3250

What’s small, shiny and keeps CIOs up at night? The CEO’s personal devices.

CEOs are like every other employee. They love tablets, smart phones and apps. The glaring difference is that the CEO’s personal devices put the company at much greater risk than the gadgets of virtually all other employees combined. CIOs must  include chief executives in conversations as they grapple with putting BYOD security policies and procedures in place.

Many CEOs criss-cross the globe carrying the company’s most sensitive information—trade secrets, delicate details about employees, financial projections, etc—in the palms of their hands. At any given moment, the CEO could lose her data-laden device on a plane or in a coffee shop. Or possibly, a hacker on a mission to harm the company intentionally swipes the device’s information when the CEO isn’t looking.

If those risks weren’t enough, there’s also the potential for the CEO to lose her precious personal files by forgetting a password or unintentionally mishandling information.

Take what happened to the CEO of an email management provider recently. He was vacationing with his family when his five-year-old tried unsuccessfully to access Dad’s smartphone five times. The firm’s Mobile Device Management (MDM) system kicked in and wiped the CEO’s vacation pictures. Luckily for the CIO the CEO couldn’t blame anyone but himself since he was instrumental in setting the company’s BYOD usage policy.

In this instance, the CEO-sanctioned system erased pictures in the event the device was compromised because employees often take pictures of their whiteboard brainstorms. This is an example of where a business decision to guard trade secrets had a personal impact on the CEO that he probably didn’t anticipate.

These devices are extremely risky to the company and personal to employees. So it’s crucial that CIOs have meaningful conversations with employees, including the CEO, about the responsibilities of managing their own personal devices and the ramifications of BYOD usage and security policies and procedures. (see Building a BYOD Ready Infrastructure) CEOs often get special privileges, but CEOs certainly shouldn’t be allowed to muscle exceptions to BYOD rules or miss the opportunity to have a say in shaping the company’s security strategy.

Scenario planning using real-life possibilities and demos helps IT paint a vivid picture for senior leadership and employees about the risks of BYOD. My colleague, Jim Guinn, stresses the importance of employee education to protect the business and the personal interests of employees in his new cyber security video.

You have to educate people on what they are doing and what their exposures are. Not only to the corporation: You have to teach them what the risks are to them personally. It’s all about training and education and tying them to real-world issues and incidents.

Mike Phillips, CISO, CenterPoint Energy, agrees: “People get very upset if you change the functionality of their device. And the reality of it is if you are going to put something on it like a secure container or encrypt the email you might have to change the email client and the minute they connect with you you’ve changed it.”

You can view the entire conversation between Jim and Mike here.

The last thing a CIO wants is to upset or frustrate the CEO. Or worse, fail to protect the organization from the obvious risks of BYOD. Make sure the CEO understands exactly when IT will be accessing his device, for what purpose, and what could happen as a result. Make sure she is backing up her files and knows what will transpire if the device is lost or stolen. Giving the CEO a heads up and ongoing guidance will avoid heartbreak and headache.

Have you had the “BYOD talk” with your CEO? Share your best practices and concerns below.

Image shared by allensima

3250