Should IT Managers be Worried that the Security of their Mobile Workforces will Depend on the Whims of Apple and Google?
Friends, RIM fans, consumers: I come here to bury the PlayBook, not to praise it.
Last spring I suggested that October 19th, 2011 would be a momentous day for the information security industry. In less than three weeks from today, Research in Motion’s PlayBook tablet will have been on the market for six months. I predicted that if sales of the device were less than 1/4 of the number of iPads sold, we would know what the next five years of enterprise security would look like. In short: a world in which consumer brands had relegated enterprise CIO favorites such as RIM to niche status. Security, like the broader IT landscape of which it is a part, would be well on the way to being thoroughly consumerized.
It's nearly six months since the PlayBook launched. How did RIM do? Not so well, as it turns out. In its first quarter on the market, RIM shipped 500,000 PlayBooks. Not great, but not bad for a new product. In its most recent quarter, however, RIM shipped sixty percent less: just 200,000 units in its second full quarter of sales. Worse, BGR and other sites have reported that retailers are heavily discounting the PlayBook to clear their inventories of unsold units. That suggests that not many corporations or consumers actually bought what RIM shipped through the channel.
Assuming a generous 75% sell-through rate after returns, bona fide sales of PlayBook likely didn't come to much more than about 525,000: about 90% short of my 6 million unit target. By contrast, Apple shipped nearly 14 million iPads in the last two trailing quarters, and stated that they sold every one they made. That is twenty-five times more iPads than PlayBooks sold. By that standard, the PlayBook is a failure. The PlayBook failed for many reasons.
RIM assumed that its security credentials, such as FIPS 140-2 certification, would prove so compelling that IT managers would order PlayBooks instead of those pesky "amateur hour" iPads. RIM was wrong about that: with several years of iPhone experience under their belts, the iPad is no longer threatening. RIM assumed customers would prefer the PlayBook's 7-inch form factor to those of larger devices. RIM was wrong about that, too: like the ill-fated Dell Streak, the PlayBook was too big to be a phone, and too small to do any useful work with. And perhaps strangest of all, RIM assumed customers would prefer engineering-driven features such as "true" multitasking, high-end graphics hardware and the "real" Internet — by which they meant Adobe Flash. RIM was completely wrong about that too: consumers didn't care enough about these things to move many units, and their coveted business customers cared even less.
The PlayBook is not a bad product, just a weak one; certainly, weaker than what was needed to keep the market vibrant and competitive. By contrast, Apple is killing it in tablets. Android is dominating smartphone sales. Windows Phone and Windows 8 won't be a factor until 2013 at earliest. With RIM and Microsoft as non-factors, Apple and Google win the mobile computing market by default, and will likely control it for the next five years. As a result, these two companies will increasingly influence the security of our increasingly mobile workforces.
Should IT managers be worried that the security of their mobile workforces will depend on the whims of Apple and Google? Absolutely not. In the case of Apple, the security policy options in iOS meet the needs of most enterprises. The platform protections in iOS are relatively strong, as my friend Dino Dai Zovi describes in his recent paper, limiting the risk of compromise. The App Store largely eliminates the risk of side-loading malicious mobile code. In addition, the mobile device management (MDM) APIs in iOS have enabled a vibrant ecosystem of management tool vendors to emerge. The combination of these four things means that the Post-PC iPhone and iPad devices can be safer to use than the PCs they are often replacing, and can be managed more effectively as well. Android, in my view, is still a work is progress from the point of view of enterprise security, but MDM products can help here, too. If your company has a substantial device population, you should be looking at MDM products today, and planning to deploy them in 2012.
As sad as the failure of PlayBook might seem, security-conscious IT managers shouldn't mourn. That the PlayBook wasn't — and won't be — a hit is not surprising in retrospect. What would be surprising, though, is if we fail to learn the important lesson from its example. Consumerization is here. It is not going away. It will steamroller attempts to standardize; it will squash legacy device brands; and it will cause the devices touching your company's network to perpetually churn as employees to impulsively replace their gear. Be prepared, and get ready for your next big adventure.