Organisations that want to realise business benefits from mobility must make a mobile security strategic business objective.
This is the view of Sinisha Patkovic, director BlackBerry security, Research In Motion (RIM), keynote speaker at the ITWeb Security Summit, held at the Sandton Convention Centre.
Patkovic said a mobile device strategy needs to balance end-user benefit, IT security risk, and the business value mobile devices bring to the organisation.
In his presentation entitled 'Security strategies for a changing world: The balance between risk and user benefit', he pointed out a mobile strategy done right can drive business value while reducing security risk.
He explained that the consumerisation of IT, where an end-user brings in their own consumer-oriented device, can bring risks to the organisation.
“Consumerisation means that it's not IT that's selecting enterprise-grade tools; it is employees who are bringing their own personal devices into the enterprise. The devices are not necessarily built to work for the enterprise, and this is a challenge.”
Consumer-business balance
Patkovic said it's difficult to get the balance right and organisations do not have as much control over individual-liable devices, because the organisation does not own them.
“An organisation is only as secure as its weakest link. Mobile will introduce some very weak links, unless done right, he said. “Increasing mobile productivity requires integration to sensitive back-end databases and servers.
“In addition, increasing integration to sensitive resources requires increasing effective, scalable and flexible security controls.”
According to Patkovic, allowing employees to bring their consumer device into the business will reduce capital costs the company would otherwise have spent on purchasing enterprise-grade devices. However, it could end up costing more in terms of maintenance and service costs, and increases risk due to fewer security controls on the devices, he added.
“Worldwide shipment of individual liable business use devices is expected to grow by 19% to reach 88.7 million units by 2013. According to IDC, more than 61% of corporate mobile devices will be individual liable devices by 2013, said Patkovic.
“In addition, Gartner predicts that by 2014, 90% of organisations will support corporate applications of some sort on personal devices.”
Struggle triangle
“Employees want mobile device choice and flexibility. IT wants ease of use, manageability and transparent control, while business executives want business critical data protected wherever it resides,” said Patkovic.
“The end-user looks for usability, personal preference and design style, while the business looks for strategic fit, productivity, enablement, cost of service and maintenance.
“And risk is often overlooked or skipped altogether. From IT perspective, the risk of a consumer device includes security breaches, loss of privacy and non-compliance.
“What the end-users want is not what the business value may be, and might not align to the IT risk management strategy,” he added.
He recommended that someone who takes all three views into account needs to make a decision on what mobile device should be integrated into the organisation and how business, IT and end-users can benefit.
“Use a risk management approach, be aware of bias and assess the risk as it impacts the overall business. IT should help quantify the risk of the device through governance.
Share