Sam Curry of RSA

A PC, Mac, iPad, Android, BlackBerry, and Nexus 7 all sit on Sam Curry’s desk one afternoon while he works from home. Though not everyone has access to such a range of mobile devices, this lineup offers a glimpse at the diversity of devices people now use to work.
Curry is CTO of Identity and Data Protection at RSA, a firm specializing in information security. During a phone call last week, he said that all the devices on his desk provide connectivity for his work at RSA, each with its own unique set of capabilities and limitations.
Smartphones and tablets offer many conveniences, but one of their not-so-handy features is that they are porous. These devices each connect in a variety of ways, which expands the number of ways they can be hacked.
“The explosion of apps and different ways of connecting is staggering. If you pick up a mobile device, it’s not like a PC in that it’s on one network,” says Curry. “This little phone in my hand has two baseband processors, near field communication (NFC), RFID (radio-frequency identification), Bluetooth, GSM (Global System for Mobile), Internet, Wi-Fi—it’s connected seven or eight different ways concurrently.” That means there are seven or eight different ways to enter Curry’s network through just one phone.
Despite the lingering threat, bring-your-own-device, or BYOD, is becoming common in many work environments. It is something Curry says companies must accept, especially because for many of the young, skilled multitaskers entering the workforce, using their own devices is part of the way they work, and non-negotiable.
“I bet in the future that the notion of BYOD as a term will seem odd. My advice to companies is don’t think of this as an exception in your IT infrastructure; think of it as the new normal,” says Curry.
He notes that the biggest BYOD challenge is that many mobile devices do not lend themselves to tight security. “They haven’t yet finished evolving a set of features like desktop platforms have, that can be hooked by security and controlled.”
According to Curry, companies can no longer rely on rewriting their IT policy every few years. “You’re going to have to come up with a mature policy,” he advised.
Before building a plan for BYOD, Curry says companies should step back to examine their overall IT strategy and security outlook. Some important questions: What are we trying to protect? Who are we afraid is going to come after us? What pathways will they take?
But instead of thinking of security as a checklist, Curry thinks companies should move to be more adaptive, with additional investment in intelligence and analytics, as opposed to taking preventative measures like employee education, firewalls, and antivirus programs, which are often more heavily funded. “If you have an ounce of intelligent security…it would change the whole game,” said Curry, “and you may find you don’t need some of those checkboxes, long term.”
Curry advises companies to run exercises to help decide which parts of a system must be reinforced first, to look at outside data about potential attackers, and to focus on the parts of the system likely to be attacked first. He says it takes days and weeks for a company to be hacked, and that while there are tools to help find evidence of an attack, being able to assess the threat before it happens is essential to stopping it. “If you had a good BYOD policy and you have nobody manning the monitors, and no response team, and no intelligence capacity, and no pattern recognition, then what’s the point?” he asked.
He recommends businesses treat their BYOD strategy like a product, and that focus groups where employees demonstrate how they use their devices are useful. This creates a good baseline for deciding which tools should or should not be offered, and in combination with which employee devices. Clearing these offerings and restrictions with senior management is another essential, according to Curry, who said he often sees companies come up with a good BYOD strategy only to have it turned down by the CEO, because, for example, he or she wants to view sensitive documents themselves on an iPad.
Curry also says many businesses do not need an in-house team for building a BYOD strategy. It depends on the size and type of company, since some businesses tend to be more heavily targeted than others. For smaller businesses in less vulnerable industries, Curry suggests hiring an expert consultant or service provider.
Though desktop computers may remain part of the work environment, Curry said he thinks that mobile is where innovation will happen, and that companies should be gearing up. “The new cutting edge of computing will come on these devices and that will be the most exciting and interesting thing we all want to work with. So figure it out now.”