Nice idea in theory, impossible to make a strict rule in practice.
It starts with the two-factor authentication. Why spend $25 per employee on a yubikey, or several hundred bucks per employee on a company smartphone, when they can use their personal smartphone for free?
Then it's the business travellers, some of whom are very senior people. The CTO is spending the night in a hotel for work, it's well outside of work hours, he'd like to log into his personal Netflix account on his work laptop.
Then it's the all-hands meeting about the big reorg - 9am US time, but 8pm for the team in Poland. Of course they're not going to stay in the office to watch that on company equipment, frankly they're doing us a favour by watching it at all.
Then the people wearing headphones in the office want to connect to Spotify...
IMHO any large company whose security strategy relies on nobody doing work on a personal device or personal stuff on a work device is destined for failure. You can follow the rule yourself if that's your preference - but if you try to make it mandatory and enforce it effectively, you'll find there are a lot of stakeholders who are unhappy about it...
> IMHO any large company whose security strategy relies on nobody doing work on a personal device or personal stuff on a work device is destined for failure
Every place I've worked for ~25 years has restricted the installation of software on work devices. If the CTO wants to watch Netflix, they'd need to take their own laptop or use their phone. Same with Spotify at work.
There has been more allowance for accessing work resources from personal devices in some orgs, though in many places that has also been strictly banned. At my current place, Slack sits in a grey zone where we use it for work but have to maintain discipline around what we discuss. IMO we shouldn't be using it at all.
MFA is almost a separate category - while technically "work stuff" it is reducing attack vectors rather than increasing them.