SecurityWeek

CISO Perspective: Becoming a Business Enabler

Visibility is Key in Mobile Security: Without it We Cannot Know Where Data is Going, or How it’s Being Stored…

A few years ago, while preparing for a talk, I read a statistic about the expected explosive growth of mobile. At the time I did not believe the numbers, but looking back over the last several years, I realize that mobile really has created the biggest technological shift for the enterprise, both in the technology itself (giving employees the ability to choose their own devices and tools and to control how they use them) and in the way that organizations manage risk.

The mobile landscape is changing rapidly, creating new challenges and opportunities for CISOs tasked with balancing business enablement and risk. The popularity of BYOD and employee use of mobile apps (whether sanctioned or not) has catapulted mobile security to the top of the priority list. Security teams and lines of business have reached a turning point on BYOD. It’s now become more important than ever for the CISO to figure out how to manage risk without inhibiting users.

Enabling BYOD for Productivity

This begins by understanding mobile and how it is used within the organization. We're all mobile users. I remember when I replaced my beloved Blackberry with my first iPhone and the excitement I felt at how easy it was to push the limits of what I could do. However, the CISO side of me was also frightened at how easy it was to push the boundaries, and I didn't want my users doing what I was doing. Initially this meant that I was a little heavy-handed with the lock-down and control of mobile within my organization, but it also meant that I understood the risks and rewards of mobile.

CISOs need to be adopters of mobile themselves, using applications that make their lives easier so they truly understand the opportunities and the restrictions currently in place. Furthermore, CISOs must find ways to ease mobile adoption by implementing controls that are flexible enough for teams to switch applications without the extensive delays caused by security reviews and vetting, allowing them to adopt new tools in days, not months.

This understanding goes both ways. It's important for IT to understand the needs of the users, but while I was a CISO it was also my job as the head of IT to make sure everyone in the organization understood the potential risks of mobile. As CISOs, we need to make sure that the entire business understands the value of the corporate data they are putting on their devices. We need to explain the risks of jailbroken devices, of downloading from untrusted third-party app stores, and of storing corporate data on these devices.

I've said it before and I'll say it again: visibility is key in the mobile security equation. Without it we cannot know where the data is going, or how it's being stored. This goes beyond an inventory of apps. A recent study found that employees use seven times as many apps for work as IT estimated. We need to know which apps are actually being used as well as what data is traveling through these applications. Only then can we truly know where our data is.

Mobile is similar to desktop in the sense that users move data before we know about it. As a result, we must have controls to prevent data movement or protections to ensure that if data is moved it is encrypted and can’t be accessed from unprotected applications. This way, we are not solely relying on what we’re told, we are acting on actual data.

The number one reason mobile security implementations fail is the introduction of overreaching controls that infringe on employee privacy or restrict employees from doing their job efficiently. In these cases, users find ways around the controls, thereby increasing risk. In a poll of 3,200 employees by Fortinet, slightly over half said that they would ignore their employers' formal BYOD policies. No one can afford for half of their employees to disregard security policies! At the end of the day, our job is not to restrict the employee; it's to ensure they can conduct business securely.


Similarly, privacy is not something that should be overlooked. BYOD has really changed privacy in the enterprise and has increased employee expectations of privacy. Since employees are using their personal devices for work (something that benefits the company), we must respect their privacy.

We can find a healthy balance between privacy, security and productivity by giving users input on the processes and controls that affect them and their work. Users will respect you more if you bring them into the fold than if they are simply locked down without any consideration. If the controls are designed properly, they will work well and meet both the privacy and productivity needs of the employee and the security needs of the CISO.

Of course, communication is vital to this. A recent study found that 33 percent of employees had no idea whether or not their employer had a BYOD policy in place. Technology can help enforce security policies, but you need to connect and educate as well. If we are transparent about why we're implementing policies and take employee needs into consideration when creating them, I've found that most employees will accept and embrace them.

Mobile has changed the game for everyone, but just as this amazing technology has created new ways for us to collaborate, so too has it created an opportunity for IT to work better with our end users. While it hasn't always been an easy road, it is possible to implement security policies and solutions that keep corporate data secure, protect the privacy of our end users, and enable them, and in doing so to become business enablers ourselves.
