The complexities of simplification

From a worker's perspective, BYOD is 'simply' about being allowed to work on his/her own ICT devices, rather than having to use those owned and provided by the organization.  What difference would that make? It's straightforward, isn't it?

Good questions! There are numerous differences in fact, some of which have substantial implications for information risk, security and privacy. For example, ownership and control of the device is distinct from ownership and control of the data: so what happens when a worker leaves the organization (resigns or is 'let go'), taking their devices with them? Aside from any corporate data on the devices, they had been permitted access to the corporate network, systems, apps and data.  The corporate IT support professionals had been managing the devices, and probably had access to any personal data on them.  Lines are blurred.

In a similar vein, IoT is more than just allowing assorted things to be accessed through the Internet and/or corporate networks. Securing things is distinctly challenging when the devices are diverse, often inaccessible and have limited storage, processing and other capabilities ... but if they are delivering business- or safety-critical functions, the associated risks may be serious.

The complexities beneath the surface make this a challenging topic for security awareness: we need to help workers (general staff, managers and specialists, remember) appreciate and address the underlying issues, without totally confusing them with techno-babble. That means simplifying things just enough but no more, a delicate balancing act.

In reality, dividing the awareness audience into those three groups lets us adjust the focus, nature and depth of the materials accordingly. Managers, for instance, have a particular interest in the risk management, compliance and governance aspects that are of little concern to workers in general. 

At the same time, the awareness materials should generate opportunities for the three audience groups to interact, which means finding common ground and shared interests, points for discussion. That's what we're working on now.