This is part one in a two-part series. Check out the second installment, "How to have BYOD and security, too."
Make no mistake, BYOD is a huge paradigm shift. It's an epic battle in the ongoing war of security versus usability. And usability is winning.
This battle carries major security implications. I've yet to meet the end-user who wants to be bothered by authentication, from CEOs to low-level employees to my own daughters. No one wants to fuss with a log-on of any type. They'll accept security as long as it doesn't get in their way. Every CEO I've encountered has asked me to get rid of nagging password log-ons so that they can get down to real business.
The inherent promise of BYOD is that it will have less security. Think about it. Users say they want -- no, need -- BYOD because it makes their work life easier. What do they mean? It isn't just the form factor; we've had small-form-factor computers for a long time. It isn't usability by itself because no one can tell me how the browsing and computing experience improves once the browser is fired up on any platform. The browser on my mobile device works the same way as on my full-featured computer, albeit possibly in a less functional, slower manner.
No, what BYOD means to the average user is escape: Escape from the security enforced upon them by their organization. No more controlling what applications they run. No more controlling their browser settings. No requiring proxies, antivirus, firewalls, or anything else that can get in their way. The average new BYOD user seems miffed that they have to enter a PIN. They want instant-on and instant access at all times. Who can blame them? Freedom is great.
Security has always been about restricting freedom and/or usability in some way, no matter how small. Security wants to limit a user's choices in the name of trying to prevent easy compromise, and end-users have fought us the entire way. It doesn't help that our battle for security hasn't resulted in significantly less malicious hacking (though I shudder to think about how bad it would be without security controls).
To the average user, BYOD means "my device, my way." And that scares me.
First, the sheer number of possible devices and platforms means they will likely be unmanaged (or at least less managed) as compared to their predecessors. I covered the reasons to have managed devices in a previous column. Managed computers allow an organization to ensure that end-users employ some form of authentication, are using some form of encryption, have some sort of antimalware software running, and patch the device and software -- ensuring some basic security defenses have been enabled.