IT organizations (ITOs) are struggling to constrain the use of employee-owned mobile devices for work activity. On the one hand, the business benefits from increased productivity and employee satisfaction without a commensurate cost. On the other hand, organizations lose control of corporate data and set themselves up for higher transition costs later. How can organizations reap the business benefit of mobility without the loss of control?
META Trend: Investment in strategic security processes will focus on formalizing risk (2004/05) and trust (2005-07), with increasing attention to awareness/communication and policy. Demand for formal certification of security resources (internal, professional/managed services) will continue to rise through 2007. Statutory (privacy, cybercrime, critical infrastructure) and business requirements (corporate governance, mitigation of technology risk) will drive maturation of internal compliance programs until at least 2008, varying somewhat in time frame due to national/regional diversity.
Mobile devices such as laptops, personal digital assistants, smart phones, and USB storage are rapidly increasing in capability while also declining in price. By their very nature, mobile devices are more prone to loss and theft, are less mature, and often operate outside the network perimeter, making them highly vulnerable to attack. End users seeking to improve personal productivity and to achieve a better work/life balance are bypassing the budget-constrained IT procurement process and buying such devices themselves. When these devices are used for corporate activities, they open up a Pandora’s box of security and management concerns. Concurrently, organizations are struggling to more actively manage information risk in light of regulation and compliance issues. Although organizations have benefited from increased productivity and worker satisfaction at no cost, we believe security risk and future integration costs of this informal approach are rising rapidly.
Our research indicates that fewer than 10% of organizations have a formal and comprehensive mobile security policy. Organizations must develop a security policy appropriate for the type of device and the information it contains, and provide a program that will foster policy compliance without needlessly constraining personal productivity.
To get back in control of mobile security, organizations should perform the following: