I've heard the same story from a multitude of CISOs: "As soon as we agreed to support BYOD and mobile devices, all hell broke loose!" How? All of a sudden there were hundreds or thousands of new devices accessing the corporate network. Many of these devices were employee-owned, unmanaged, and full of questionable applications. What's more, users were now working on multiple devices and moving sensitive data between Windows PCs, iPads, Android phones and a slew of online file-sharing sites like Box, Dropbox, and iCloud. Holy threat and vulnerability, Batman!
Most enterprise organizations are now way past this early period of mobile security chaos. Yes, there are still plenty of challenges associated with mobile computing security, but did preliminary mobile computing anarchy have any positive impact on information security in the long run? In other words, did the initial mobile computing fire drills actually help CISOs recognize risks and address systemic weaknesses?
According to ESG research, the answer is unquestionably "yes." In a recent survey of 242 security professionals working at enterprise organizations (i.e. more than 1,000 employees):
- 41% of respondents say that their mobile computing strategy and implementation have helped them "improve coordination of device and security controls." My thesis is that this is due to a combination of MDM for mobile device management and a greater focus on network access control technologies from Aruba, Bradford Networks, Cisco, Forescout, Great Bay Software, and Juniper.
- 40% of respondents say that their mobile computing strategy and implementation have helped them "improve data access policies and controls." In this case, an army of new devices forced business executives and CISOs to investigate their access policies, data classification taxonomies, data security controls, and sensitive data monitoring. This may be related to the recent upswing in "crown jewel" security projects where large organizations identify and lock down their most sensitive data. Vormetric is seeing growth as a result of this trend.
- 40% of respondents say that their mobile computing strategy and implementation have helped them "link security policies/enforcement with application development." This is a positive step as applications are notoriously insecure - especially new types of applications. In this timeframe, ESG has seen an increase in the use of static and dynamic application security testing tools from vendors like HP, IBM, Veracode, and WhiteHat Security, which corresponds to this data. They may also be using security libraries from Good Technology, MobileIron, and Zenprise (Citrix) as part of their development processes. Additionally, there is a greater focus on secure software development lifecycles these days. Mobile application development probably influenced this trend toward improving application development security.
- 40% of respondents say that their mobile computing strategy and implementation have helped them "link security policies/enforcement with business processes." This is especially good news since mobile computing is most effective when it is used to change, accelerate, or automate business processes. This type of business process transformation can only be effective if security controls mitigate risk without disrupting workflow.
The whole notion of "shadow IT" and mobile computing suggests that the IT department will have less control in the future. This is a new reality, and CISOs have to learn how to support rather than fight these changes. As IT control dissipates, CISOs must gain greater oversight over the assets they DO control - data, applications, user identities, and IT infrastructure like servers and networks. Ironically, the avalanche of mobile computing security challenges may have ultimately served as a catalyst that guides cybersecurity policies, processes, and controls in the right direction.