After a very thought-provoking conversation with a CISO from a top 10 university, we distilled her thoughts into four key points for a sound BYOD strategy. First, let me level set with a definition of BYOD: any device which is used for both personal and business needs. It could be a phone, a tablet, a PC, or a Mac. It could be owned by the employee, a consultant, a contractor, a firm you just acquired, or a student. What are the requirements for a BYOD solution from a CISO perspective?
(1) Protect the data, not the device: The key objective of the CISO is to protect enterprise data. Locking down a device does not guarantee that the data is protected.
(2) Make it simple for end users: Make it simple for end users to access their work applications and data. If you restrict access or make it difficult, then end users will look for ways to work around the problem by leveraging non-sanctioned sharing and collaboration tools.
(3) Visibility into work on an endpoint: So, let's assume you find a tool that makes it simple for your end users to access business apps. Also, let's assume that the solution protects the data accessed by those applications, whether online or offline. You still need visibility into what users are doing on the endpoint. Not visibility into their personal behavior, but visibility into business access. Visibility into work access will let you detect abnormal behavior.
(4) Alarms about abnormal access: Seeing is believing, but alarms will drive action. In this highly connected world, detecting abnormal behavior early can fend off serious breaches. So you need to be able to detect abnormal access patterns. For example, why is a user accessing work from both Nigeria and New York? Or why is a user downloading tens of documents today when they have only downloaded a few documents monthly for the last few months? Abnormal access patterns help you detect breakdowns in the security systems you have put in place.
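To make the two examples in point (4) concrete, here is an added illustration (not code from the original post or from any product) of the detection logic a BYOD visibility tool would run over its work-access log. The log format, the user names, the two-hour travel window and the download thresholds are all constructed assumptions; a real deployment would tune them to its own baseline.

```python
"""Two simple detectors for abnormal work access on BYOD endpoints:
impossible travel and bulk-download spikes. Added illustration; the log
format, user names and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: "<ISO timestamp> <user> <country code> <action>"
SAMPLE_LOG = [
    "2024-01-10T09:00:00 bob US download",
    "2024-01-20T09:00:00 bob US download",
    "2024-02-11T09:00:00 bob US download",
    "2024-02-25T09:00:00 bob US download",
    "2024-03-04T08:00:00 alice NG login",
    "2024-03-04T08:40:00 alice US login",   # 40 minutes later, different country
    "2024-03-04T09:00:00 carol US login",
    "2024-03-04T14:00:00 carol US login",
]
# Bob downloads 15 documents on 2024-03-04, versus two per month before.
SAMPLE_LOG += [f"2024-03-04T10:{m:02d}:00 bob US download" for m in range(15)]


def parse_log(lines):
    """Parse the constructed log lines into event dicts, skipping malformed lines."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: ignore rather than crash the detector
        ts, user, country, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def impossible_travel(events, window=timedelta(hours=2)):
    """Flag consecutive accesses by the same user from different countries that
    are closer together than `window`. Returns (user, from, to, gap) tuples."""
    last_seen = {}
    alerts = []
    for e in events:
        prev = last_seen.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < window:
            alerts.append((e["user"], prev["country"], e["country"], e["ts"] - prev["ts"]))
        last_seen[e["user"]] = e
    return alerts


def download_spikes(events, day, lookback_months=2, factor=3, minimum=5):
    """Flag users whose downloads on `day` exceed `factor` times their average
    monthly download count over the previous `lookback_months` months, and are
    at least `minimum` documents (so a jump from 0 to 1 does not alert).
    Returns (user, count_today, monthly_baseline) tuples."""
    today = defaultdict(int)
    history = defaultdict(lambda: defaultdict(int))  # user -> (year, month) -> count
    for e in events:
        if e["action"] != "download":
            continue
        if e["ts"].date() == day:
            today[e["user"]] += 1
        elif e["ts"].date() < day:
            history[e["user"]][(e["ts"].year, e["ts"].month)] += 1
    alerts = []
    for user, count in today.items():
        months = sorted(history[user].items())[-lookback_months:]
        baseline = sum(c for _, c in months) / lookback_months if months else 0.0
        if count >= minimum and count > factor * baseline:
            alerts.append((user, count, baseline))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(impossible_travel(evs))                            # alice: NG -> US in 40 minutes
    print(download_spikes(evs, datetime(2024, 3, 4).date()))  # bob: 15 today vs 2.0 per month
```

Both detectors look only at business access events, which is the distinction point (3) draws: nothing about the user's personal activity on the device is needed to raise either alarm. The `minimum` floor on the download detector is the kind of caveat worth keeping in practice, since a baseline of zero would otherwise make any single download look like a spike.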