Risk assessments, application testing, access controls, and proactive planning top the list

In 2012, ESG research asked 315 security professionals working at enterprise organizations (i.e., more than 1,000 employees) about the impact of mobile computing on security management and operations. It turned out that the impact was substantial: 30% of organizations said that mobile devices made security management and operations “much more difficult,” while 32% said that mobile devices made security management and operations “more difficult.”

Mobile computing and BYOD projects remain immature and difficult as we move into 2014, but large organizations are starting to gain experience. To tap into this expanding knowledge base, ESG recently conducted a research project dedicated to mobile computing security and asked 242 enterprise security professionals to identify mobile computing security best practices that they would recommend to an organization with less experience. Here is a list of the top 5 responses along with my editorial comments.

• 22% of enterprise security professionals say, “create a full risk/threat assessment before creating policies or deploying security controls.” Good advice, and often ignored: many don’t put in the work upfront and then panic when the security poop hits the fan. Aside from these risk/threat assessments, CISOs should also make sure that they have at least one person on staff who really knows what’s happening in the mobile computing security world (i.e., malware, cybercrime, device vulnerabilities, etc.) so they can adjust policies/controls as needed.

• 18% of enterprise security professionals say, “test the security of internally-developed and third-party applications.” Yup, many organizations are behind here, and as they catch up they tend to focus on testing internally-developed applications alone. It’s important to also assess third-party applications; there’s a lot of insecure mobile code out there.

• 18% of enterprise security professionals say, “create specific roles and access policies for mobile users/devices based upon multiple business/IT factors.” This is sometimes referred to as contextual security or granular access controls. The point here is that access policies should be tuned to things like user role, network (i.e., LAN vs. public network), location, device type, device status, time of day, new threats/risks, etc. Mobile computing and security vendors like Cisco, Extreme/Enterasys, Forescout, Good, IBM, Juniper, McAfee, MobileIron, and Palo Alto Networks are doing some good work here.

• 18% of enterprise security professionals say, “realize that mobile computing is unique and may not fit neatly into existing security controls, processes, and monitoring.” In colloquial terms, ‘don’t try to put a square peg in a round hole.’ The pattern here suggests that CISOs should spend time understanding mobile device use cases, risk, and business use, and then proceed to creating, implementing, and enforcing the right security policies.

• 17% of enterprise security professionals say, “include privacy and legal requirements in the overall mobile security strategy.” In light of the NSA boondoggle, this seems like sound guidance to me. It is especially true in BYOD initiatives, where the device, cellular service, and some apps and data actually belong to the user and not the corporation. If employees are afraid of their CIO playing “big brother,” they may not use their mobile devices the way that business managers want them to.

In general, security professionals emphasize the need for planning, knowledge, and specific processes and controls for mobile computing security. If those aren’t best practices, nothing is.
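To make the “contextual security” idea in the third recommendation concrete, here is an added example of a small policy engine that maps the factors the survey respondents list (role, network, location, device type and status, time of day, threat level) to an access decision. It is illustrative code written for this page, not code from the article or from any of the vendors named above; the rule names, the resource and role labels, the sanctioned-country list and the business-hours window are all hypothetical.

```python
"""Contextual (granular) access control for mobile users and devices.

Added illustrative example; not code from the article or from any vendor
product it names. The policy engine, rule names, factors and thresholds are
hypothetical. A request carries several context factors and an ordered rule
list maps it to ALLOW, STEP_UP (require extra authentication), READ_ONLY or
DENY. The first matching rule wins, and an unmatched request is denied.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AccessContext:
    """The factors the article lists: role, network, location, device type and
    status, time of day, and current threat level."""
    user_role: str          # "finance", "sales", "contractor", ...
    resource: str           # "erp", "hr", "email", "wiki", ...
    network: str            # "corp_lan", "corp_vpn" or "public"
    country: str            # where the user currently is
    device_type: str        # "laptop", "phone" or "tablet"
    device_managed: bool    # enrolled in corporate device management
    device_compliant: bool  # passes posture checks (patched, encrypted, not jailbroken)
    hour: int               # local hour of day, 0-23
    threat_level: str = "normal"   # "normal" or "elevated"


@dataclass(frozen=True)
class Rule:
    name: str
    decision: str           # ALLOW, STEP_UP, READ_ONLY or DENY
    when: Callable[[AccessContext], bool]


SENSITIVE = {"erp", "hr"}               # resources that hold regulated data (hypothetical)
BYOD_OK = {"email", "wiki"}             # low-risk apps allowed on personal devices
ALLOWED_COUNTRIES = {"US", "CA", "UK"}  # hypothetical sanctioned locations


def in_business_hours(ctx: AccessContext) -> bool:
    return 7 <= ctx.hour < 20


# Evaluated top to bottom; deny rules come first so a later allow cannot shadow them.
POLICY: List[Rule] = [
    Rule("managed-but-noncompliant-device", "DENY",
         lambda c: c.device_managed and not c.device_compliant),
    Rule("erp-is-finance-only", "DENY",
         lambda c: c.resource == "erp" and c.user_role != "finance"),
    Rule("sensitive-data-needs-managed-device", "DENY",
         lambda c: c.resource in SENSITIVE and not c.device_managed),
    Rule("unexpected-location", "DENY",
         lambda c: c.country not in ALLOWED_COUNTRIES),
    Rule("contractor-off-corporate-network", "DENY",
         lambda c: c.user_role == "contractor" and c.network == "public"),
    Rule("elevated-threat-sensitive-read-only", "READ_ONLY",
         lambda c: c.threat_level == "elevated" and c.resource in SENSITIVE),
    Rule("sensitive-off-lan-or-after-hours", "STEP_UP",
         lambda c: c.resource in SENSITIVE
         and (c.network == "public" or not in_business_hours(c))),
    Rule("managed-device-on-corporate-network", "ALLOW",
         lambda c: c.network in {"corp_lan", "corp_vpn"} and c.device_managed),
    Rule("byod-low-risk-apps", "ALLOW",
         lambda c: c.resource in BYOD_OK and c.device_type in {"phone", "tablet"}),
]


def evaluate(ctx: AccessContext, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (decision, matching rule name); default deny if nothing matches."""
    for rule in policy:
        if rule.when(ctx):
            return rule.decision, rule.name
    return "DENY", "default-deny"


# Constructed sample requests: the same finance user under changing context.
SAMPLES: Dict[str, AccessContext] = {
    "office, managed laptop, 10:00":
        AccessContext("finance", "erp", "corp_lan", "US", "laptop", True, True, 10),
    "coffee shop, managed laptop, 10:00":
        AccessContext("finance", "erp", "public", "US", "laptop", True, True, 10),
    "VPN, managed laptop, 23:00":
        AccessContext("finance", "erp", "corp_vpn", "US", "laptop", True, True, 23),
    "office, managed laptop, elevated threat":
        AccessContext("finance", "erp", "corp_lan", "US", "laptop", True, True, 10, "elevated"),
    "personal phone, ERP":
        AccessContext("finance", "erp", "public", "US", "phone", False, True, 10),
    "personal phone, email":
        AccessContext("finance", "email", "public", "US", "phone", False, True, 22),
    "personal laptop on LAN, wiki":
        AccessContext("finance", "wiki", "corp_lan", "US", "laptop", False, True, 10),
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Evaluate every constructed sample and return its (decision, rule)."""
    return {label: evaluate(ctx) for label, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for label, (decision, rule) in run_samples().items():
        print(f"{label:42} -> {decision:9} ({rule})")
```

Two design points worth copying into a real deployment: deny rules sit ahead of allow rules so that a broad allow can never shadow a device-posture or location block, and the engine ends in default deny, so a request nobody anticipated (here, a personal laptop on the corporate LAN) is refused rather than silently permitted. In practice the context fields would be populated from the MDM/NAC and threat-intelligence feeds the vendors above provide, and the decision would be re-evaluated whenever device status or threat level changes, not only at login.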