"We're getting into a world now where mobility is not a lifestyle; it's a work style. Companies who don't support a mobile workforce are going to be at a competitive disadvantage," said Jack Gold, president and principal analyst at J. Gold Associates LLC, an IT strategy firm based in Northborough, Mass. The question for CIOs is how to secure this maelstrom of mobile endpoints.
In this expert podcast, Gold speaks with SearchCIO's Editorial Director Christina Torode about the hows and whys of mobile device security, beginning with step one: devising a mobile strategy.
What is the best plan of action for securing endpoint devices: going after the application layer, the device itself, or is there a better starting point?
Jack Gold: I think there's a more important starting point for most organizations, and that starting point really needs to be putting together a mobile strategy. Until you've got a strategy in place of what you're going to support, how you're going to support it, who you're going to support, which application, which devices, which users, which business processes, it's really difficult to come up with a unified mobile security plan.
Once you've put together a strategy and once you understand the kinds of users you have to support, the kinds of applications you have to support and the kinds of devices that people are looking at, then you can get down to the level of:
- How do we secure specific applications?
- How do we secure specific devices, because all devices aren't created equal?
- How do we provide connectivity?
- How do we know which users should have access to the most sensitive data?
- What is our risk profile?
If you're in a regulated industry -- health care or you're a pharma bank, as opposed to consumer-packaged goods where you're delivering groceries to supermarkets -- there's just a different risk profile. You need to assess that as well, to see what's going to be happening in your organizations.
All of that said, start with a strategy; figure out what it is that you have to support, who you have to support, what kind of applications you have to support, and only then backfill and look at what you can do for your various users and various applications to make them secure.
CIOs and industry experts have said that the rewards of using mobile devices for employee productivity and improving customer engagement, for example, outweigh the risks that these devices pose to an organization. What's your take on that?
Gold: I think that can be true, and I think in many organizations it is true. I also think that many organizations don't really measure [the rewards and risks] that effectively, so they don't know. Measuring return on investment, or ROI, is something that we find very few companies do or do adequately. Some of them guess at it, but they don't really measure it. We did a survey and found that only about 39% of companies actually made any attempt to determine an ROI at all, and it was even less for companies that actually measured it.
Mobility in general is very important. We're getting into a world now where mobility is not a lifestyle; it's a work style. Companies who don't support a mobile workforce are going to be at a competitive disadvantage. That said, if you are not deploying a strategic mobility solution -- knowing what it is that you're trying to accomplish, knowing how you're going to increase productivity, how you're going to increase customer support, or how you're going to increase the amount of work one employee can do as opposed to what could be done before with two or three [employees] -- then it doesn't really make sense to spend the money, because mobility isn't free.
The answer to your question is that mobility can have some very significant positive benefits to organizations in ROI, in better customer support, increased sales, happier users in your organization or consumers in your organization, but only if you understand a path to getting there. What is it you're trying to do? How are you going to accomplish it? Then you can put together a mobility environment, and as I said earlier, put together a mobile strategy that allows you to accomplish that.
MDM [mobile device management] versus MAM [mobile application management] versus MIM [mobile information management]? The first question is, who gets access to what data?
Where should CIOs be focusing their effort in terms of tools that help manage mobile devices? Is it really managing mobile devices, or is it more managing applications and data?
Gold: Companies need to first and foremost put together an access policy. Start by building a matrix of classes of users. Certain classes of users, such as executives, get access to everything, so they need the highest level of security and the most effort to make their devices and applications secure. Lower-level employees may only get email, so there's a different level of effort needed there.
The point is, don't focus on mobile device management, as we have in the past, which was primarily an asset management piece. Focus on the data on the device: the data at rest, what data is going to be available there and how you're going to protect it. Focus on the data that's being transported over the network, VPNs and the encryptions. Focus on the applications: who's creating the data or consuming the data on the devices and how they're doing it. Again, do this in a matrix fashion so that it's not a uniform deployment on all devices. That's No. 1.
No. 2 is it's also got to be transparent. What you're doing is trying to put tools and technologies in place, whether it's all of the three-letter acronyms -- MDM, MAM, MIM -- or whatever it happens to be, don't think about it from that perspective. Think about it from the perspective of, "I've got to put a policy in place. I've got to manage a lot of users. I've got to manage a lot of devices. Only then, when I understand that, will I backfill with the transparent technology that makes that happen for my end user and doesn't get them necessarily involved in the process." Frankly, if you're relying on the end user to do it, they'll find a way around it. Most end users don't want to be bothered. It has to be a transparent technology, policy-driven, and technology that fits the use model for various users.
Users have a lot of say in IT now, but security is IT's job.
What about bring your own device (BYOD) and the democratization of IT (some call it consumerization of IT)? Is it creating a new view on what should be managed and how security is achieved?
Gold: It's absolutely creating a new view. I like to refer to it as democratization rather than consumerization, simply because it's not just about consumer technologies. Certainly that's part of it, but it's also about the influence within the organization. It's democratization of IT, and what it's doing is it's forcing companies and forcing IT within companies to look at end users as equals and sometimes more than equals. We found in our survey that about two-thirds of mobile solutions are being driven and paid for, not by IT, but by the line of business, by the users. Democratization means those folks have a lot of say in what's going on in the organization.
IT still has a major role, particularly in security, because they should be the guiding light to those users as to what's acceptable and what isn't, what the risk factors are. Most users will only think about applications and getting what they want. It's IT's job to work with them so that they understand what is and isn't possible and why. IT needs to look at the end user community in the lines of businesses as partners. This is a partnership. The line of business will decide what they need to get their jobs done. It's up to IT to be advisers and partners and say, 'We can do this, but here are the risks, here are the security problems, here are the support problems, here are the costs involved. If you go in this other direction, we can help, and the security would be less and the cost would be less.'
BYOD and democratization should not be seen as IT simply throwing up their hands and saying, 'We can't do anything.' It changes the role within your organization, but IT has a very important role to maintain.
Do you have a security or best practices checklist that would help CIOs with so much device diversity?
Gold: We put together a couple of whitepapers on mobile security. One is 7 Steps to Enterprise Quest: Mobile Security, which is available by request either by email or by our website at www.JGoldAssociates.com; there's also some other data there. There isn't one master checklist that is good for all organizations. Mobile is one of these technologies that is implemented differently within different organizations, so companies need to consider that. It is a good starting point, and I'd be happy to send it to your listeners.