Mobile Security: Still a Leap of Faith
Practitioners Say Solutions Fail to Keep Pace with Threats
At a recent conference organized by ISMG in Mumbai, I had the opportunity to moderate discussions with practitioners and attendees in the audience, in a unique session held in the world café format. Groups of delegates divided their time across a set of tables, each table focusing on a single topic of discussion in the InfoSec domain.
The topic I moderated was mobile security, and I chose to focus the conversation around the effectiveness and applicability of mobile technologies in Indian enterprises today. Hearing from the assembled practitioners gave me some distinct impressions on where the majority of the participants stood on the issue. Here are a few.
Mobile Security Lacks Assurance
The first question that I asked was whether attendees felt that the mitigations and security technologies in the mobile space today have kept pace with the threat landscape - especially in the Indian context.
Not surprisingly, the overwhelming response to this query was no - some emphatically so, leading me to the conclusion that mobile security technologies in the market today have not delivered the level of reassurance that security practitioners expect.
The reasons are many, but it bears noting that only six participants out of the 50 were either satisfied with the mobile mitigations available, or were ambivalent about the question - which is to say, they believed the answer would hinge on multiple variables, but the technology itself was available.
The two biggest issues that the delegates highlighted were the lack of maturity in existing solutions and their inability to sufficiently reassure user organizations that critical business data was protected. The majority of the participants felt that endpoint controls were not evolved enough to keep up with the developments in mobile platforms and the increasing versatility, functionality and power these devices provide today.
Ironically, while users are increasingly intuitive when it comes to using mobile computing devices, a large number of practitioners in the sample claim that user acceptability of security technologies is a significant challenge to deployment efforts.
Governance and administration of the ever-increasing diversity of mobile devices and the inability of security solutions to keep up with these also emerged as major issues. Device diversity and support for newer devices/platforms (or lack thereof) are giving practitioners sleepless nights and adding to the confusion.
The groups felt that finding skilled personnel to effectively manage mobile security solutions and accountability issues with mobile device management and similar solutions were holding them back from investing in these tools. Overall, if this sample is any indication, my premise holds true: While there was unanimous consensus that mobility has increased the attack surface in organizations significantly, assurance from mobile security solutions today remains low.
This is reminiscent of the BYOD story in India over the past several years, where organizations decided to embrace BYOD, rolling out policies and technologies, expecting - or rather praying - that they could nip in the bud what was obviously going to be a security challenge. Initial euphoria that policies and governance could deal effectively with BYOD challenges gave way to despair, with most dubbing BYOD "bring your own disaster."
While the ecosystem has matured, and the technologies available to administer mobile devices are becoming increasingly granular, the sentiment of all the groups I interacted with speaks to the acceptability of mobile security technologies such as MDM to Indian security practitioners, and perhaps suggests that organizations themselves are not equipped or mature enough to use these effectively.
Several practitioners argued that, just like in the case of BYOD, many organizations need to get their basic people and process equations right, to be mature enough to consider effectively deploying granular MDM-like security solutions. As with BYOD, where many argued that the fault lay with organizations themselves and not the idea of BYOD itself, so it is with mobile security.
With mobile security solutions, the case may be twofold - that organizations are still not mature enough to get the best out of these technologies, and that the solutions themselves have a ways to go before they gain broad acceptability in Indian organizations.