I much prefer to play a game that has rules that I agree with, or one where I get to decide the rules. When we were young, we’d play games and oftentimes make up the rules as we went along. If someone didn’t like the rules, they could go home. Unless, of course, we were using their ball to play… Even though our rules were probably the best, we’d have to adjust them to whatever the “ball holder” wanted, because it was “their” ball. So that meant taking our well-reasoned rules and changing the game into a ridiculous series of events that only seemed to benefit the ball holder.
That always bugged me. I love logic, reason, and prefer to have things make sense in the grand overview. When I am required to change that reasoning or logic, I ask why. If the answer is as ridiculous as “the user wants it”, or “because it’s too restrictive”, or even “it’s just not fun”, the inner geek rage surfaces and I explode like a 1,000-year-old volcano. Every part of my brain begins to scream in pain as it tries to conceptualize the inane request into something logical. I do my best to keep from showing this to the person with whom I am talking, but holding back that amount of “are you kidding me” is like trying to stop Niagara Falls from flowing with a fish net.
Yet, here we are with the same “it’s my ball” set of business decisions with bring your own device (BYOD). Most organizations have barely implemented a proper security defense with the equipment that they own, and now we want to throw in user-owned devices. Here’s a business that is attempting to secure its infrastructure with rules and strategies, and we get users with their own devices saying “it’s my device and these are the rules that I want changed”. Are we serious here? From my perspective I say, take your device and go home! You either play by my rules, or you don’t play.
But Ben, your rules don’t allow me to have as much fun with my device. You’re right! My rules even annoy me. I can’t tell you how annoying it is to enter a long password on my phone when I’m trying to call someone. Security implementations are not designed for fun. I hate having to lock my car, lock my house, and carry keys to everything with me all the time and remember where they are. It’s annoying. I’d love to just sit in my car and push a button and go, without a fob or key to have to remember. I’d love to just open my front door without a key. I’d love to leave my wallet, money, and credit cards in my gym locker unlocked and never have to remember that ridiculous combination. However, security doesn’t always equal fun. In fact, most times security is an inconvenience for most people.
The real issue with BYOD isn’t the device, it’s the person buying into the security model for your organization. If your users don’t give a squat about your security model with company-owned equipment, what makes you think any new policies you put in place for BYOD are going to compensate for the added risk? If your users aren’t a part of your security defense model, adding BYOD to your organization is just asking for failure. Because you are going to continue to fight the battle of what the user wants/doesn’t want on “their” device, and your endless attempt to safeguard your infrastructure. If the user can buy into the security model for your company, and they realize that if they don’t safeguard their own device it could cost them or others their jobs, you might see more people willing to play by your rules.
If the only thing that the user sees when you implement BYOD is “this is what you can’t do, and don’t ask why because you’re too stupid to understand”, you might as well just smash your finger with a hammer, because I think the hammer is going to do less damage. BYOD is not about your data. BYOD is not about your policies. BYOD is about user buy-in to your security model. Without that, this is a never-ending battle with not much to gain.
Users must realize that if they want to use their own device in this game, they have to buy into the rules at your organization. Buy-in starts with the IT team and executives. Let’s get security right with our own equipment first before we add devices that we can’t control nearly as well. It may not be the rules that the user wanted, but if they can agree with them and buy into them, they won’t mind them and still enjoy the game. Now, play ball!