What are information security rules for, if not for breaking? If nobody breaks your rules, then how will you know the true impact of such a violation? It is naive to think that the user community is sitting idly by and following the rules and policies. You can be sure they are busy finding ways to get around your controls, and often they are forced to do so to become more productive. I often hear IT departments being referred to as Dr. No, and this doesn’t have to be the case.

Both technology and user sophistication are growing exponentially, and the trick is to find a way to harness this energy for the benefit of the company. Obviously, these developments are also creating information security risks exponentially, and this is the tension you need to manage.

An obvious technique is to use pilots. I see in the not-so-distant future a realistic demand from the user base to bring their own equipment on a structural scale. To truly understand what this means and how we can deal with it, I bought a Mac laptop and brought it into the office and simply asked my team to make it work. I asked them to imagine this was brought in by a new employee and part of that person’s contract was the use of their own equipment. How would we make that work? What is it about our policies which would truly not allow such behavior? What can we change in our policy and controls to support such a trend? This experience has given us the knowledge of what this could really mean for us, and we have established additional credibility by being ahead of the game.

Sometimes, going through a formal pilot is simply not enough. When I took this role in my company three years ago, one of the first things I did was have an iPhone purchased in Italy – as at that time it was one of the few places to get a simlock-free version.
I brought it into the office, put it on the table, and explained to my teams that they needed to figure out how to make this work in a secure way. It was a risk, as the answer could have been that it’s not possible, or the internal politics of me owning the information security policy and openly breaking it could have turned out badly. Fortunately, through this process we were able to get more focus on the controls and policies required to support iPhones and devices other than those that were currently standard. Oddly, it was also a test of bring-your-own, although the attraction of making this iPhone work was enough that nobody realised that we were breaking another rule at the same time.

A side effect of finding a secure (enough) way to support iPhones was that I was subsequently able to give key members of top management iPhones for them to use, and it was these people who later openly supported a project proposal for mobile applications. It wasn’t a favour for the gift of the device; it was because these people truly understood the potential of these devices for our business because they had been using them.

Your rules and controls are obsolete the moment they are published, and if you don’t provide a mechanism for them to be broken, the users will move on without you. Whether this is a formal pilot or a disruptive challenge, it might as well be you challenging your own status quo. I believe the benefits of this far outweigh the costs. A conservative benefit is that you will be able to point the users to a pilot as an explanation of why they need to wait temporarily for something to be supported, or you will have the applied knowledge of why something simply can’t be allowed at this time. A personal benefit, which should not be underestimated, is that such behaviour positions you as a thought leader in emerging technologies, and your executives are looking for people to trust during all this time of change.
It might as well be you they trust, before someone else breaks your rules.

Chris Parker is SVP and CIO of LeasePlan. He is speaking on The Consumerisation Of IT – The Dawn Of The B.Y.O. Business at Infosecurity Europe from 19th – 21st April at Earl’s Court, London.