In 2012, ESG research asked 315 security professionals working at enterprise organizations (i.e. more than 1,000 employees) about the impact of mobile computing on security management and operations. It turned out that the impact was pretty substantial: 30% of organizations said that mobile devices made security management and operations “much more difficult,” while 32% said that mobile devices made security management and operations “more difficult.”

Mobile computing and BYOD projects remain immature and difficult as we move into 2014, but large organizations are starting to gain experience. To tap into this expanding knowledge base, ESG recently conducted a research project dedicated to mobile computing security, and asked 242 enterprise security professionals to identify mobile computing security best practices that they would recommend to an organization with less experience. Here is a list of the top 5 responses along with my editorial comments.

• 22% of enterprise security professionals say, “create a full risk/threat assessment before creating policies or deploying security controls.” Good advice, and often ignored: many don’t put in the work upfront and then panic when the security poop hits the fan. Aside from these risk/threat assessments, CISOs should also make sure that they have at least one person on staff who really knows what’s happening in the mobile computing security world (i.e. malware, cybercrime, device vulnerabilities, etc.) so they can adjust policies/controls as need be.

• 18% of enterprise security professionals say, “test the security of internally-developed and third-party applications.” Yup, many organizations are behind here, but as they catch up they also tend to focus on testing internally-developed applications alone. It’s important to also assess third-party applications – there’s a lot of insecure mobile code out there.

• 18% of enterprise security professionals say, “create specific roles and access policies for mobile users/devices based upon multiple business/IT factors.” This is sometimes referred to as contextual security or granular access controls. The point here is that access policies should be tuned to things like user role, network (i.e. LAN vs. public network), location, device type, device status, time-of-day, new threats/risks, etc. Mobile computing and security vendors like Cisco, Extreme/Enterasys, Forescout, Good, IBM, Juniper, McAfee, MobileIron, and Palo Alto Networks are doing some good work here.

• 18% of enterprise security professionals say, “realize that mobile computing is unique and may not fit neatly into existing security controls, processes, and monitoring.” In colloquial terms, ‘don’t try to put a square peg in a round hole.’ There is a pattern here suggesting that CISOs should spend time understanding mobile device use cases, risk, and business use, and then proceed to creating, implementing, and enforcing the right security policies.

• 17% of enterprise security professionals say, “include privacy and legal requirements in the overall mobile security strategy.” In light of the NSA boondoggle, this seems like sound guidance to me. This is especially true in BYOD initiatives, where the device, cellular services, and some apps and data actually belong to the user and not the corporation. If employees are afraid their CIO is playing “big brother,” they may not use their mobile devices the way that business managers want them to.

In general, security professionals emphasize the need for planning, knowledge, and specific processes and controls for mobile computing security. If those aren’t best practices, nothing is.
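To make the "contextual security" recommendation above concrete, here is an added example of a small context-aware access policy engine. It is illustrative code written for this page, not ESG's research or any of the named vendors' products; the roles, resource tiers, business hours and posture flags are assumptions chosen for the demonstration. It evaluates a mobile access request against the factors the post lists (user role, network, device type, device compliance status, time of day, and current threat level) and returns allow, deny, or a step-up (MFA) requirement with a reason that can be logged for review.

```python
"""Context-aware (granular) access policy evaluation for mobile devices.

Added example for this page: a hypothetical policy engine, not ESG's or any
vendor's code. All roles, resources, tiers and thresholds below are assumed.
"""
from dataclasses import dataclass
from datetime import time
from typing import Tuple

ALLOW, DENY, STEP_UP = "allow", "deny", "step_up"


@dataclass(frozen=True)
class RequestContext:
    role: str               # assumed roles: "employee", "contractor", "admin"
    network: str            # "corp_lan" or "public"
    device_type: str        # "corporate_managed" or "byod"
    device_compliant: bool  # MDM posture check passed (patched, not jailbroken)
    local_time: time        # time of day where the request originates
    resource: str           # "email", "crm", "hr_records", "admin_console"
    threat_level: str = "normal"  # "normal" or "elevated" (from threat intel)


# Assumed data-sensitivity tiers: 1 = low, 3 = highly sensitive / privileged.
SENSITIVITY = {"email": 1, "crm": 2, "hr_records": 3, "admin_console": 3}

# Assumed role model: which roles may reach each resource at all.
ROLE_ACCESS = {
    "email": {"employee", "contractor", "admin"},
    "crm": {"employee", "admin"},
    "hr_records": {"admin"},
    "admin_console": {"admin"},
}

# Assumed business hours used for the time-of-day factor.
BUSINESS_HOURS = (time(7, 0), time(20, 0))


def evaluate(ctx: RequestContext) -> Tuple[str, str]:
    """Return (decision, reason).

    Rules run most-restrictive first: hard denies short-circuit, then
    conditions that demand step-up authentication, then the allow path.
    """
    # 1. Role: no grant for this resource means deny regardless of context.
    if ctx.role not in ROLE_ACCESS.get(ctx.resource, set()):
        return DENY, "role not permitted for resource"

    tier = SENSITIVITY[ctx.resource]

    # 2. Device status: a non-compliant device only gets low-tier data, with MFA.
    if not ctx.device_compliant:
        if tier >= 2:
            return DENY, "non-compliant device cannot reach sensitive data"
        return STEP_UP, "non-compliant device: require MFA for low-tier access"

    # 3. Device type: tier-3 resources are never reachable from unmanaged BYOD.
    if tier == 3 and ctx.device_type == "byod":
        return DENY, "unmanaged device cannot reach tier-3 resource"

    # 4. New threats/risks: an elevated threat level forces MFA above tier 1.
    if ctx.threat_level == "elevated" and tier >= 2:
        return STEP_UP, "elevated threat level: require MFA"

    # 5. Network + time of day: off-hours access from a public network to
    #    tier-2 or higher data requires MFA.
    in_hours = BUSINESS_HOURS[0] <= ctx.local_time <= BUSINESS_HOURS[1]
    if ctx.network == "public" and tier >= 2 and not in_hours:
        return STEP_UP, "off-hours access from public network: require MFA"

    # 6. Privileged resources always require MFA, even from the corporate LAN.
    if ctx.resource == "admin_console":
        return STEP_UP, "privileged resource: always require MFA"

    return ALLOW, "all policy conditions satisfied"


if __name__ == "__main__":
    # Constructed sample requests to show each decision path.
    samples = [
        RequestContext("employee", "corp_lan", "byod", True, time(10, 0), "email"),
        RequestContext("employee", "public", "byod", True, time(23, 0), "crm"),
        RequestContext("admin", "corp_lan", "byod", True, time(10, 0), "hr_records"),
        RequestContext("contractor", "corp_lan", "corporate_managed", True, time(10, 0), "crm"),
        RequestContext("admin", "corp_lan", "corporate_managed", True, time(10, 0), "admin_console"),
    ]
    for req in samples:
        decision, reason = evaluate(req)
        print(f"{req.role:>10} {req.resource:<14} {decision:<8} {reason}")
```

The point of separating the decision from the reason is operational: when the risk/threat assessment changes (a new device vulnerability, an elevated threat level), the rule set is adjusted in one place, and every denied or stepped-up request carries a reason string that security operations can log and review rather than a bare access failure.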