February 16, 2016

BYO culture – CIO's nightmare?

Markus Melin

Head of Tieto Security Services, Tieto

Tomi Behm

Lead Security Services Product Manager, Tieto

As you probably know, BYO stands for "Bring Your Own". In the enterprise world, this concept usually takes the form of BYOD (employees work with their own devices, such as computers and phones), BYOA (they use their own applications) or even BYOI (they log in to services with personal identities).

But did you know that the origins of BYO culture are in alcohol restrictions?

The acronym was used in restaurants, especially in Australia, that weren’t allowed to serve alcohol to their guests. To circumvent this rule, they introduced the practice of BYOB, "Bring Your Own Bottle". The patrons could take their own wine to consume with the dinner, and everyone was happy.

In other words, BYO was born out of necessity to get around artificial limitations. People are usually clever – and lazy – and want to do things in the most convenient way possible. Why go through too much trouble if it isn’t absolutely necessary?

This is also the case with BYOD and other BYOs: If you are forced to work with a company-mandated laptop that weighs a ton, takes fifteen minutes to start up and is a royal pain to use in general, why not ditch it and use your latest-model ultrabook that gets the job done quickly and without additional hassle? 

Who’s in control here?

Here, we get to the crux of the matter. IT departments have traditionally wanted to have strict control over hardware and services that are used by employees. They have justified this on the grounds of security and ease of maintenance.

It must be admitted that they do have a point. Standardized equipment really makes IT guys’ work easier (remember what I wrote earlier about laziness) but at the same time it makes life miserable for everyone else.

The world has changed, and modern IT workers just can't be expected to put up with equipment that is ill-fitted to its purpose. Workers are mobile and need to connect to enterprise networks from different places and use different devices, applications and even identities – whichever is the best way to access the resources they need to get the job done.

This is good for productivity but has the downside of creating more security risks. Devices and identities can be stolen, and insufficiently protected devices can spread malware to company networks. Some industries, such as finance and banking, also have compliance requirements that need to be addressed. They handle regulated, very sensitive information that needs special protection.

The benefits, however, well outweigh the disadvantages.

IT departments have simply had to let go of the level of control they used to have – and this loss of control is nightmare-inducing stuff for the CIO. Change is always difficult, but it isn't necessary to weaken security in order to make way for modern ways of working. It's only a matter of changing the attitude. We know this well, because we at Tieto have gone through this transformation ourselves. Culturally, this was one of the biggest decisions we have made.

Tear down the walls!

In the old times, it was enough to build strong walls around the company’s IT infrastructure.

Connections to the outside world were strictly controlled, and security updates were deployed on all devices centrally at planned intervals. The data on company machines belonged to the company, and no one was allowed to save family photos or pet videos on the hard drive of their work computer.

BYO culture changed all this. Users' personal data and company assets live side by side, and security can no longer be contained within office walls. This means that security must be mobile and travel with the user and his/her device.

Luckily, there are good solutions that both guarantee security and allow flexible and productive ways of working. For example, mobile device management can be used to remotely wipe data from stolen smartphones or tablets, and also to prevent risky use.

We must also remember that not all information is equal: a lot of the data that is collected and stored has little to no value for an intruder or doesn't need high levels of protection, whereas business-critical or trade secret intelligence must be guarded well.

When CIOs learn to accept that, even though they don't have full control over the devices, they still have mechanisms to keep valuable company data safe, perhaps they'll start having sweeter dreams.

Read more about securing data in BYO culture at www.tieto.com/security and from our whitepaper.
