Gizmodo has an article out that outlines the status of Bring Your Own Devices (BYOD) at the White House. Namely, that Chief of Staff John Kelly has just banned the use of all person cell phones. Coincidentally, this action came at the same time as the new book Fire and Fury about the Trump White House and the goings on there for the past year was released to the public.
The Gizmodo article outlines a series of missteps related to the use of personal mobile devices and for the most part I agree. However, when the author states, “The upside to today is that the new White House ban on personal phones is actually a step in the right direction” I have to take some exception to this as an Information Security leader. Not because, as the article points out, the younger staffers are upset that their parents can’t text them, but rather because mobile devices are an embedded way of life in today’s business world and there are a multitude of high value target companies out there that have found ways to securely make this work (to include my own, McAfee). Banning devices, rather than finding ways to integrate them securely into operations, is not the answer in my opinion in almost all cases. As I’ve said elsewhere, our job as Information Security professionals is to find a way to say “yes” securely, rather than saying “No”.
To be fair to Kelly though, simply banning the outright the use of mobile devices likely was the result of the White House CISO being fired and nobody put back in his place to formulate a reasonable policy backed up by Information Security technology and strategy, or it was simply a knee-jerk reaction to the release of the book that likely would have occurred even if the CISO had been in place. So where does the White House go from here? It’s almost assured that the President, being an avid user of Twitter, will continue using his device and because leadership by example drives organizations, the staff will soon follow and within days or weeks this will likely become a distant forgotten news item as the reins are loosened.
The WH will continue to be technologically insecure until best practices are carried out from the top down, proper information security leadership is put in place, strategies are formulated and enforced and more than just talk occurs.