Nothing changes? IT leaders speak about the still-grim reality of selling BYOD to the board
Still a resistance to invest until it's too late...?
"BYOD just happens," said the IT director of a large international architecture firm.
The tech boss was speaking in 2016, at Computing's IT Leaders Dining Club in London, and it's frankly unnerving to hear these words spoken some seven years after the launch of the iPhone.
"You're going to have a BYOD strategy of some kind - because it just 'happens'," the IT head said. Neither he nor his peers will be identified in accordance with the Chatham House Rules agreement of the event.
"Did you, for example, know that Office 365 ActiveSync is enabled by default? That means if you have an open Wi-Fi network in the office, you're already doing BYOD - it makes it very difficult to manage the corporate devices."
Another CIO added that even if a stricter policy makes no Wi-Fi available for user devices, users "just use data anyway", and keep on accessing, storing and sending potentially sensitive information.
But another IT director acknowledged that workers are definitely more productive as a result of BYOD - "they do more and they work for longer," they said.
"So you could argue there's productivity gains, but personally I'd quite like to stop people having to live the kinds of lives where they want to look at email at home."
That first head of IT again: "If we let [BYOD] happen, we might get sued, or we might lose IP, but it has actually happened, and I would suggest to you if everything in your firm is data and IP - be careful.
"At one place I worked, the security credentials worked in such a way that if you had an iPhone, you got in. It didn't have to be a corporate iPhone. It was just the way the protocols worked, it would just let you in. So my personal iPhone got on the corporate network."
Again, it's hard to swallow that such conversations are still happening almost a decade after most end users began carrying a mini supercomputer round in their pockets.
"Here is where you need proper MDM technology," identified another CIO.
"Be clever about it, and intellectualise it. I imagine everyone around this table knows what the ideal is, but also that squeezing money out of your C-level to pay for it is challenging."
And this is the rub. Not a single person around the table that night truly seemed confident that their CEO, or anybody else at C-level, would be instantly willing to have a serious talk about the real risks of mobile device-based intrusions.
"About 60 per cent of businesses understand that the mobile device is the most vulnerable part of the network, and people are okay with that," explained a BlackBerry spokesperson, also present.
"And so I say to people: 'If you knew these [dangers] were on their network, they'd fix it immediately.' It's important that people remember that the important data is on mobile devices as well as the network."
One IT director suggested that the C-level resistance is still down to that old chestnut: revenue.
"Revenue is important, and until they get hit by something that costs them revenue, they won't change."
The criticism is similar to that of many IT industry voices who spoke out only last week in response to the intrusion at telco Three, which saw six million customer details compromised, and which one commentator blamed on a "slavish devotion to short-term margin".
"I squeezed £2.2m out of my CEO for industry software recently for VDI recently, because they could see a direct revenue increase. But if I asked for MDM, no matter how dumbed-down I made it, they wouldn't go for it," remarked the architecture IT head.
The VP of technology at a large media firm asked if IT leaders may be "shooting ourselves in the foot" by "going for everything piecemeal". Would it, in fact, be wiser to try and sell security as a necessary part of another, revenue-leading investment?
"One of the things I find interesting is if you did a total cost to support products, you could discount things, in a way," said the VP of technology.
"If you buy a house, someone is paying electricity bills. So I think what we need to do more of, when we're presenting anything, is say, 'If you need this, it also comes with security'. So you're actually presenting fully built solutions."
"Yes," replied the architecture CIO, "I did that, but I still actually had to say, 'We need to spend whatever million pounds for just security.' It's still difficult."
In terms of business continuity, an IT director suggested only firewalls and intrusion protection seem to figure at C-level. Securing data versus securing the organisation, effectively, which links to BlackBerry's findings from earlier.
"If I ask for a Palo Alto [Networks] firewall, that's different to MDM," said the IT director.
"I'm not convinced that the C-level understands," said the CTO of a large marketing firm, explaining that three ransomware attacks in a few months had the C-level scared, and were the kind of threat they'd listen to.
"At the moment, nothing bad has happened in my company from a mobile device," the CTO added.
Dispiriting words all round, though not without hints of solutions. As well as bundling up costs to include mobile security, CIOs may be best placed to really get their teeth into some of the disasters befalling their peers, and find ways to sell genuine scare stories to the board before it's too late. If the last couple of years have taught us anything, it's that mobile phones definitely aren't safe from malicious actors. It's still early days in discovering exactly what happened at Three, but it appears that unsecured company devices were - at least in part - involved in the commercial damage that went down.
Boards need to become more receptive to the realities, and IT leaders need to double down on making the sell.