I had a great discussion with a group of fellow tweeters yesterday which will be used as the lead-in to this week’s #mobilebiz tweet chat (open to anyone, usually on Thursdays at 1 PM EST…just follow the hashtag). We started off with a tweet about how all people really want is Windows on their iOS device and quickly moved down the rat hole of VDI and from there to risk, security and users and all about mobile. There were two basic sides to the argument, at least as I understood it, summarized very simplistically: one side saying a good risk management program means everything is covered as far as the business is concerned, and the other side pushing back by saying a risk management program can’t cover everything, especially as users have become savvier with the advent of CoIT (the Consumerization of IT).
Now that, as I said, is a rather simplistic way to look at it, so let’s dive a little deeper. If we look at it from the CISO side of the house, the argument goes that they report to the business and not to IT. Their job is to look at the business processes and identify the risks and the controls needed to manage and mitigate those risks when necessary. Many of them will say that their word is law, as there can be legal ramifications as well as financial ones if the controls they define are broken or avoided. Their job is not to look at the IT side of the house from the perspective of IT, but to determine whether they can ensure the controls needed to keep data safe and secure. Users are not really their concern, as they look at the controls that are in place as taking care of the users as well, whether that means locking them down or some other means.
The other side of this equation is usually expressed by IT. They look at what the business has proposed and wants to implement. They look for ways that technology can help them implement the required pieces so that the business needs can be met. In a well-run business, the CISO would have already defined the controls as part of the business unit’s needs, and they would be much easier for IT to meet, since IT knows about them up front. Alas, we do not live in a perfect world, and all too often security (whether it exists under the CISO, or under IT, and many times it is both) is the last one to be involved in these business projects. They are brought in at the end, and everyone is scrambling to do it all and get it right.
The piece that everyone seems to leave out is the user. We roll out these perfect projects, but then we find out the end-user will do things with them that were unexpected. No one ever expected them to do a print screen so they could look at something offline, or that they would cut and paste a record into email. These things, quite honestly, are easy to find out about and fix. You pay attention to how they use the app, and if you’re smart you set up trials and pilots so you know what works and what doesn’t. The issue comes up when you aren’t dealing with an app or a business project. The line between work and personal life has blurred, and with the onset of smart devices everywhere, people are used to being connected whenever and wherever they are.
Yet many companies have controls in place that don’t take into account these savvy users. It’s less a part of CoIT and more the ITization of the user. They walk into a company that still blocks Facebook and Twitter, won’t let them see their latest Instagram photos or Pinterest boards. They can’t use their lunch hour to hit Amazon to order the Christmas gifts for their kids. These people pull out their personal devices and start using them for that. Then they realize that instead of BYOD (Bring Your Own Device) they can also BYOI (Bring Your Own Internet). Their iPhone or Android device comes with a built-in MiFi (wireless hotspot) that they then hook up to their laptop, as they want the big-screen experience. They may not even unplug themselves from the main network. Even better, they figure out that they can just tunnel out through the proxy server/firewall on their laptop and go to Amazon or their Gmail at any time. They aren’t aware that they may be putting information at risk. Even better, once they figure out how to do it, they tell all their co-workers how as well.
The CISO will claim that they have controls and that of course the company is monitoring and will be able to shut each one of these unintentional risks down very quickly. The IT group will be the ones tasked with it, whether or not they have the people or money resources to do it, and the users just look at it as a giant game of Whack-A-Mole. They’ll keep popping out of their hole with new ways to do things, and they know that they won’t get caught every time.
So how do you avoid playing Whack-A-Mole in the first place? You start by asking your users questions and listening to their needs. You figure out what they want to do and find out if there is a way you can set them up to do it safely without compromising your data and your business. You figure out the best way to manage and mitigate the risks that they are presenting while still enabling them to do work, be productive, and stay happy. You turn it from a game of Whack-A-Mole, us versus them, into a team game where everyone is successful.