A Primer for IT CIOs
By Vanessa James
Like it or not, BYOD (Bring Your Own Device) is becoming more entrenched in today’s IT business culture.
In turn, it may be safe to say that this rapid shift has caught many managers within the industry off guard, at least to some extent, for along with BYOD come unique security issues and concerns. Training new employees on the “dos and don’ts” of their personal mobile devices, and on the security and financial implications associated with this ever-growing phenomenon, is an important and essential facet of the IT enterprise.
Now that the IT industry is gaining a better understanding of BYOD and the threats and shortcomings associated with it, having well-defined and developed training protocols can be an effective tool to prevent the problems from occurring in the first place. Proper training may also allow new employees the opportunity to begin their work without trepidation or fear that an error on their part could lead to revenue or data loss or some other calamity associated with BYOD security.
But where does the training material come from, the actual written material discussed with new hires in a classroom setting? The answer: ‘in-house,’ as most enterprises have plenty of knowledge and know-how to address and alleviate the security issues commonly encountered with BYOD. Just as ‘Best Practices’ are developed and implemented, so too should training curricula be.
However, it is increasingly important that written instructions and how they are delivered in the classroom are well-developed and as easy to understand as possible. Poorly written instructions can cost IT businesses time, money, and customers and may do less in terms of neutralizing the threats associated with BYOD than they are designed to.
The following guidelines will help you get started writing well-organized, clear-cut instructions to address the BYOD phenomenon and its implications for the enterprise.
Organize the Information and Explain the Overall Goal
Explain to new hires in no uncertain terms what IT companies face regarding BYOD, the reason behind the training and why it has been initiated.
Provide timelines as to the rise of the phenomenon and how it relates to the performance of job duties and company productivity today.
Discuss in detail the company’s ‘Mobile Device Security Best Practices’ (determining how the device is used, i.e. business v. personal, and separating each; what policies are in place and why; monitoring of devices; security controls on devices, etc.) and make sure that the information is in logical order, easy to follow and flows easily from section to section. Use bullet points and numbers to mark each step.
Discuss the newly emerging BYOD “threat landscape,” the nature of each individual threat (malware, SMS spoofing, etc.), how each is manifested (lost devices, downloading disingenuous apps, opening infected e-mails, etc.), and by whom and for what purpose. Examine the impact these threats can have on day-to-day functions like database performance, disparate software, etc.
Focus on what the employee must do to comply with company best practices. Highlight the information the training officer must provide to ensure that they will be successful and that the end result–eliminating the potential for security issues facilitated by the use of personal mobile devices–will be achieved. This will help ensure that only information directly related to the instruction is included.
Consider providing some BYOD “horror stories” to illustrate the depth and magnitude of what can happen when security threats are allowed to take hold due to improper device management. Describe the repercussions and implications of carelessness and exactly what these actions can do to the company financially and emotionally. While not everyone agrees with the “Scare Tactic” model, it can be effective in driving home the point and illuminating the need for diligence.
Do Not Omit Steps and Be Exact
To ensure that instructions are complete, include every step in eliminating threats along with supporting information such as definitions, standards, explanations, and examples.
Provide all of the relevant information needed to achieve the end result. For instance, if instructions call for using specific tools, security controls, firewalls, etc., list this information in detail.
Discuss which devices are acceptable in the workplace and why; define access policies (for example, requiring employees to agree to password-protect their device as a prerequisite to accessing corporate information); examine what support channels are available (like help desks, the cloud, etc.) and how best to access and utilize them; and address the regularity and importance of monitoring and reviews, the use of software and what it provides, etc.
Having an understanding of your audience will help you determine how much information to include. For instance, instructions about the intricacies of management software would be written differently for people who have never used the software than for those who have.
And finally, simply encouraging employees to take ownership of BYOD and use common sense while using their device on the job is likely one of the most important pieces to the BYOD puzzle.
Keep It Simple and to the Point
Whenever possible, use short, concise sentences, even for those new hires with a thorough background in IT, technology, gadgetry, etc. Long, wordy sentences can make instructions confusing and can complicate the point or message.
Take Your Time
Once the instructions have been written, you should take the time to thoroughly review them. Put yourself in the position of the trainee and follow the instructions, guidelines, etc. as if you were the one being educated.
It is also good practice to ask someone else to follow your training curriculum to determine if it is complete and inclusive of the most cogent points. Testing it will help you identify and eliminate inconsistencies and vague or irrelevant information, and add other variables that can make your training not only informative but more engaging, interactive and less dry.
By being proactive in assuring that new hires get off on the right foot regarding BYOD security, CIOs, managers, etc. can respond effectively to the BYOD phenomenon and all it entails. This could mean the difference between an enterprise staying at the forefront of the industry, with little to no downtime, performing the services it was designed to, or wallowing in a sea of uncertainty, discord, and inevitable financial and emotional expenditure brought on by something as simple as leaving a mobile device in a taxi or downloading a disingenuous app.
Vanessa James is a professional business technology blogger, writing about CIO leadership and issues facing the business technology sector. She is published on TechRepublic, IT Manager Daily and The Higher Ed CIO blog. She currently writes for database performance monitoring provider Confio.