Infosec for everyone

BYOD - A fairy tale for a four letter word...

Posted on: 08-Aug-2012
Author: cmk
OK, I HAD to write this one. Wherever I go these days, people seem to be using this four letter word. BYOD - Bring Your Own Device, seems to be the latest buzzword in the IT and info-sec world these days. As usual, I will try to take a practical view of BYOD with a fairy tale. (After all, this blog is practical info-sec.)

Once upon a time, long long ago, a mobile phone was used to make calls and send text messages. It made people’s work easier. Slowly, people started using mobile phones at work. Meanwhile, in unconnected events, emails became ubiquitous and everyone had email addresses. A smart company decided to combine the two and come up with a mobile phone that could do email as well. They were bulky black devices with a QWERTY keyboard. These became an instant hit with organizations. They decided to buy these little black devices in bulk, have the servers set up in their office and allow their best and brightest instant access … and everyone lived happily ever after.

Wait! This is not how it ended. In fact, it has not yet ended.

As years passed by, the big bulky devices remained big and bulky. Meanwhile, a fellow in a turtleneck held a conference where he showed a white phone with no keyboard. It was a great looking device that everyone took a fancy to. The big shots in all companies said, “I must get myself one of those,” and they did. They carried around two phones for a while. One was the big bulky QWERTY phone and the other was the great looking no-keyboard phone.

The company big shots, smart people that they are, started to realize all is not hunky-dory with carrying two devices. First, you do not have too many pockets left. Then you have to carry around multiple chargers, multiple SIM cards and multiple numbers, pay two bills, and there is general mayhem when you cannot have phone numbers synced on both devices. There was a murmured undercurrent.

“I want to use my smart looking new phone, but my company gives me this bulky phone.” They would go to their IT team and ask, “Can I use this phone instead of that one?” The answer was always a no. “There is no reason for us to do that. It will not improve productivity in any way.” The murmurs grew quiet.

The fellow in the turtleneck, however, could not sit still. He held another conference and showed a large phone-like thing. It was much larger than a phone (not thicker though) and it could do many cool things, like video conferences (in large screen mode), had a battery that lasted longer than all phones and gave a laptop-like experience for mails and internet surfing. The big shots again were taken in. They got themselves one of those as well. However, the IT guys still refused to let them connect it to their own company. The new device was at risk of being used only for entertainment or personal mails.

The urge to show off this device grew in the big shots. The murmurs, quietened earlier with the ‘no productivity change’ reason, grew again. “Look how great I can make this presentation look with the new device. I don’t look cool with my laptop at the airport anymore. It increases my productivity on long drives and flights.” The arguments grew stronger, until the final nail in the coffin was, “If I buy this device myself, look at the amount of money you would save by not giving me that bulky QWERTY phone. I can use this new shiny one that I always wanted to.”

In their heart, the big shots knew that their argument was flimsy. They decided to involve the general public in this as well. “We want to use shiny new gadgets. You can buy shiny new gadgets and bring them too. We will call it employee comfort, and moreover say it will save additional costs. You scratch my back and I will scratch yours.”

“Now all we need to do is get the info-sec guy to write a policy that makes it seem all good and secure and we can live happily ever after.”

THE END.

Like all fairy tales, I expect that once you grow up, you will feel silly about the entire story and say, “Why can’t the company buy this and give it to the big shots if it is really necessary? The company will own it, control it and be able to protect their own data without infringing on the privacy of any individual. In the long run, this seems more reasonable and cheaper than building skills for so many devices and not owning or controlling them!”