I poisoned the fish . . .

Too many years ago now, I had the most unusual professor teaching my freshman marketing course.

He was unusual, not simply because students could pose a silly question to him at the start of the class and he would talk about it for the duration of the class, thus avoiding any possibility that he would actually lecture on the course topic or spring a pop quiz. He also had a very unusual way of solving problems.

One Friday about midway through the school term, he spoke to the class about a problem with which he was ‘struggling’. He told us that he owned a large farm in eastern North Carolina, and on this farm he had a pond (e, i, e, i, o) teeming with large-mouth bass. Notwithstanding the fact that he didn’t fish, nor did he have any family members who fished, nor friends who fished, he erected a fence to prevent people from fishing and posted “NO FISHING” signs in prominent view all around the pond perimeter.

Despite his best efforts, however, each time he went to the farm and visited the pond, the “NO FISHING” signs were gone and there were people happily pulling large-mouth bass out of his pond. He would shoo them away, of course (the people, not the fish), and put up new “NO FISHING” signs. This went on for months, and the silly question “Have you solved the problem of people fishing in your pond?” became one of the most popular ones used each Friday to divert his attention from teaching the class or giving pop tests. Until one Friday, when he announced, “Class, I have solved the problem of people fishing in my pond . . . I poisoned the fish.”

An effective approach? Most definitely! Draconian? Uh, yeah. Optimal and forward-thinking? Hardly.

At this point, you might be thinking, why are you recounting this true (hand-over-my-heart), yet discomforting, story?

Simple, really . . . because as the CEO of a company that operates in the security industry – more specifically, mobile security for the enterprise – when I see what competitors are doing to address the issues of enterprise mobile security, I can only think, “They’re poisoning the fish.” They are taking the “traditional”, draconian approach to mobile security – lock up, lock down, tightly wrap, brick the phone, deny access, bury it in a sandbox, put stuff in a container and don’t let it out! What I call the “I poisoned the fish” approach.

So, rather than asking me “why are you telling me this?”, you should be asking “why is this the case?”

It’s because the “fish poisoners” (who will remain nameless, but their initials are MDM) are selling legacy solutions, originally built to configure, manage and support devices, that were never intended to provide control over the mobile apps or data on those devices. Information Week said it best in their October 2012 article “40 BYOD Vendors, One Confusing Market”: “Vendors hate being told that (their) marquee product is not a great match for customer needs. But that’s the reality today in the growing mobile device management market, as IT teams try to use software meant for managing mobile devices to secure the data on those systems.” The article went so far as to accuse MDM vendors of “slapping new names on existing products, without adding a whit of new functionality as they scramble for advantage in the market”. I see evidence of this regularly as I chat with customer prospects about what we do versus MDM vendors – a state of confusion that the MDM players happily promote in their marketing collateral. Dumb ole fish poisoners!

But, enough about them. SpydrSafe has created a unique approach to the problem of protecting sensitive enterprise data on smartphones and tablets – an approach architected using a clean sheet of paper (actually a whiteboard), one we thought very long and very hard about before we wrote a single line of code, and one that was purpose-built for mobile security. We manage how mobile apps access, use and share data on Android and iOS smartphones and tablets. We are the only company in the market that can manage any app, but we use a finely-crafted, granular approach to security that addresses ONLY those apps that are important (as defined by the enterprise security manager) – the ones that enterprise IT cares about, the ones that obtain access to its sensitive data.

Thinking back on the time I spent in marketing class with my most unusual professor, I can’t help but believe he would be proud to know that not only did I learn a bit about marketing, despite my and his best efforts to the contrary, but I was also able to make a present-day connection between his “I poisoned the fish” problem-solving methods and the goings-on in my market. Hmmm . . . I wonder if there’s a way for me to do the same with his often-told anecdotes about his “two-ton limousine” – but, that’s another story completely.

Take a look at what we’re doing at SpydrSafe . . . we’re Mobile Security for the Enterprise . . . I promise we won’t poison the fish.




Legal Considerations of BYOD for the IT Pro

Take My Wife . . . Please! Okay, so it’s an old joke. And, I’d venture that many of you reading this may not understand my reference to Henny Youngman, dubbed “the king of the one-liner” by Walter Winchell. In fact, my own CTO admitted that he had to google the phrase to understand it. But, I digress.

So, why did I pull this out of the “old joke archive” to introduce a blog about the legal aspects of BYOD? It’s simple, really. It’s because in the world of BYOD, there is a lot of FUD being spread around about what enterprise IT can or will do with your personal data, all in the interest, of course, of selling you software that protects you from this problem . . . oh, wait, um, protecting your privacy and making sure you don’t lose that photo of Sally’s last lacrosse goal or that video of Johnny’s recent piano recital. So, I’ve stepped back up on my soapbox to say, “Stop with the FUD about how your personal data is going to be ‘owned’ by your employer, and let’s talk about an aspect of BYOD that doesn’t get enough attention – legal liability.”

Before I go any further, my legal advisor (aka, me) requires that I provide the following disclaimer: “I am not a lawyer, and my comments are NOT intended to give legal advice or to replace the advice of your legal counsel.” That said, here are some thoughts on the legal aspects of BYOD.

To begin, BYOD is here already and it’s here to stay – whether you want to admit it or not. So, if you’re a corporate IT/security professional and you’re not proactively dealing with employee-owned devices as part of your day-to-day responsibilities, you’re needlessly exposing your company to increased risks with legal ramifications.

Don’t believe me?

Following is a partial list of Federal laws and regulations which directly impact BYOD – the Health Information Portability & Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Gramm-Leach-Bliley Act (GLBA), the North American Electric Reliability Corporation and the Federal Energy Regulatory Commission. A number of state-enacted laws and regulations have similar requirements.

So, what’s a corporate IT security professional to do? Well, there are a number of things:

  1. Set policies and standards around what comprises acceptable devices, networks and service plans, how to configure and enroll acceptable devices, and the support parameters. This should happen BEFORE allowing BYOD to the extent possible (or, you may find yourself with the same problem IBM had a few months ago when, after OK’ing BYOD, they subsequently discovered that 100,000 employees were using Dropbox to store company data).
  2. Define security standards such as the minimum security required to access corporate networks, authentication parameters, how to deal with (and report) lost passwords and lost devices, and what to do when an employee leaves the company.
  3. Define privacy standards. Specifically, make it clear that, by policy, corporate data (what’s important to corporate IT) is segregated from personal data.
  4. Monitor compliance with established policies and standards.

BYOD does not have to expose the corporation to unacceptable risks if corporate IT/security administrators take straightforward actions to minimize them. These actions include, among other things: an assessment of how BYOD users will use their devices and identification of the possible risks associated with the individual use cases; implementing security policies, keeping them up-to-date, and making employees aware of such policies; using easy-to-comply-with, easy-to-administer security technologies; and monitoring compliance with policies, with appropriate remedial actions taken when non-compliance is discovered.

Oh, and just to re-emphasize my earlier premise: I don’t want to see the photos of your family vacation, videos of your kids doing the Harlem Shake or, God forbid, “cute” pictures of your cat. Your enterprise IT security professional doesn’t want to either.