Enterprises and government agencies are mobilizing at a rate that is both brisk and alarming. End users are adopting mobile devices and applications far faster than IT and InfoSec organizations can certify or validate information assurance and regulatory compliance across their respective enterprises. Some devices and services, such as those from Research In Motion, are more mature in handling the complexities of enterprise security and intranet application mobility. But at least as far as the press buzz is concerned (I’m sure data will support the buzz), rapid adoption of devices that were not designed with an enterprise security focus (such as Apple’s iPhone), and of mobile applications that have nothing to do with enterprise productivity or security (YouTube, Twitter clients, Facebook, and many social networking apps and services), will present ever-increasing risks to security and workplace productivity.
A recent article in The Economist titled Big Brother Bosses is yet another chapter in the story of how companies are concerned about what their employees are up to online. Is it helping my company make money? Is it saving my company any money? Is it making the particular employee do his/her job better so that there is a benefit to the company and its shareholders? In the case of a YouTube app streaming cool music videos on an employee’s iPhone while they’re taking an impromptu “break”, the answer is no.
There are many perspectives on the impact of mobility on workplace productivity, information security and regulatory compliance.
The CFO: Am I getting the most from my workforce? How do I subsidize, and whom do I subsidize, given the corporate liability exposure to whatever these employees do on their mobile devices? Mobility is intuitively a huge productivity enhancement, but only if I ensure that the RIGHT employees are using these types of devices in the RIGHT way.
The CIO: How do I support the mobilization of my enterprise without sacrificing security and productivity AND not turn my infrastructure and management upside down? This includes both the mobile phones and mobile desktops (i.e., laptops and netbooks).
The CSO/CISO: Much the same as for the CIO, but usually with a stronger and deeper focus on security, both now and going forward.
The Employee: I want to be able to do my job anytime, anywhere, and on any device. But I also don’t want my privacy intruded upon.
The HR Manager: How do I implement corporate policies that clearly articulate the right and wrong usages of mobile devices, services, and applications? More importantly, if we speculate there are issues, how do I enforce it without exposing the company to lawsuits by employees?
The Regulator: I know how to craft Sarbanes-Oxley et al. requirements for the various corporations (public or private) that are bound to comply. But as perimeters break down, the IT network edge morphs, and mobile/wireless adoption continues to increase, how do I audit and verify compliance with the same regulations?
So what is the solution? There is no one-size-fits-all answer in terms of technology, rules of thumb, architecture or policy definition. It is literally the “it depends” answer. But here is what I recommend:
– Speak to your peers in other organizations about what they are doing about it.
– Get some free consulting from the private security consultants who are active in your industry/vertical.
– Ask your vendors for their opinions, but have a big grain of salt on the side.
– Read…a LOT! There is a ton of information out there: white papers, blogs (like this one), trade rags, analyst reports, news/press, etc. Get informed so that you can refute or agree with the opinions that will be blasted at you.
– Don’t forget common sense! This is self-explanatory.
I would love to hear your comments, flames, rhetoric, opinions, and general feedback on these topics.