CISO Perspective: Becoming a Business Enabler

Visibility is Key in Mobile Security: Without it We Cannot Know Where Data is Going, or How it’s Being Stored...

A few years ago while preparing for a talk, I read a statistic about the expected explosive growth of mobile. At the time I did not believe the numbers, but looking back over the last several years, I realize that mobile really has created the biggest technological shift for the enterprise, both in the technology itself, which gives employees the ability to choose their own devices and tools and to control how they use them, and in the way that organizations manage risk.

The mobile landscape is changing rapidly, creating new challenges and opportunities for CISOs tasked with balancing business enablement and risk. The popularity of BYOD and employee use of mobile apps (whether sanctioned or not) has catapulted mobile security to the top of the priority list. Security teams and lines of business have reached a turning point on BYOD. It has become more important than ever for the CISO to figure out how to manage risk without inhibiting users.

Enabling BYOD for Productivity

This begins by understanding mobile and how it is used within the organization. We're all mobile users. I remember when I replaced my beloved BlackBerry with my first iPhone and the excitement I felt at how easy it was to push the limits of what I could do. However, the CISO side of me was also frightened at how easy it was to push the boundaries, and I didn't want my users doing what I was doing. Initially this meant that I was a little heavy-handed with the lock-down and control of mobile within my organization, but it also meant that I understood the risks and rewards of mobile.

CISOs need to be adopters of mobile themselves, using applications that make their lives easier so they truly understand the opportunities and the restrictions currently in place. Furthermore, CISOs must find ways to ease mobile adoption by implementing controls that are flexible enough for teams to switch applications without extensive delays caused by security reviews and vetting – allowing them to adopt new tools in days, not months.

This understanding goes both ways. While it's important for IT to understand the needs of the users, when I was a CISO it was also my job, as the head of IT, to make sure everyone in the organization understood the potential risks of mobile. As CISOs, we need to make sure that the entire business understands the value of the corporate data they are putting on their devices. We need to explain the risks of jailbroken devices, of downloading from untrusted third-party app stores, and of storing corporate data on these devices.

I've said it before and I'll say it again: visibility is key in the mobile security equation. Without it we cannot know where the data is going, or how it's being stored. This goes beyond an inventory of apps. A recent study found that employees use seven times as many apps for work as IT estimated. We need to know which apps are actually being used as well as what data is traveling through these applications. Only then can we truly know where our data is.

Mobile is similar to desktop in the sense that users move data before we know about it. As a result, we must have controls to prevent data movement, or protections to ensure that if data is moved it is encrypted and can't be accessed from unprotected applications. This way, we are not solely relying on what we're told; we are acting on actual data.

The number one reason mobile security implementations fail is the introduction of overreaching controls that infringe on employee privacy or restrict employees from doing their job efficiently. In these cases, users find ways around the controls, which increases risk. A poll of 3,200 employees by Fortinet found that slightly over half said they would ignore their employers' formal BYOD policies. No one can afford for half of their employees to disregard security policies! At the end of the day, our job is not to restrict the employee; it's to ensure they can conduct business securely.

Similarly, privacy is not something that should be overlooked. BYOD has really changed privacy in the enterprise and has increased employee expectations of privacy. Since employees are using their personal devices for work (something that benefits the company), we must respect their privacy.

We can find a healthy balance between privacy, security and productivity by giving users input on the processes and controls that affect them and their work. Users will respect you more if you bring them into the fold than if they are simply locked down without any consideration. If the controls are designed properly, they will work well and meet both the privacy and productivity needs of the employee and the security needs of the CISO.

Of course, communication is vital to this. A recent study found that 33 percent of employees had no idea whether or not their employer had a BYOD policy in place. Technology can help enforce security policies, but you need to connect and educate as well. If we are transparent about why we're implementing policies and take employee needs into consideration when creating them, I've found that most employees will accept and embrace them.

Mobile has changed the game for everyone, but just as this amazing technology has created new ways for us to collaborate, so too has it created an opportunity for IT to work better with our end users. While it hasn't always been an easy road, it's not impossible to implement security policies and solutions that keep corporate data secure, protect the privacy of our end users and enable them, and ultimately make us business enablers.

Adam Ely is the Founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led security and compliance at TiVo and held various security leadership roles within The Walt Disney Company where he was responsible for security operations and application security of Walt Disney web properties. Adam is a CISSP, CISA, NSA IAM, MCSE and holds an MBA from Florida State University.