Two of the big areas of concern around the consumerization of IT and BYOD are security and compliance. Whenever I start talking about users being able to do whatever they want, or users bringing in their own devices, people in the audience consistently bring up questions around these topics.
A lot has been written by actual security professionals on the topic of "security versus compliance," so I'm not going to get into all of the details and analysis of that relationship. Rather I just want to look at how the two issues relate in terms of the consumerization of IT.
When it comes to consumerization, I can summarize the relationship of compliance and security with the following Venn diagram:
Fig. 1. The Venn diagram of "Compliance" versus "Security"
People have long argued that if you're secure, then you're compliant, but I don't buy that (especially in the context of consumerization and FUIT). There are just too many weird things in the compliance world that have nothing to do with security anymore.
It's easy to understand how we got here. The problem on the compliance side is that the regulations were written at very specific times and now describe concepts and best practices that are ten or twenty years old. It would be great if the regulations were written like, "You must be secure." But that's a subjective statement that's impossible to audit against, so instead the regulations have to be specific examples, for instance, "You must use AES-256 encryption on your laptops," since that's easy for an auditor to look at and then check "compliant" or "non-compliant" on the audit form.
Being compliant while not being secure is evident in this photo. (I don't know how to attribute it as it's all over the internet and I can't find the original source.)
Fig. 2. This gate is compliant
I'm sure that the gate in the photo above is compliant with whatever regulations cover gates. It's the right height. It has barbed wire across the top, so it's the right level of security. Whoever ordered it probably said, "We need to restrict access to this road," so they consulted the regulations, which said, "You secure a road with a gate. The gate must be six feet tall, made of metal, etc." So they went and had their gate built. And this gate would even pass an audit, because the auditor would consult the same regulations as the people who built the gate. "You need to secure a road. The book says you need a gate. Let's see... Yep! That's a gate of the proper height with the right amount of barbed wire! Here's your compliance sticker."
Let's be honest, it's really about cost
So far most people reading this probably agree with the sentiment of this article. So what's the big problem? Like everything, it always comes down to money. Companies only have a finite amount of money to spend on IT (and IT security), and when it comes down to it, you are legally required to spend the money to be compliant. But do you have to spend the money to be secure? No! (I mean just cross your fingers and hope you don't have a breach, and if you do then blame someone else and get a job somewhere else.)
It's easy to spend money to be compliant. You buy X product to solve the "256-bit AES encryption" requirement of laptops, you buy Y product to enable "two factor authentication," you buy Z service to hunt for simple passwords. Those expenses are predictable AND you stay compliant. Score!
But how do you protect against FUIT and the greater unknown threats? Earlier this week I wrote an article describing how to rethink network and device security. While many people agreed with the general idea, some didn't like it because it was more expensive than the current approach. (By a lot!) I argued that to truly be secure, you have to do things like use an SSL-VPN for all your users (for all devices, on-premises and off), and you have to buy more advanced networking gear (each user on his own VLAN) and more advanced wireless gear (four devices per user). How much does all that cost?
It's way easier to ignore all that and to just buy the minimum you need to be compliant. And if you have to buy two million of your customers a one-year subscription to a credit score monitoring service since a user brought in their own device and saved that info into Dropbox, then that's fine. Your defense is that you were compliant and you fired that employee. Problem solved!