BYOD and security: A checklist for mobile democratization, deployment

Date: Nov 14, 2013

Which aspects of endpoint security should be on the CIO radar? In this three-part webcast, Jack Gold, president and principal analyst at J. Gold Associates LLC, looks at the weakest links in endpoint security. In part one, Gold addressed why endpoint security should matter to the CIO. In this second part, Gold looks at BYOD and security issues, including the importance of governance and policy in these areas.

Jack Gold: From a bottom-line perspective on this democratization issue, BYOD [bring your own device] and democratization really require a new view on what management includes and how security is achieved. It's not the old days. It's changed dramatically. So what is it that you need to do? What are some strategies to deal with this diversity? It's getting very messy out there -- there are lots of devices [and] lots of applications.

One of the things that you need to think about is dealing with this popular choice, and you need to create a number of coping strategies. We've listed six on this chart. There could be more depending on your organization. No. 1 is define end-user classes. Not all end users are created equal. Some should have access to a variety of tools and capabilities in back-end systems; some, maybe not. Also, build a device matrix that is very similar. Some devices are safe, some should have access, some perhaps not so much.

Create a checklist for deployment. It's important to know what you're actually deploying out there and how you deploy it. So if I walk in with a BlackBerry, and you walk in with an iPhone, and someone else walks in with an Android device, they're not exactly the same. So figure out how you're going to deploy each of the devices.

Also, decide how you're going to improve various devices. Again, not all devices are created equal. Should you support each and every device there is out there? And the answer is probably not. There are some devices that you will support or at least offer a high level of support, and some that you won't -- or at least [will] offer a low level of support.

Also, who gets to pick the app? Is it ultimately the consumer, the end user that goes out and gets an app? Or is it IT? Or is it a combination of the two? It really should be a combination of the two. There are some apps that just aren't suitable for corporate environments.

And finally, implementing governance and policy -- this is an area where many companies don't do an acceptable job, where they don't spend enough time in governance and policy and security suffers. This chart on the right, this little graphic is something we call The Security Gap. And in a nutshell, it shows you where security and diversity -- those are the two axes, security being the vertical axis, diversity being the horizontal axis -- and IT control and user choice both converge and diverge.

One of the things that you need to think about is what is your acceptable risk gap? And what is your security gap? I'm sorry; it's acceptable risk versus a security gap. And you'll find that if you give users too much control, and IT doesn't have enough control, you run into the security gap issue. You need to assess that effectively and know when you're crossing over into that, really, no-man's-land, where you don't want to be. That's a real problem area. So, bottom line, think about building an effective device diversity strategy. If you don't have one, it really is a recipe for failure within your organization.

Now why is security different? Many organizations think security is security is security. And in fact, to some extent, that's true, but mobile security is different than general security and PC servers and the like.

There are three components to evaluate from a mobile security perspective. One is data and creation -- that is, apps, vulnerability, what are you doing, malware, encryption, those kinds of things.

Then there is data at rest on the device. What do I do to protect that data on the device, both from being hacked but also from users just taking that data and putting it in inappropriate places? Like taking a customer list, for instance, and putting it in Dropbox, something you probably don't want them to do. And, finally, what about the data in transit over the network? The wireless network is relatively secure, but what about VPNs [virtual private networks] and getting into the corporate back end and the like? All of these components need to be addressed.

The other issue that you need to think about is what does failed security actually cost the organization? Well, it can be very expensive. This yellow box on the right talks about the risk. Five to 10% of notebooks are lost or stolen per year. Fifteen percent to 25% of phones are lost or stolen per year. Tablets are probably somewhere in the middle. So, we're talking probably 10 to 15% of tablets are going to be lost or stolen each year.

Now, we all know that the amount of memory available on these devices is growing dramatically, and each lost record costs $258 to mitigate, according to the Ponemon Institute. So, if you're losing only 10,000 records -- which really isn't that much if you think about it, it's not a lot of data -- it will cost your organization $2.58 million to mitigate. So failure is not an option here, unless you've got lots of money that you don't mind spending. And, by the way, in some organizations, highly regulated companies, it could even mean jail time for your CIO or CEO if it's egregious enough.

So think about security, and think about why it's important and think about, perhaps, getting devices with some sort of security certifications, FIPS [Federal Information Processing Standards], etc. In many industries, that's absolutely critical. BlackBerry's got it; there are some Android devices that are coming out with it as well now. Windows Phone is moving in that direction. So think about what security and why security is different. Security is often underestimated; it's taken for granted in many organizations. You have to consider it, and you have to evaluate it for all platforms that you're going to support.

Watch part three of this webcast, in which Gold provides seven steps for mobility management.
