One of the big things I hear IT people, especially at larger organizations, discuss is the idea of BYOD or “Bring your own device.” Naturally, the first question is, how will this affect security?

Let’s cut to the chase. Can BYOD be done and maintain security? Yes. Will you ever be able to do it? NO.

The problem is a simple one: management of exceptions.

While BYOD conceptually is fairly straightforward, the reality is an absolute mess. Any BYOD effort will rapidly degenerate into a management of exceptions. And this will eat up time. A lot of time. Every one of the infinite perturbations that could exist, will. And each will demand the time-consuming process of tweaking the controls to allow for all these exceptions.

Naturally, management will get frustrated and want to bypass all the controls, because, well, they’re management and they get to do whatever they want. And then the business units will start complaining that the security controls are slowing them down or causing rabies or some nonsense. And before you know it, all your grandiose controls that you probably paid a zillion dollars for – will be dismantled and useless because the business won’t allow for the complexities of managing the exceptions.

The brutal fact is – BYOD does not work in the context of security. As a purely business concept, it has merit. But imposing security in a BYOD world is essentially impossible.

I’ll hedge my bets here and say this could change with advancements in security controls and operating systems. But, I doubt that will happen soon.

So, when your CIO says, “We are adopting a BYOD approach to IT,” take the intelligent route and answer: “Great! I’ll be quitting this afternoon to go work at a place where IT management is not insane and setting security up for massive, epic failure.”

Andrew Plato

Anitian – Intelligent Information Security. For more information please visit