Earlier this week, the British government authority entrusted with making security recommendations for government agencies recommended that agencies avoid allowing users to bring their own devices.
According to Molly Bernhart-Walker, editor at FierceMobileGovernment, the US has a similar although less well-defined BYOD policy. Some agencies have begun to pilot BYOD programs, but for the most part the US is discouraging BYOD.
It may sound like a slow-to-adopt kind of approach, but Benjamin Robbins, who is founder at Palador, a Seattle-based mobile consulting firm, says in the context of a government, it makes sense to go slowly with BYOD.
"Given the relative immaturity of popular mobile platforms I can understand why a government agency would make recommendations that are cautious and/or seen as a defensive position. Part of a government’s role in society is to provide social consistency. If that stability is thwarted via technological means it affects not only the agency but societies’ confidence in their founding platform."
Nor does he believe that it's necessarily wrong for the British security agency to take a stance like this. He says that each organization, whether a government or a business, needs to establish a BYOD policy according to its own organizational needs, and BYOD isn't always going to be appropriate.
In fact, Robbins says if he were in charge, he might have come to a similar conclusion. "I think models of device procurement need to be evaluated on a case-by-case and role-by-role basis. Sometimes BYOD makes sense and sometimes it does not. I think governments are wise to be cautious when it comes to electronic security. Mobile devices are dispersed endpoints that need to be evaluated on a holistic security perspective," Robbins told me.
But Robbins parts ways with the report when it states, "True security can only be ensured when device management is applied at the time of provisioning." Robbins says that's a narrow and constrained way of looking at security. He says, in his view, "True security must be intrinsic and pervasive, and not done just at the time of provisioning. Security is not something you do at one point of time and are then done. It is not a fix it and forget it problem. Security must constantly be re-evaluated and appropriate measures taken as conditions change."
Brian Katz, who manages mobile initiatives at pharmaceutical company Sanofi and is a CITEworld contributor, also thinks the policy makes sense in the context of a government entity. "For their use case it is understandable that they want to control the device through its entire lifecycle," Katz said, but he pointed out a phone can be compromised anywhere in the lifecycle--even between the time it leaves an OEM and arrives at an operator. He also believes just managing the device itself is not the best approach, saying, "Looking at it from controlling the device ignores aspects in relationship to the apps a user can access and how they actually access those apps." Ultimately these policies could mean employees carry two devices, and there could be security issues with that approach as well. He believes the best approach is working from the data, up through the applications and then the device to enable those initiatives.
As far as the US goes, Walker thinks that eventually someone's got to take charge. For now, agencies are doing a lot of pilots, but no one wants to take the risk and be the first one. She says if an agency with a high security threshold--like DoD--just bit the bullet and tried it, every agency would start doing it, but until then no one wants to fail.
Governments are even more reluctant than businesses to take risks, and they often see the BYOD approach as a risky proposition, but as more large businesses take the plunge and do so successfully, it should give government agencies like those in the US and Great Britain the ammunition to move forward with policies of their own. For now, though, it seems both governments are going to take a cautious approach and see how it works out.