Enterprises tend to invest more in securing the end device than the network when it comes to mobile device security. The tools for mobile device network security exist, but many companies aren't investing in them.
Before putting security policies in place, however, CIOs need to ask why their company is moving to mobile access in the first place. Jack Gold, president and principal analyst at IT strategy consulting firm J. Gold Associates LLC in Northborough, Mass., explains why strategy should come first, and suggests which mobile device security policies should follow.
SearchCIO.com: Most enterprises have a virtual private network in place, and are aware of the need for a VPN client on mobile devices. What are they not taking into consideration in terms of mobile device security?
Jack Gold: Before you get to that point, the CIO should be asking, "What's the corporate benefit for letting people do things from a mobile device?" It's amazing how many companies don't think along these lines because they are getting a lot of pressure from end users to just let them on the network.
Everything employees do in a company has a cost. Users don't see that, but it's true. There's a cost to buying a VPN client, to installing it and having the help desk resolve problems with it. The problem is, most companies don't look at this strategically. If you're not building out a strategic plan, how do you know where mobile is going, what to invest in, what services your end users really need?
How can a CIO make the organization stop and take stock of why they need a mobile strategy when, as you say, they are being pushed to just meet user demand?
Gold: The argument the IT group makes is, "Hey, this absurdity of letting anyone do whatever they want with mobile devices is costing this organization a fortune. We can't afford it." And when the CEO asks how much it's costing, you say, "I don't know. That's exactly why we need to stop this and figure it out."
How difficult is it to set mobile device security policies for determining what information users or a business unit, for example, should or should not have access to?
Gold: It's not that it's so hard to determine that, to set the policy. The harder part is enforcing it. I can decide that if you're a Level 10 or above, you get access to this information; if you're below, you get something else. That's pretty easy to implement into Active Directory or Exchange. There are tools online that allow you to do that, but few companies have implemented them.
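Gold's point is that writing a tiered policy ("Level 10 and above get this data") is easy, while enforcing it is the hard part. The following added example, which is not from the interview or from any directory product, sketches how a defender can turn such a policy into a reconciliation check: it evaluates which access tiers each user should hold, compares that with the groups they actually hold, and flags users who have mobile entitlements without a managed device. The `POLICY` thresholds, the `mobile-*` group naming and the sample users are constructed assumptions for illustration.

```python
"""Tiered mobile-access policy with an enforcement audit (hypothetical example)."""
from dataclasses import dataclass, field

# Constructed policy: minimum job level required for each data tier.
# In a real deployment this would be derived from the risk audit, not hard-coded.
POLICY = {"public": 0, "internal": 5, "restricted": 10}


@dataclass
class User:
    name: str
    level: int
    groups: set = field(default_factory=set)  # e.g. directory security groups (assumed names)
    mdm_enrolled: bool = False                # whether the device is under MDM control


def tiers_allowed(user):
    """Tiers the policy grants to a user of this level."""
    return {tier for tier, min_level in POLICY.items() if user.level >= min_level}


def entitled_groups(user):
    """Groups a user should hold under the policy: one 'mobile-<tier>' group per allowed tier."""
    return {f"mobile-{t}" for t in tiers_allowed(user)}


def audit(users):
    """Return findings where actual group membership diverges from policy.

    Each finding is (user, kind, group):
      excess            - user holds a mobile group the policy does not grant
      missing           - policy grants a tier the user does not actually hold
      unmanaged-device  - user has mobile access but no MDM-enrolled device
    """
    findings = []
    for u in users:
        expected = entitled_groups(u)
        actual = {g for g in u.groups if g.startswith("mobile-")}
        for g in sorted(actual - expected):
            findings.append((u.name, "excess", g))
        for g in sorted(expected - actual):
            findings.append((u.name, "missing", g))
        if actual and not u.mdm_enrolled:
            findings.append((u.name, "unmanaged-device", None))
    return findings


# Constructed sample directory for the demonstration.
SAMPLE_USERS = [
    User("alice", 12, {"mobile-public", "mobile-internal", "mobile-restricted"}, True),
    User("bob", 3, {"mobile-public", "mobile-restricted"}, True),   # over-entitled
    User("carol", 7, {"mobile-public"}, False),                     # under-entitled, unmanaged
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS):
        print(finding)
```

Running this over the sample directory reports Bob's excess `mobile-restricted` group, Carol's missing `mobile-internal` group and her unmanaged device; the same loop, fed with real group exports, is the kind of recurring check that closes the gap between a policy on paper and what the directory actually grants.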
What are some examples of these tools?
Gold: These are the new security implementations of MDM [mobile device management]. There are dozens of vendors -- folks like MobileIron, AirWatch, Zenprise and BoxTone -- that set policies. [Research In Motion's] BlackBerry has had it for years as part of BES [BlackBerry Enterprise Server]. So, a lot of these [other vendors] are trying to duplicate what BES did.
What advice do you have for CIOs trying to strike a balance between user needs and corporate security needs?
Gold: What I recommend most is to do a risk audit: What is your risk and what is your comfort level with those risks? Then move accordingly. And keep in mind that access won't be universal with all people in your company.
This was first published in February 2012