For those not familiar with ISACA, it is an international IT governance organization whose members range from auditors to security architects, and from IT analysts to CIOs. I had the pleasure of talking with ISACA member (and president of IP Architects) John Pironti about ISACA’s view on the impact of the bring-your-own-device trend. The trend certainly has a way of changing many aspects of the organization, and Pironti shared his thoughts on what may be the best ways to responsibly embrace the phenomenon as we chatted about what the survey results might mean to different consumers of the results.
The survey can be found at www.isaca.org/online-shopping-risk and reflects data gathered at the end of September 2011. If you take it for a spin, bear in mind that the respondents were not yet getting busy with 2012’s shopping activities, and 2011 was an entirely different year in terms of who had access to what devices and how much overall online shopping temptation consumers faced versus what we might see in 2012. Again, drawing platitudes from these exercises is not for me, as I tend to habitually consider the larger context, but I did let Pironti guide me to a few conclusions that I’m OK with. I also learned a bit about ISACA philosophy along the way.
Being fairly in tune with enterprise security concerns, I assumed that anything to do with online shopping would have to address the many unknown and potentially dangerous links that bargain-hunters are presented with as they hop around unfamiliar merchant sites, along with use of corporate email as it relates to shopping. On this topic, I was right. About 50% of all respondents saw significant danger in clicking on shopping links within email from the work PC or mobile client device, using corporate email as a contact for online purchases and using mobile shopping apps on the corporate smartphone. At the same time, almost equal numbers say that the company allows these very practices to promote work-life balance. I conclude that some behaviors are allowed, but employees don’t necessarily feel comfortable taking advantage of the opportunity.
The survey describes a number of other behaviors related to online shopping at work, and addresses using corporate assets or personally owned devices on the work network. As I digested it, I found a number of responses to be at odds with other answers. But the more I pondered it, the more the confusion made sense in the face of the mess that BYOD can create for those network owners and executives who have yet to devise a strategy for dealing with it all.
Interestingly, Pironti somewhat disagrees with the roughly 50% of respondents who said that they thought the risks of online shopping on company time and on the corporate network or devices outweighed the benefits. To Pironti, it’s not an either/or thing. This is just another train that has already left the station, and, by his reckoning, it’s far better to educate users on how to do these things safely and responsibly than to risk their taking those activities underground, where no one can see or manage them.
I agree with Pironti that it’s best to face head-on all of the new challenges to what we used to be able to tightly control, and to ensure that users are both savvy to the dangers of their activities and educated enough to keep themselves (and the company) out of harm’s way. Providing users with a known, safe framework also goes a long way to negate the fears expressed in the survey.
For those who are just starting to let the good and bad of BYOD seep into their consciousness, there is one notion that really needs to be considered. Whether your managers and directors actually use their tablets and smartphones productively or simply tote them around as executive bling, these folks are often the first to adopt new technology. Frequently without realizing the potential risks, those with lofty titles tend to push the envelope of new and cool, despite being among the highest-value targets in a given environment. That is further reason to follow Pironti’s advice, whether it is for online shopping or other activities on today’s class of devices in the workplace: "Embrace, but educate."
At the time of publication, ISACA has no business relationship with Lee Badman.