What is endpoint security, and how do you shore up the weakest links?
Date: Nov 14, 2013
What is endpoint security, and why should today's CIOs be taking note of their organization's
weakest links? In this three-part webcast, SearchCIO-Midmarket editorial director Christina Torode
speaks with Jack Gold, president and principal analyst at J. Gold Associates LLC, about the
importance of mobile security. Here, in part one, Gold examines the various risk points that
organizations small and large face.
Christina Torode: Hello, and welcome to this CIO webcast on endpoint security. This is Christina Torode, and I'm here with Jack Gold, president and principal analyst at IT strategy consulting firm J. Gold Associates, LLC. Jack is going to talk about how CIOs can develop a security strategy for the myriad of mobile devices in the workplace. Thank you for joining me, Jack. Please take it away.
Jack Gold: Thank you, Christina, and thank you, everyone, for joining us today. We're going to spend the next 20 minutes or so talking about endpoint devices.
Why is mobile security so critical? And many organizations probably aren't aware just how critical it is these days. Well, there are a number of reasons. First of all, there's a myriad of device types. There are lots of different devices, from Apple devices to iOS devices to Android devices; BlackBerry's still out there, Windows Mobile devices, there are still laptops, and there are varying versions of Android out there as well. There isn't one Android; there's probably half a dozen or so that you could implement in your organization.
All of them have different levels of inherent security and vulnerability. So you need to assess all of them to understand what's going on. Further, the mobile app ecosystem is increasingly complex and potentially insecure. And consumers -- that is, generally, your users who have BYOD [bring your own device] in mind -- are focused more on convenience than they are on security. It's not always their fault: Many of them don't really have knowledge of what the risks and/or bad behaviors might be. So we'll talk about that a little bit as well in a little while. But you need to think about assessing the risk and not only you assessing the risk, but providing that feedback to your end-user community so they can work with it as well.
Consumerization is a big trend, not just with the devices with BYOD but, also, of apps. And so where are the security risks with off-the-shelf apps versus enterprise-class apps and enterprise-class requirements that you have in your back-office system? This is driving many companies to distraction; it's really difficult.
So who's in control? Who pays a price if there's a failure? All of these are issues that you need to look at from a mobility perspective. Mobile security is evolving. It's really a hodgepodge of risks, of caution, of rewards, of failures, of issues, of challenges. You need to deal with it or face really daunting penalties if there's a problem within your organization.
So what are some emerging trends? At the beginning of the year we put together a number of emerging trends. I'm going to highlight three of them for you here very quickly, and then we'll get into a little more content. But, basically, over the next two to three years, we see the following happening. In the mobile device management space, which most companies are looking at, the change of focus is going to be from the device itself to the apps. And mobile device management really becomes, longer term, a subcomponent of a larger ecosystem. It's enhanced by controls applied to data and to apps into interaction. So it's not about asset management, which is what MDM used to be. It's more about app control, app management.
Further, mobile device growth is a huge trend. The average business user is going to acquire and maintain and use, on a regular basis, three to four mobile devices. So we're not just dealing with laptops anymore -- we're dealing with smartphones and tablets and notebooks. But we may be dealing with two or three smartphones or two or three tablets. And, still, notebooks aren't going away anytime soon.
Further, the average user will have eight to 10 mobile apps that they will regularly deploy, and this is going to be driven by the low cost of these apps. You can go in the app store -- sometimes you get them for free, sometimes they're 99 cents; or even if they're $2.99 or $3.99, they're very low-cost. They have a good amount of utility, and they're very easy to get. So you're going to have to deal with the mobile device and the mobile app growth within your organization, and we'll talk about that in a little while as well.
Mobile apps and TCO [total cost of ownership] are becoming a great issue as well. And in fact, what we find is that [organizations] that don't have a strategy for mobility focused on mobile apps will really risk losing control of their mobile infrastructure, mobile ecosystem. This is going to dramatically increase security breaches. It's going to dramatically increase cost of operations, and it will decrease end-user productivity. So companies that focus on mobile app management actually see a 25 to 35% lower TCO -- mobile TCO, that is -- than those only focused on traditional asset management. So this is an area that you really need to spend some time looking at.
One of the greater trends that's going on in organizations right now is what we're calling the democratization of IT. Some people call it consumerization; I like this term better simply because it's not just about consumer tools. It's also about user preferences. And democratization means that user preferences are as important as IT directives in many organizations. The users get a say. Often they're the ones that are funding it.
So this will have an effect on cost. It will have an effect on security, and it will include a number of areas. Consumerization of personal tools: Business users are going to go out and get consumerized tools to use. They're going to access corporate assets, but are they doing it securely? What about content management? What about enforcement of policy? This is where a lot of companies fall down. BYOD is fine, but if you don't have a policy in place that you can enforce with tools, it's a real issue.
And what about mission criticality? Or is it just convenient? You can let users go out and get tools that are convenient. But if it's mission critical, it better be up and running and be working well. This small chart on the right is from a major study that we did about a quarter and a half ago now, that looked at a variety of different issues and enterprises. We surveyed 270 enterprises for a variety of challenges and cost structures and all the rest. One of the things we asked was, 'Has your company ever had a mobile security breach?' Forty-two percent had said 'never.' I think that's wishful thinking. I think there are a lot more companies that have had it than admit to it or know about it, and I think that's the real issue.
Go to part two in this webcast, where Gold discusses a checklist for BYOD and security.