Essential Guide

Protect information like a pro: A guide for enterprise CIOs

A comprehensive collection of articles, videos and more, hand-picked by our editors

BYOD security worries CIOs, but IT budgets don't reflect concern

New survey data shows BYOD is a top concern for CIOs, yet IT budgets show a large discrepancy with that concern. What can CIOs do to bridge the gap?

BOSTON -- Most CIOs today will admit that the concerns and pitfalls of the BYOD trend continue to be top of mind.

IT budgets, however, don't reflect that concern, according to survey data released by the Society for Information Management (SIM) this week.

The release of the 34th annual SIM IT Trends Study was part of the IT Party 2.0 SIMposium here, where chief information officers (CIOs) and senior IT executives were asked to pick their three areas of greatest concern. Bring your own device (BYOD) was the fifth-highest concern among the 483 responses. But the 483 respondents listed BYOD as just the 21st-largest IT investment in their organizations.

The discrepancy arises because BYOD takes a relatively small investment and carries a relatively big risk, according to Leon Kappelman, professor of information systems and director emeritus at the University of North Texas and lead researcher for the SIM study.

"Concern is probably not the word I would use to describe [the discrepancy]," Kappelman said. "What it points out to me is BYOD doesn't cost a lot of money; sometimes it saves you money. But it's a big worry. It's a big security problem. It opens holes everywhere."

Kappelman works with the North Texas Electronic Crimes Task Force, and a recent gathering included an FBI and Secret Service forensics expert who said BYOD "is just killing people, security-wise. It's just terrible."

In last year's survey, BYOD was seventh in IT organizational investment, but that question received 195 responses in 2012 compared with 483 in 2013. Kappelman said this was the first time the question was asked about the biggest concerns for CIOs.

BYOD security concerns linger

Kappelman led a panel that featured several current and former CIOs who discussed the findings in the survey. They expressed surprise over the BYOD and security discrepancies.

CIOs must do a better job of getting the funding to address these issues, said Sue Bergamo, the former CIO of a Boston-area email marketing company.

"We need to make sure we are shoring up those gaps and closing those holes," she said. "Our data is what's being taken."

The shortfall in funding for items such as BYOD and security can be caused by a CEO and a CIO who disagree on the same set of concerns, according to Janis O'Bryan, the former CIO and current senior vice president and chief administrative officer for Hudson Advisors LLC, a private equity firm based in Dallas.

"All of us want to be connected to data, including the CEO," O'Bryan said.

O'Bryan's company follows strict federal guidelines set by agencies such as the Securities and Exchange Commission and the National Security Agency, which address many lingering BYOD concerns.

Companies are setting up BYOD security policies, refreshing and replacing end-user hardware and investing in enterprise apps that can wipe data from BYOD devices, according to Bergamo and Kappelman.

"It's a real balancing act," Bergamo said. "We don't want people to look at us as always saying no, and embracing BYOD is part of it. But we always worry about it."

BYOD will happen whether IT wants it or not, and sometimes it's not worth the fight to keep it from happening, according to Bergamo.

O'Bryan said BYOD was a "tradeoff" between ensuring security standards and meeting the needs of the end user from a technology perspective.

"The business wants all these connections with BYOD, but that totally works against keeping the lights on, which is IT's table stakes," Kappelman said. "It adds to how complicated it is and how many moving parts there are."

Areas of concern higher than BYOD in the survey include analytics/business intelligence, security, disaster/recovery and cloud computing, respectively. As for other IT investments, analytics/business intelligence was first, cloud computing third, disaster/recovery 11th, and security 14th.

Other stats from the survey include enterprise application integration and legacy applications ranking as the seventh- and eighth-greatest concerns to CIOs, yet 20th and 17th, respectively, in terms of IT investment. Those areas were seen as relatively small investments with relatively big benefits, according to Kappelman.

Is BYOD one of your top concerns?
Companies won't spend money to address BYOD security concerns until they have a real reason to -- i.e., a huge security/privacy breach in a BYOD environment that really opens everyone's eyes.
Not so much for us. I run an IT shop in an SMB furniture manufacturing company. We've never had an issue with people bringing their own devices and using them at work. They know what is and isn't safe and my admin staff keeps things under control.
The problem, IMO, is that everybody wants everything and nobody wants to pay for it. You can generalize this principle pretty far before going wrong, but WRT the security topics under discussion here, there never seems to be enough budget to implement adequate security measures, and when there is, there's seldom sufficient budget or will or follow-through to enforce them. Sorry for all the cliches, but there's no free lunch.

Dual-identity devices, like the Samsung phones mentioned in this article, offer some promise, as does software that manages identities, like persona management in Horizon Workspace. There's also a reasonable question as to what data should be accessible from what devices, and by whom.

Is anybody reading this old enough to remember Kim Philby? You know, the guy who used to have Snowden's apartment in Moscow? If you have someone like that working for you, you have serious problems that money won't solve, but at least you can make it hard to get large amounts of data at a time or store it on a device. If you make him take photographs of individual screens instead of transferring TB with a thumb drive, you can at least slow him down.

For some interesting reading, see your own link http://searchsecurity.techtarget.com/video/BYOD-at-the-NSA-Maybe-someday-with-mobile-hardware-root-of-trust? and this paper, which you might want to feature: http://www.vmware.com/files/pdf/techpaper/vmware-horizon-view-byod-federal-secure-desktop.pdf. It addresses the topic in an unusually straightforward manner.
For some interesting reading, see your own link http://searchsecurity.techtarget.com/video/BYOD-at-the-NSA-Maybe-someday-with-mobile-hardware-root-of-trust? and a VMware white paper that addresses this topic in an unusually straightforward manner (Google "BYOD Straight Talk").
BYOD is here to stay, and as pointed out, having a good BYOD policy is very critical, but it is the education of staff about the policy that will make it a success or failure. An example, our hospital put a BYOD policy in place to use Tigertext for HIPAA compliant text messaging, but the doctors still used their unsecure regular SMS text messaging. Even though we had a good BYOD policy, it wasn't enough, we had to bring each doctor in to admin for 15 minutes of training and explaining the HIPAA issues and how to use the app correctly. Now we have the doctors in compliance. This has significantly lowered the cybersecurity risks and increased productivity for the doctors and the hospital. Here is an example of a BYOD policy similar to ours: http://www.hipaatext.com/wp-content/uploads/2013/03/BYOD-Policy-20130213.pdf