. But is one more important than the other to the question, I think so, and people will have differing opinions on the matter and that is fine.
In the end state, users need to know what the rules and boundaries are in the form of a written, authoritative policy; they should not care what the technology is to support and enforce the policy. Focusing on the policy early in the service development lifecycle enables good decision-making; it helps lead the technology choices (I believe policy significantly defines the business, functional, technology and implementation principles of what is necessary in the solution and technology architecture and design (see template below and you may get what I mean – especially the implications)).
Each organization will draft their policy based on a multitude of factors. The policy or policies may lean toward the extreme (as below) or be very liberal and there is no such thing as one policy that fits all enterprises. Mark smartly mentions outbound risk (aka - outbound trade secret risk) when an employee leaves – that is a big one, and he mentions regulatory complications and there are so many others to consider it can be overwhelming. Bottom line, we must examine the full spectrum of elements which will guide the service development and for me, technology does not lead, it follows.
ALL information on ALL corporate-owned and personally owned devices (computers, tablets, smartphones, dumbphones, datacards and all other communications and data devices known and yet to be discovered) - that is, any device under Corporate Sponsored or the Personal Bring Your Own program is subject to seizure (electronic and physical), review, audit, necessary business dissemination and archiving by CLIENT, including and without limitation to documents, emails, photographs, voice mails, messaging records such as MMS, IM and SMS, social networking and ALL phone records (known as “Personal Data”). CLIENT may and likely will, for the purposes of such legal need, perform audits and use software and other means to reroute transmissions through other systems including both incoming and outgoing calls to and from such devices used to access all data and information.
Employees will have NO expectation of privacy whatsoever with respect to CLIENT information or personal data (as defined below) on any corporate-sponsored or personally owned / managed devices accessing the CLIENT system, and NO expectation of privacy regarding any documents or communications or content that originated on or were sent to a corporate-sponsored or personal device accessing the CLIENT system. CLIENT does not guarantee the privacy of any electronic communications within or outside of CLIENT.
To be clear, both corporate-sponsored and personal devices will be seized and audited and when necessary, “wiped” of any and all data, operating system software and applications by CLIENT or by a third party resulting in setting device back to factory defaults or rendering it in a forever unusable state. CLIENT shall not be liable for any personal expenses related to such data, software or applications loss. CLIENT makes no promise that information wiped will be retrievable. By your signature below you are agreeing in full to giving up all rights, privileges and control over an authorized device or devices and the information contained or transmitted by said device, be it corporate or personally owned is the property of CLIENT.
I can't tell if my sarcasm meter is busted again or you're serious - however, while eye widening on the surface, it does completely and unequivocally address every single one of the concerns I raised - bravo!
Always serious, because this is a serious matter not to be trifled with right?
Both matter, however in the BYOD space it gets really complicated really quickly - what about the employee who leaves for a new job with sensitive LOB applications on their personal device. Of course you want to wipe them, but you also need to be sure you don't wipe the employees mobile banking application - audit review and logging tools can become even more problematic in this space since the device is effectively serving multiple masters with equally legitimate but different policies - imagine the policies about company email interacting with implicit policies via HIPPA on the employees emails to their Dr on the mobile device. (there are good tools out there for giving the devices schitzoid characteristics, i.e. isolated business and personal aspects (policy :-) )
I look at technology as the enabling mechanism - it defines what is possible. Policy is externally defined and it's realization is the conversion of 'what is possible' to 'what will happen' - I agree with a previous poster on technologies ability to automate policy, I think the deeper issue is that technology simply does things, policy decides what will be done, and when policy and technology are well meshed, things are automated because policy and technology are merged and the decision points are gone - for instance, there are many technologies for cryptography - policy should say which one is there - and then that's what gets used and there isn't an issue
Ah, an interesting question indeed. Normally when responding to questions phrased like this I would make a statement like, “is any one thing really more important than another?” The answer to this question is a resounding YES and in my opinion there “is” a more important thing; POLICY.
People need to know what the rules and boundaries are in the form of a written, authoritative policy and once they have agreed to that policy we need to trust them. So from my perspective and the perspective from the lawyers and HR professionals I have engaged creating BYOD programs, policy always comes first and is more important.
I think of the Ronald Reagan phrase made famous when discussing US relations with Mikhail Gorbachev at the signing of the 1987 Intermediate Range Nuclear Forces Treaty (INF) – “TRUST, BUT VERIFY.” That is the answer to the above question; the trust part is having a written policy in place and trusting the participants to abide by it and verify is having the technology in place to audit and track compliance.
In the end we aren’t really managing mobile devices are we? Isn’t it more accurate to say that we are managing a communications and collaboration mobility service? The policy is like the owners manual for the service and the MDM technology is just a set of tools to make operations management easier. Put another way, we could have a mobility service without either policy or technology, but there is inherently more business risk if we have one without policy – technology is rarely “the most important thing.” Policy protects the business before something happens and gives it a defensible position after something happens.
Organizations that allow mobile devices, business owned or personally owned are at risk if they don’t have a corporate wireless usage policy at a minimum.
They both are and pretty equally I'd say. Technology doesn't mean all that much if the policies aren't both in place and in force to allow the technology to do its job. And all the strident, unified security policies in the world are ineffective if, for example, stolen or lost mobile devices cannot be rendered useless in real time. I think actually it is dangerous to think of these as anything but true partners in meeting the unique challenges of mobile security.
I'd go wih policy, since technology changes far too quickly for managment to keep up. Policies can be enforced via the cloud, letting employees pick the best technology they need to get their jobs done. That's the power of BYOD.
Technology matters most--because it automates enforcement. People do not have to follow policy--a soft control--and they often don't. Unfortunately, that technology and administration also bring new costs--but not as much as a breach! It's the only way to control mobility especially BYOD--but really a host of mobile devices. -- Debbie Christofferson
Paul makes a good point. I have found that corporate culture can be the inhibiting factor to innovation. As we all know we are most comfortable with what we know. This too is an inhibitor to innovation. Looking at a business problem through a variety of lenses will help you understand the needs that might best solve the barriers to success. Sometimes technology is part of the solution and more often than not it is an enabler. That said, all too often we tend to go with what we know and then hide behind the lack of policy to justify not doing what may be the right thing.
If you think about the logical extension of what you are building as a capability of your business and fail to consider the ultimate customer’s engagement in that solution longer-term, then you will continue to do what you have always done. "Keep doing what you are doing and you will keep getting what you are getting."
Break out and take risks. As others have noted, start in your sandbox and with small pilots. Seek to discover the risks that are real rather than the ones noted with other technologies of the past. Being a Chief Innovation Officer in addition to your Information Officer role demands we think differently if we are to make a difference for our business.
Remember, you can always tighten a policy, it is far more difficult to loosen one that has been put in place.
Key to discussion is asking the question, "Is the policy reflective of existing company culture?" All to often priorities relating to management and security dictate decision making. But one thing that the Consumerization of IT era has shown us, is the importance of using technology is a lever/fulcrum for productivity. This means that policies need to be thoughful and technologies used flexible.
One model of a thoughtful approach to mobile policy and technology is Martha Stewart Omnimedia. (see http://bit.ly/OwBdL1)
Yes, my position on the importance of culture was challenged in the 8/14 Twitter chat http://bit.ly/NMFwUx, but I feel strongly that IT policy and implementation (i.e. tech) need to reflect, not change the uniqueness of the organization.
Seems like logically, technology should follow policy (in principle and chronology), but it doesn't always work out that way. As we discussed on the Twitter chat yesterday, there are plenty of examples where tech dictates policy.