Sophos just released a study [link] titled "Risk of an Uncertain Security Strategy." Conducted by the Ponemon Institute, it surveyed SMBs (ranging up to 5000 employees) to get a better sense of how they handle security.
The report was released with the headline, "SMBs Need Help To Better Understand Cyber Attack Threats."
Predictably, many cite the study as a sign that people (namely executives) "just don't get it."
I see it differently: It provides another set of data suggesting that security, at large, is failing to create, measure, and effectively communicate value. It means the Sophos title is accurate (and broader): businesses need help to better understand.
Businesses naturally manage risk. All risks, including finding and increasing revenue. Part of the process is the search for and adoption of new solutions and technologies that reduce the cost and increase the capability of driving new revenue.
Enter: bring your own device (BYOD)
Heralded by some as the answer. Cited by others as nothing more than the coming disaster. Regardless, the BYOD phase of working is here.
When listening to the briefing points and reviewing the questions, I saw a different pattern: an opportunity to benefit business while increasing security.
Due to the continued struggle for security to create, measure, and effectively communicate value, BYOD is poised to increase security and lower risks -- while providing a demonstrable value to the business.
Making the Case for BYOD in 3 Charts
The graphs are courtesy of Sophos and Ponemon (was easier than making them again myself) from the briefing they provided.
When asked about the challenges that prevent a fully effective IT security posture, the following findings were shared:
"Intelligence to Stop Exploits is Not Actionable"
My takeaway from this image is that the big challenge is that lack of experience, coupled with lack of understanding, puts people in a tight spot.
"Challenges that prevent a fully effective IT security posture (two responses permitted)"
- Management does not see cyber attacks as a significant risk: 58%
- Not a priority issue: 44%
- Insufficient budget: 42%
- Lack of in-house expertise: 33%
- Insufficient personnel: 8%
- Lack of clear leadership: 6%
- No understanding how to protect against cyber attacks: 5%
- Lack of collaboration with other functions: 5%
The study focused on SMBs, but these results felt similar to larger enterprises, too. It squarely supports the point that security struggles to create, measure, and communicate value.
The next slide is what brought things together for me:
"How Mobile Devices Affect Security Posture"
When probed, it turned out that the person asked how mobile devices affect security posture was the person responsible for the technology, not the business leader.
It’s a limited field of view. It’s a perception issue, and it’s wrong.
Why BYOD increases security
Running a business, especially a small business, is hard work with a lot of moving pieces and areas that **demand** attention. Most companies are not started with security in mind. This makes SMBs a ripe target; as a result SMBs are under increasing attack.
Trying to teach (or force) people a new set of behaviors, and to wholesale change how they run their business to be more in line with current practices, is expensive and risky.
Consider the number of global corporations with significantly more budget, professional expertise, and outside assistance that continue to fall prey to attacks. Daily, it seems.
The better option is to encourage businesses to outsource more. To engage in "the cloud." To allow BYOD.
The charts above suggest that the average SMB lacks the understanding, expertise, and ability to provide comparable security to popular, battle-tested, and constantly evaluated/reviewed solutions that enable BYOD.
In the process of encouraging the adoption of enterprise-grade services with robust security programs, businesses actually upgrade their security.
That creates the perfect opportunity for security to provide value.
The opportunity for security (making BYOD work by providing value)
Computing is a utility, or heading down that path. That means pooling resources and efforts to improve popular and emerging solutions is more valuable. Focus on making security an integrated and essential component of the utility of computing.
Partner with providers to help *them* adopt better ways to protect information. Improve the shared services that small, medium, and large businesses are using and likely to use.
Find a way to enhance the security without forcing trade-offs that cause people to look for "creative solutions" that lead to bigger risks.
This realization evolves beyond Draconian BYOD policies
At a recent conference, I listened to a number of CISOs explain that they love BYOD because it allows them to enforce "my way or the highway" policies and "force people into trade-offs" in the name of security.
I cringed. I even lost sleep over it. Sometimes we're our own worst enemy.
To be clear: this is not a suggestion to increase BYOD through Draconian policies and ruling with an iron fist.
That's a strategy destined for trouble. CIO recently explored that topic in "How BYOD Puts Everyone at Legal Risk" and concluded that the approach increases legal risk.
Longer term: learn to communicate the value of security
This doesn't absolve the need to create, measure, and effectively communicate value. This approach works in conjunction with it.
Show providers the value (in fact, I have some examples of providers doing just that to explore in the coming weeks). Then help business owners, decision makers, and influencers understand what they need to know.
Not everything we know, but just the elements they need to make more informed decisions. That’s our job.