Employees are demanding access to enterprise apps and data on their personal smartphones and tablets.  Marketing wants to drive greater mobile interaction with consumers.  Partners highlight new opportunities to integrate by leveraging mobile collaboration.  At many companies, these activities are either getting kick started or already in full throttle to seize the business value potential of mobility.  Now, the challenge of securing the rapid transition into a mobile enterprise is left to the Chief Information Security Officer (CISO).  CISOs constantly find themselves with short lead times to anticipate organizational needs and establish security models that will govern new behaviors.  However, with smartphones and tablets the pace of adoption has been significantly faster and associated technologies gained widespread popularity in the consumer space first before broad adoption in the enterprise.   The result is that CISOs not only find themselves reacting to a trend with significant momentum but also find themselves without the power to impose traditional controls – they don’t own the devices or manage its configuration.  To confound the issue further, there is a demographic change taking place within organizations too.  The younger generation entering the workforce is accustomed to consumer technologies that have superior user experience compared to enterprise solutions.  They have come to expect that the tools and processes they employ adapt to their behaviors rather than they having to conform to limited capabilities of solutions in place.

When it comes to mobile security, some organizations responded quickly and have instituted one or more core elements of their security strategy and looking to enhance their implementations.  However, many are still experimenting with approaches or still evaluating their options.  CISOs have long known that among the first steps in managing new technologies is to establish corporate policies and guidelines as a reference for early adopters to self-manage their usage behavior.  Early adopters, being good corporate citizens provided implicit and explicit feedback on those policies, helping the CISO enhance the policies before broader rollouts.  As policies grow sophisticated technology solutions are required to enforce those policies and measure compliance.  With mobile technologies, the rapid pace of adoption results in a proportionately large early adopter community, and this requires CISOs to short circuit the process from policy definition to infrastructure deployment.  Initially corporate policies start off being highly restrictive but progressively become more accommodating of the Bring Your Own Device (BYOD) trend.  The forcing function being the business value that mobility promises.  The process of defining mobile security policies has to take into account the operational priorities of the organization.  At first, a single set of security policies may be applied consistently across the entire organization but a better understanding of the different types of users and their requirements can lead to more diverse sets of security policies being applied with greater specificity – i.e based on a user’s role, responsibilities and other contextual information.  Administrators require security solutions that allow them to incrementally but rapidly create enforce and manage new policies.  With policies the burden of education also falls into the hands of CISOs.  This is particularly important given the demographic changes mentioned earlier.  Solutions that deliver contextual information to users as to the reason why a security protocol is place for the specific task they are undertaking will have greater compliance than those that may not.  Additionally, this will train users to be self-vigilant as well in areas that have not been completely security enabled.

Security policy choices will govern the makeup of the security infrastructure required to enforce them.  Today, a very common starting point has been device security.  CISOs see a new type of endpoint attempting to connect to the enterprise and one that is possibly not owned by the organization.  To achieve parity with how traditional devices are managed, they want greater visibility and control over mobile devices.  A Mobile Device Management (MDM) solution provides the infrastructure to manage the device security and provide a delivery channel for other security capabilities (i.e. antimalware).  Mobile App Security is quickly becoming another important focus point.  Organizations recognize that mobile apps are the basis of the interactions between mobile users and enterprise data/services.  Large organizations that develop some of their own apps will look to investing in a Mobile App Platform that supports developers by enforcing security best practices at design, development and test time.  Vulnerability testing of mobile apps is gaining in awareness among IT groups because many mobile apps are being built by line of business teams but IT still is responsible for keeping them secure.  User security is sometimes assumed but mobile can bring some unique requirements such as needing to authenticate and authorize not just the user but their device as well.  User security offers the fastest way an organization to empower mobile users, especially if they have made significant investments in web apps, which are easily consumable on most tablets. 

The pace of change and innovation in mobile is amazing.  Many CISOs observe this and realize that no matter what policies and infrastructures they have or will have in place, they may not be sufficient.  New capabilities and behaviors will precede security methods and best practices but CISOs want to stop being reactive and regain the initiative.  Only by having visibility across their mobile enterprise and the various security solutions they employ can they quantify their risk exposure and be proactive in responding to emerging threats.  Mobile specific security intelligence will grow in significance with increasing enterprise maturity in mobile security. 

As always I invite your comments and questions.  If you will be at Impact in Las Vegas this week come let’s connect at the Mobile Meetup to continue this discussion.