This content is part of the Essential Guide: A CIO's essential guide to mobile business strategy

The best mobile security plans examine risks first, then prescribe

How do CIOs deliver the best mobile security? Take a cue from the great psychologist Abraham Maslow, says CTO Niel Nickolaisen.

Maslow's hierarchy of needs starts with the basics ("physiological" requirements and "safety") and works its way to the highest level human need -- self-actualization. Along the way it passes through belongingness, love and esteem. Belongingness, love and esteem are two-way patterns -- we want to connect with and love other human beings, and we want others to connect with and love us. We want to have self-respect and to be respected.

As IT leaders, one of the quickest ways we can wipe out our connection with our customers and lose their love and esteem is to be the people who exert too much control on people who long for self-actualization. Perhaps I should make this more concrete -- the IT landscape is littered with CIOs who tried to limit what their internal customers could and could not do with technology. I learned a long time ago that shadow IT exists because my customers are not getting from my team what they really need.

Best mobile security defies easy answers

At the same time, we must keep some level of control in place to guard against harmful behavior. We do need to stop someone from picking up a USB flash drive off the street, plugging it into their laptop and unleashing a virus or ransomware. We do need to have controls in place so that no one loses critical client or employee data.

The tension between risk and control is sharpest on mobile devices. Mobile devices (smartphones and tablets) are, by their very nature, designed to blend organizational and personal computing. My phone is filled with personal photos and photos of whiteboard architecture and flow diagrams. My apps include my corporate email and expense approval as well as my personal mobile banking.

How do we provide the best mobile security without being the jerk who is making the mobile compute experience a nightmare for everyone in the organization? What do I allow and what do I block?

When I am faced with ambiguous, seemingly no-win situations, I try to go back to some foundational principles. One of those foundational principles is to make decisions about risk only after assessing the risks. I admit that sounds a bit trite, but too often I have made decisions that treat all risks equally.

Best mobile security assesses risk likelihood/impact

For mobile devices, what are the risks? Are we storing confidential or critical data on the devices? If so, what data? If someone could get that data, what could they do to damage me or the organization? What type of information does our email contain? Would those photos of business process flows damage the organization if someone captured them? What could someone do if they had access to my mobile expense reporting app?

When it comes to assessing risks, I like to first identify the specific risks and then, for each risk, define the likelihood and impact of the risk. I then figure out the best, most pragmatic way to mitigate the risks with the highest likelihood-impact combination.

For example, what employee or client personally identifiable information (PII) can someone store on their mobile phone? If someone can store a lot, there is a real chance that we will lose that data and, depending on the depth and breadth of the PII, the impact could be significant. In this case, the best mobile security plan would have strong PII risk mitigation in place -- and that mitigation might require that we put certain controls in place. But at least, by spelling out the likelihood-impact combination, we can articulate the risks and the controls that mitigate them.

If, on the other hand, no one can receive or store critical PII on their phones, the likelihood-impact combination is smaller and we might not need to control the lives of our users. This approach aligns our security countermeasures to our users' need for individual control. And, if you are subject to information security audits, this is an approach that you can explain to any auditor (although, based on my personal experience, some auditors are not familiar with assessing risks before defining risk mitigation).

There are risks with not doing enough to secure mobile devices, but there are also risks with doing too much. Taking a risk-based approach has always helped me find the right balance.

Next Steps

More recent CIO advice from Nickolaisen:

The road to Agile ERP starts with a vow

CIOs: Start now on IoT security and privacy protocols

Five critical questions before taking the hyper-converged plunge
