The 'Five Stages' of BYOD and why it's like 'Gangnam Style'
When it comes to accepting or rejecting BYOD, Ian Yip, NetIQ's product/business manager for Identity, Security, and Governance, said that most organisations were now between the bargaining and acceptance stages of the Kubler-Ross model, otherwise known as The Five Stages of Grief.
At an industry breakfast in Sydney yesterday, Yip said that organisations' IT departments first responded to BYOD by burying their heads in the sand in denial, saying it was too hard and refusing to do anything about it. But as users persisted, some organisations responded in anger, either by IT departments going out of their way to make life difficult, or via CEOs threatening to find new IT staff who would allow them to check company information on their mobile devices.
Because of this, Yip said that companies eventually transitioned to the bargaining stage of the model, making exceptions for their boss, or only allowing certain services to be made available on devices, such as email. Yip said that the smarter organisations had changed their tune and already moved to acceptance, becoming "creative 'yes' people" that find ways to safely enable BYOD, so that users don't find new ways to circumvent security.
For the majority, however, Yip said that organisations were somewhere between bargaining and acceptance. While Yip didn't go into detail as to the stage between bargaining and acceptance, according to the Kubler-Ross model, it's depression. But Yip believes that it is still positive that organisations are at least thinking about the issue. Those who still refused to acknowledge the issue would find themselves forced to take action, he said, likening it to the nature of the South Korean song-turned-internet-sensation "Gangnam Style".
"If BYOD was a video, it would be ['Gangnam Style']," he said.
"Just like this viral video, even if you want to get away from it, you can't, and strangely enough, the more you listen to it, the more you like it in an annoying way. In the same way, BYOD for the enterprise is a little bit like a viral video. You really don't want deal with it, but you have to."
For organisations that were beyond denial, Yip offered his advice on how to deal with BYOD: don't do it directly.
"You can't deal with BYOD by dealing with BYOD," he said.
Instead, he said that organisations needed to realise that, despite its name, BYOD isn't about devices.
"BYOD is really about managing mobile employees, not tablets or phones, [and] not even your laptop. It's the fact that people are mobile that you're managing."
Yip drew a parallel to an airport which, as a business, relies on the revenue from its retail leases, but has a primary focus on ensuring that travellers can safely get to where they need to. An airport that made retail leases its primary objective and forgot about fuelling planes or screening passengers for security, would fail to serve travellers, reduce traffic, and indirectly kill its own revenue.
"The most commonly used way of addressing BYOD is to look at the end point. But if you use the airport analogy, securing the end point is essentially just securing the plane and forgetting everything else," he said.
"What you need to do is figure out what you're really trying to protect — it's information."
While some organisations have begun to focus on protecting their data rather than devices, Yip said that data was only half of the picture, recalling a recent claim that every single PIN in the world had been exposed.
"I had a look at it. It was just a page of four digit numbers: 0000 all the way to 9999. It's true, all the PINs had been exposed — but that's data. It wasn't information, so if that got leaked, you really don't care. If you add account numbers to PINs, then you have information. The difference between information and data is context."