April 28, 2012 By Dan Lohrmann
Opinions are all over the map on "Bring Your Own Device" (BYOD) to work. I've heard those who insist that 80% of us will adopt this new approach to mobile devices within a few years. Others believe that the letters BYOD stand for "Bring Your Own Disaster..."
Here are a few viewpoints and a quick poll to gauge your opinion.
Is Bring Your Own Device an Inevitable Trend?
"... Government Executive’s recent article outlining '5 Trends in Mobility' includes the BYOD wave front and center, a phenomenon seemingly buoyed by U.S. Chief Information Officer Steven VanRoekel’s vocal embrace of the power of mobility: 'Going mobile doesn’t just increase productivity, but it’s a huge cost saver too.' Leading government analysts agree, calling BYOD the 'dominant trend in many civilian agencies' and 2012 'the year that tablets become firmly embedded in the government space.'"
WSJ: Should Employees Be Allowed to Use Their Own Devices for Work?
"... The quickening pace of breakthroughs in consumer technology is helping fuel the trend. Accustomed to managing their personal lives with the latest and most-innovative technology tools, people are becoming less patient with the older, clunkier hardware and software they have to use at work...."
TECHNOLOGY SPECTATOR: Bring-your-own-device disaster
"... Yet while BYOD is on our doorstep and the pressure to cave into the trend is overwhelming, cyber security companies like Symantec are more than happy to elucidate what will happen if a CIO gets their BYOD policy wrong.
According to the latest Symantec report on data breaches, a hacked mobile device in an organisation can be a serious security issue, with hackers looking to piggyback employee devices into a workplace’s network...."
Now it's your turn. I'd like to know your thoughts and experience with BYOD:
April 22, 2012 By Dan Lohrmann
Over the past few weeks, there have been several high-profile breaches announced involving state government systems - one in South Carolina and one in Utah. I say “high-profile” because the coverage of both incidents has been widespread, with tech magazines, blogs and even major newspapers and TV stations covering the situations in detail. The headlines have not been very encouraging for our respected government colleagues, with Computerworld reporting that the Utah breach was 10x worse than originally thought.
My first reaction, and the thoughts of many government CIOs, CTOs, CISOs and CSOs around the nation, was to think: “There but for the grace of God go we.” Anyone who thinks they are not susceptible to similar cyber incidents (whether from insider threats or external hackers) has not been paying close enough attention to the growing threat in the cyber world we live in. (I covered this topic briefly in the piece: Is America Outgunned in Cyber?)
My thoughts go back to about this time last year when we experienced two major computer outages in Michigan, and the national spotlight was shining on us. True, those were mainframe computer outages and not the same as data breaches. But I can tell you that you don’t sleep much and it is not a fun time. To be fair, Amazon, Google, Microsoft and others have also experienced extended outages, and large corporations such as Sony have experienced major breaches.
As far as breaches go, Alabama, the CIA and other federal, state and local government agencies have also faced similar headline-grabbing breaches. These are very serious situations that affect citizen data, and I am confident that the matters are being handled professionally and with care.
Here are some additional thoughts and comments that I have:
1) Although these two (Utah and South Carolina) breaches were very different (in cause), they were similar in that they involved Medicaid systems. One involved an internal disgruntled employee and the other an external attack made easier by a lack of appropriate system controls. Regardless, government technology teams around the nation are now on alert and checking their systems for specific protections and appropriate processes.
2) The national network of cyber coordination and controls got the word out fast and organizations like the MS-ISAC have kept people informed on a “need to know” basis. The call from government officials to “double-check” and “take additional precautions” has been loud, because citizens are asking “what are we doing to ensure that our systems are protected ….?”
We all need to be “plugged-in” to the right organizations, since we are in this global cyber battle together.
3) These are teachable moments. We need to take this (and every other) breach opportunity to demonstrate the importance of cyber protections to our extended IT teams. Make lemonade out of these lemons. Communicate more by sending out newsletters, alerts, emails or whatever you need to do to get the attention of the appropriate people to reinforce the policies around people, process and technology to secure systems. Have you made your IT teams aware?
4) Breaches will happen again. We need to keep asking: are we ready? What do we need to do to prepare? Where is our cyber program? Is there a sense of urgency?
5) The pundits who say that state governments are not targets are wrong. Preparation as a top priority is needed from CIOs, CTOs, CISOs and others in government.
6) The mid-year NASCIO conference will provide an opportunity for CIOs to be briefed by intelligence community officials on cyber threats facing the nation. These types of briefings are important for all government technology and cyber leaders. Do we understand the threat? What is our risk level?
7) Someone asked me once: What does it feel like when major outages or breaches occur on your watch? Answer: It hurts. Like the pain you feel after losing a championship game in sports, your team regroups and commits to never let it happen again. But you wonder: can you get the genie back in the bottle? It’s tough with your reputation being tarnished a bit.
I could say more, but I have no desire to “pile-on” or criticize these states. They have excellent technology teams, and incidents like these are very difficult to stop over the long run. They will no doubt get better and learn from their particular situations as Virginia did after their major outage a few years back.
One final thought: I just returned from speaking at the CSO Confab event in California this week, and I had the chance to speak with CSOs and cyber leaders from the top companies and security teams in America. The mood is pretty pessimistic, with many speakers acknowledging that we have failed – so far. Several of the side conversations with consultants and other experts were equally as depressing – with stories of major US companies that were recently breached and are now recovering and rethinking their approaches to cyber attacks and business processes. This trend is happening to most major enterprises – whether government or private sector.
Bottom line, the cybersecurity battle has not yet peaked or turned the corner in my view. If your government is not taking this threat seriously yet (and I mean top-level attention), now is the time to act aggressively. We each need a pragmatic cyber plan to improve. I believe that we are still in the opening innings of a long baseball game, and we (as a nation) are behind by more than a few runs. Unlike baseball, the public trust in government and other institutions is at stake.
What are your thoughts on these incidents?
April 15, 2012 By Dan Lohrmann
A few weeks ago, Bob Lewis wrote some provocative words over at InfoWorld that most security pros probably find pretty hard to stomach. In an article entitled: BYOD and the hidden risk of IT security, Bob basically called out most “bring your own device to work” security strategies as being more damaging to enterprises than helpful. His subtitle said this: “When employees use personal devices for business purposes, too much security can create more risk than it prevents.”
Wow! He got my attention. But I’m struggling to get to the same place as Bob. I’m still looking for the preponderance of large enterprises that have the “too much security on smartphones” problem. I wish he had provided some compelling examples.
Nevertheless, Mr. Lewis makes several excellent points at the end of the article that I’d like to highlight:
“Risk comes in two forms. Some risks are possibilities of increased costs; the remainder are risks of decreased revenue. The former gets the most attention because those are the ones that happen in big bites -- and are the most visible.
But risks that lead to less revenue are arguably more important. They come in such forms as customer dissatisfaction, reduced innovation, poor collaboration among employees and with business partners and customers, and employee apathy.
Information security has, for the most part, focused its attention on the pitfalls of increased cost, which has led to its being one of the biggest sources of revenue risk.”
He’s absolutely correct. Even though I’ve never seen a state or local government that spends too much on cybersecurity overall (most of us spend under 2% of total IT spend), governments can still over-protect in a particular security area. I do believe that government enterprises need to periodically assess whether our precious tax dollars are being spent wisely and in a manner that helps the business by enabling innovation. Perhaps too much is being spent on old technology and not enough on the new. When security controls are put in place, are those protections overbearing on staff? As the age-old analogy goes, a patient can die from cancer, but a patient can also die from too much chemotherapy.
So what is the “right” level of security? How do you know if you have gone too far, or not far enough in protecting critical systems? Do all business functions need the same level of security? These questions can get tricky due to the “weakest link” challenge – where attackers can gain network entry by accessing your least protected department.
No doubt, security requirements vary from business area to business area within government. Protecting health records, social security numbers, credit cards and other sensitive data often requires specific legal controls and compliance policies. Protections will likely be different in areas that require access to sensitive data than in other areas of government that share data openly with the public. Bottom line, security professionals need to know the business requirements and the business needs before making those judgments.
These “right level of security” questions also bring us back to where we started in this three part series on customer service. It is important to benchmark our technology operations against peers and/or even against the best operations in the world. One big part of any assessment includes business customers who need to be at the table throughout the assessment process.
For specific situations, such as bringing personally owned smartphones into work, I am a believer that a “one size fits all” approach will likely not work in most state governments. For example, our criminal justice organizations in Michigan are not supporters of BYOD policies, while some government departments (like Education in Michigan) think BYOD is a good idea and want to encourage more uses of personally-owned devices. These different perspectives are coming from the business side. Regardless of the viewpoint, ensuring appropriate seats at the table for business areas during policy formation discussions is paramount.
One more point: security organizations can even offer the customer better service by working together to achieve the right result. This theme came across almost five years ago in this TechRepublic blog: Security and customer service go hand in hand. Here’s an excerpt:
… I ran into a similar situation two years ago, at a law firm in Washington, D.C. There, the manager of the help desk told me that although the telephones in the firm had caller ID capability, this capability was lacking in the phones of the help desk. When I asked why, she said that some help desk analysts were deliberately avoiding the calls of “challenging” callers. By suppressing caller ID, she reasoned, this problem would go away. I responded by suggesting a better approach, namely to help the staff deal with these challenging callers, and to speak with those callers and their supervisors. In addition, I pointed out the possible unintended consequences of this policy: that the help desk analysts might become more reluctant to answer ANY calls at all.
So it is with the users who circumvent IT. It’s wrong, of course. However, remember that there’s a possible business reason for why they’re doing it. Consider talking with them to find out their needs. In particular, be creative and try to come up with alternative solutions that allow them the information they need, but which still leave your security infrastructure protected.
In conclusion, while the customer isn’t always right on security, perception is often reality. I sure want them to feel good about the systems, people, processes, policies and networks being deployed to protect their people, systems, processes, networks, products and information. We need to patiently explain the options and the risks to the business, and they need to make the goals and potential benefits clear to us as well. Our vendor partners who offer security services learned this lesson as job one a long time ago. We need the same approach when working with agency customers.
Over time, good security service is good customer service. We are custodians of their data. We need to get buy-in on the security approach. Excellent customer service includes two-way communication at every stage of the process. Building trust between the security team and business areas is what we do.
Any thoughts or stories to share on excellent security customer service?
April 9, 2012 By Dan Lohrmann
Every manager has a day like this at some point.
It was in late spring of 2009, and I was having one of those “open and honest” conversations with my Infrastructure Services (IS) Leadership Team regarding how things were really going with internal organizational relationships. I had moved over from the Chief Information Security Officer (CISO) role to become the Chief Technology Officer (CTO) a few months earlier, and this was the moment that I later declared to my wife that my “infrastructure honeymoon period” was officially over.
How did I get to this point? You know the drill. My boss wasn’t happy with certain projects that were running late. I needed to get to the bottom of the situation. I assembled several direct reports and my project management office leaders for a “clear the air” meeting. I wanted to know why various schedules and deliverables were in their present state. How did we get into this mess? Why were certain projects on track while other areas seemed to be treading water? What was holding up our progress?
Yes, I did my homework and was well-prepared for the meeting. I delivered my 10-minute “opening speech” perfectly. But after I was finished, I was not prepared for what came next.
After a long silence, one person spoke up, “You’re not going to like the answer because of your previous role. It’s complicated, but one of the biggest reasons is security…. There are other problems as well, but we can’t nail down the technical architecture with security holding things up….”
[Note: At this point, several respected project managers provided specific details and examples of the difficulties. This went on for another 10 minutes or so. Listening to this was painful, humbling and a far cry from where I expected the conversation to go.]
I responded defensively: “Let’s back up a minute. What do you guys really think about our security organization? Forget that I came from there. I have thick skin. Tell me what you really think….”
Oops, I had inadvertently opened up Pandora’s box. Like popcorn, the answers started flying from around the room…
“Security always says no.”
“Security doesn’t offer us options.”
“Security has a chip on their shoulders.”
“We don’t really know them – very well.”
“There are a few superstars, but overall they’re a bottleneck.”
Eventually, the guilt started kicking in as the faces dropped around the table ….
“Well, it’s not all their fault, we know they want to do the right thing.”
“They are passionate and care about protecting us. But … you know….”
“It always seems like we’re in WIN-LOSE or LOSE-WIN situations and rarely a WIN-WIN with security.”
Wow… I wasn’t expecting this…
Over the next few months, I thought quite a bit about that conversation. That meeting exchange eventually compelled me to write the CSO Magazine article: “Why security pros fail (and what to do about it)” about six months later. You can see the same material in this slide format as well that I used to present at SecureWorld and MS-ISAC conferences over the past eighteen months.
Looking back, I can see so many blind spots that I had in both my CISO and CTO roles. (No doubt, I have new blind spots now as CSO.) One of the biggest lessons was this: Every part of ICT organizations must have a customer-service attitude and perspective to succeed. Working out the details of what that means is a difficult, but essential, exercise that we all must go through.
No doubt, there are obvious aspects to customer service, but it takes much more effort to exceed expectations in the way that David Behen described in his hotel customer service experience, which I recounted in my last blog. That kind of experience doesn’t happen by accident, and I’m sure that an enormous amount of thought and training went into the approach that was used by that hotel.
So how can this customer service theme work for security professionals? Here’s a summary slide from my CSO Magazine article on overcoming security career obstacles:

If you’re a security pro and you’ve never seen this material before, I urge you to go back and read that CSO article or the longer blog series. If you really care and desire to improve, it’s going to take perseverance and a disciplined approach. As we discussed last time, customer service is everyone’s responsibility. While we never fully “arrive” at customer service perfection, we can all strive to improve this area of our security team leadership.
We can also strive to be “lifetime learners,” and not only in matters related to new technology and security developments. Here’s an excerpt from the series on problem 7:
“We all need to learn the power of the Pareto principle, which states that 80 percent of the effect of our work comes from 20 percent of the causes. In John C. Maxwell's book Leadership 101: What Every Leader Needs to Know, he describes the power of the Pareto principle at work. Here are a few examples:
- 20 percent of your time produces 80 percent of your results.
- 20 percent of the people take up 80 percent of your time.
- 20 percent of your work gives 80 percent of your job satisfaction.
- 20 percent of the people will make 80 percent of the decisions.
- 20 percent of the presentation produces 80 percent of the impact.
Maxwell goes on to point out that we need to develop skills in four areas to be successful and maximize our effectiveness: attitude, relationships, equipping and leadership. But many security pros have given up trying to improve at all, or only work on improving technical skills.”
Without this broader customer perspective, security is nothing more than a roadblock. The sad truth is that roadblocks eventually get removed one way or another, once they have served their purpose.
Next time, I’ll wrap up this mini-series on security customer service with some thoughts on balancing easy-to-use business functionality and security controls that likely slow users down. Or put another way, can IT security actually introduce risk by being too controlling rather than a team player?
Do you have any thoughts or examples to share on security customer service?
April 2, 2012 By Dan Lohrmann
It was a warm Friday morning for March in Michigan, and the Williams Auditorium was packed with government technology supervisors, managers and directors within state government. Several hundred people had gathered for a second morning to hear the results and ask questions regarding the recently completed Gartner study, which covered all aspects of Michigan Government’s Information, Communications and Technology (ICT).
This comprehensive Gartner study took over five months to complete. Their analysis examined people, processes and technology and benchmarked us against other states and the best companies in the world. (Yes – cybersecurity was included in this “As Is, To Be, Gap Analysis.”) The day before, Gartner representatives presented the good, the bad and the ugly regarding the current situation. Now came the part that everyone was anxiously waiting to hear – what did the future hold for Michigan government ICT? What were the new recommendations that would likely change our direction?
But before Gartner came forward, our leader, Michigan Chief Information Officer (CIO) David Behen, kicked off the morning with a motivational introduction that signaled what was to be the theme of the day. “Our customer service must improve.” Here are some (paraphrased) excerpts from what our CIO told us.
“Tough game last night.” (Michigan State had lost in the ‘Sweet Sixteen’ round of March Madness and everyone moaned.)
“Did anyone remember the question that I left you with yesterday? What was the best customer experience you’ve had in the past month?”
Note: a variety of people in the audience gave customer service examples. Some stories were funny, some inspirational, some not so good. David told a story about his great stay at a hotel in Washington DC, and how they had helped him in many (quite remarkable) ways. They had even sent a dress shirt back to him when he left it in his room. He was amazed at how they went the extra mile and exceeded his expectations.
David Behen continued, “But the reason I asked each of you that question is that our number one organizational issue is improving customer service! Yesterday, we heard a lot of things, but our top priority is better service delivery and being innovative with 21st Century technology solutions that demonstrate business value to our customers.”
Next, I wrote down some of the key phrases that were repeated over the next ten minutes. Here is a brief summary:
- This study shows that our customers expect more. This process is all about improving customer service.
- I’m excited (David Behen said) because we can fix several weaknesses with better communication and better alignment with customer needs.
- We need to share what works beyond our normal boundaries and use technology tools that work best (with local governments, the federal government and other state governments).
- We need measurable results. We will be metrics driven.
- We must bring down our legacy application costs – we can do better at replacing old systems. Think about total cost of ownership and system lifecycles.
- We will listen to our customers more effectively. We will realign to meet clients’ expectations and citizen-centric opportunities.
- We need a “can do” and “will do” attitude from each of you. As Governor Snyder says: “We seek relentless positive action.”
- Transparency and accountability will be even more central.
- We need leaders! If you’re not willing to lead by example, perhaps you’re in the wrong job or wrong organization.
- Our new organization will have more matrixes – requiring improved, open, honest communication.
- We need to be enabling, innovative and trusted partners.
- Cultural change starts with us.
- We will have one service catalogue which is easy to understand.
- Decisions will be based on return on investment (ROI) and total cost of ownership (TCO) – with better project management to highlight soft and hard benefits for customers.
- Procurement processes will be streamlined for better overall value and efficiency.
I could go on, but I think the list provides a pretty good summary of the overall picture. Key words that kept coming up were customer service, communication, innovation, enabling, sharing, service catalogues and measurable results based on metrics. None of these words were a surprise, but now they had a more specific meaning and detailed projects associated with them. The response could no longer be: how?
What was obvious to everyone from the results was that we were an efficient and technically proficient organization – no surprises in what we were doing. However, we were not as effective as we could (or needed to) be due to a lack of customer focus and alignment. Our infrastructure and security benchmark numbers were generally good, but we were not as good at addressing our clients’ expected outcomes and especially two-way communication.
Perhaps you’re wondering, what does any of this have to do with security? How does cyber fit into this equation?
Well… that’s exactly why I’m writing this piece – along with the next two blogs – on this topic. Security is a part of the enterprise and exists to serve customers as well. While security was not specifically called out by CIO Behen, we are a part of this organization. We need to be aligned with the same focus and mindset as the rest of our department. We are a part of almost every government process – and we exist to help achieve the same overall goals as our technology partners.
Bottom line, customer service is a priority for security pros too!
If customer service is not our priority, our organization will fail. Cyber is not on an island separate from any of the topics that our CIO described. Rather, cybersecurity is an integral part of every aspect of government ICT – and we sink or swim together. We have a seat at the table, and we are part of the team.
I know that these are not the words and terms generally used to describe the role of security within government organizations (or any business organization). No doubt, some of you are thinking that this sounds nice, but how does it work out in the “real world?” How can security be customer focused? How can security be enablers of innovation and not the disablers of cloud computing or mobile services or other technologies? What does this look like in practical terms?
These questions will be my focus next time. But for now, it starts with our attitudes. At the end of the morning, I recommitted to providing my colleagues with excellent service – the kind that David Behen experienced at the DC hotel, if possible. This won’t be easy, but it is essential to improve.
What are your thoughts on how security teams can provide excellent customer service?
{Note: the results of the Gartner study mentioned in this blog will be released to the general public later in April, 2012}
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.
