Beware IT pros who blame BYOD for their own failings

A user gets access to a server he shouldn't have access to and triggers a misconfiguration that posts private data to the Web. Whose fault is that?

A doctor logs in to a hospital server to deactivate his personal computer's account. After his attempt, a server misconfiguration somehow makes the patient records the doctor accessed available on the Web, resulting in a four-year investigation and a $4.8 million fine for two hospitals.

Is this a failure of BYOD and the user? Or of IT's server admins and security staff?

Your answer very likely will determine your fate in IT.

[ How to rethink security for the new world of IT. | Digital Spotlight: How businesses succeed in a BYOD world. | Subscribe to InfoWorld's Consumerization of IT newsletter today. ]

When the fine was announced recently, I got a few emails from readers citing this as an example of the evils of BYOD. After all, had the doctor not connected his own PC to the hospital network in the first place, the server misconfiguration wouldn't have been triggered.

I'd love to be a fly on the wall for the Monday morning meeting of the BYOD doctors as they respond to this issue and work on an appropriate response. Just kidding: We all know who'll be stuck dealing with this mess, one reader wrote.

It's a sadly laughable comment: Blame the user for the fact that the server both was easily accessed by a physician and had a flaw that allowed private medical records to be pumped into the open Internet. If the server should have been off-limits to all but hospital-issued computers, how did the doctor connect? This occurred in 2010, when IT shops were addressing the first big wave of user devices -- mainly mobile ones but also home PCs -- accessing network resources that had been designed in an era when people worked in offices on company-issued PCs -- and nothing else. So a smart doctor likely used work credentials on a personal device back before that was top of mind for IT. That was a forgivable oversight back then for both the user and IT.

But the posting of regulated patient data to the Internet had nothing to do with the user's actions, BYOD or otherwise. The two hospitals involved acknowleged that their security and network practices were substandard, which is why they accepted the $4.8 million fine this winter from the feds. Even back in 2010, that was an unforgivable failure on the part of IT.

Yet four years into the consumerization shift, there remains a strain of IT folks who just can't accept that we live in a connected, heterogeneous, porous-border world and instead keep wishing users would act as if it were still the 1990s or 2000s.

Four years ago, when I first started writing about BYOD and the fundamental shift to users that is the consumerization-of-IT phenomenon, I encountered many bewildered IT pros, whose familar contexts were being uprooted -- and fast. I often heard a subset of IT pros, shaking their fists, declare, "Just you wait until all the breaches happen!"

Well, there've been very few breaches due to BYOD since then. Instead, the losses continue from the traditional venues IT doesn't seem able to address, such as insider attacks, lost thumb drives (ironically, because IT won't support cloud storage), and lost or stolen unencrypted laptops (ironically, because IT often doesn't protect PCs, where most sensitive data is used, but obsesses over mobile devices).

The number of IT fist-shakers has declined since 2010 -- or at least quietly gone underground. Most organizations have figured out a balance between access and security -- rarely perfect, but usually reasonable.

But there are still those in IT who refuse to accept that technology is part of most everyone's work and that many users need access to information from multiple locations and device types to do their jobs. IT's job -- more complicated, to be sure -- is to figure out how to facilitate that. There are now solid methods to follow for BYOD (which really indicates heterogeneous computing and access, not who pays for it), so the challenge today is more about deployment and education than figuring out a core strategy.

If you don't get that and work in IT, you can expect your career options to shrink. You're denying a fundamental reality that reflects how businesses actually operate. We've decomposed so many facets of businesses into changeable parts, and we expect employees who weren't automated away and the increasing army of contractors to be able to work anywhere, any time, on whatever they own themselves on those components.

If you can't accept that, much less help enable it, you're not the kind of technologist most businesses need. It's a fundamental shift IT needs to accept if it wants to survive as more than a group of technology janitors.

Stop blaming users for doing what they need to do. Start figuring out how to safely enable users and lay out the risks for a business to decide on acceptable compromises. It may not be easy, but it is that simple.

This article, "Beware IT pros who blame BYOD for their own failings," was originally published at InfoWorld.com. Read more of Galen Gruman's Smart User blog. For the latest business technology news, follow InfoWorld.com on Twitter.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies