Concerns about mobile threats and potential data leakage have businesses increasingly spending on mobile security technologies, but they frequently lack a sound strategy and policy regarding personal devices, according to a new study.
An IBM survey of more than 40 chief information security officers found mobile security to be the No. 1 most recently deployed technology in the enterprise over the last 12 months. CISOs are concerned about lost and stolen devices and data loss as employees increasingly turn to their smartphones and tablets to tap into corporate systems and files, the study found. In addition, privacy and security in the cloud are top of mind, with data monitoring, auditing, and federated identity and access management trending as early technology deployments at big businesses.
But mobile security is where the gap between technology and policy is perhaps the widest, according to IBM. New security technologies are not necessarily being adopted with a clear understanding of what is being protected, IBM said. Policy isn't a top priority, the firm said in its "2013 IBM Chief Information Security Officer Assessment," released Monday.
"The primary mobile challenge for security leaders is to advance beyond the initial steps and think less about technology and more about policy and strategy," IBM said. "For most of those interviewed, a comprehensive mobile policy and strategy for personal devices is not yet widely used or considered important."
The firm found that 39 percent of those surveyed are planning to develop an enterprise strategy to address the bring-your-own-device phenomenon, but only 29 percent have done so. The CISOs surveyed said getting mobile devices equipped with a management capability was the first priority, followed by implementing encryption and application control on mobile devices to protect sensitive data on the device.
"Although mobile is top of mind and backed by investment, capabilities are still maturing," IBM said.
Some larger systems integrators struggle to work with clients on mobile deployments because they are not typically large multimillion-dollar deals, said Bob Tinker, CEO of MobileIron, a Mountain View, Calif.-based mobile device management vendor. Mobile security deployments typically begin in a phased approach with adoption around a small, focused group of employees before a broader rollout takes place, Tinker said. Organizations are undertaking an inventory of the devices connecting to the corporate network, and they have established a set of guiding principles for mobile security, he said.
"One of the reasons why many of the traditional large systems integrators have real issues gaining success in mobile is because mobile deals don’t start off huge," Tinker told CRN. "It doesn't work that way; mobile tends to run through a land and expand model."
Application security and greater control over the apps and data on the mobile device are getting the biggest focus, Tinker said. Large enterprises are creating core mobile teams consisting of IT operations, security personnel, application teams and line of business managers.
Systems integrators are working with clients to develop an effective strategy, said Tony Giandomenico, director of business solutions at Honolulu-based managed security services provider Referentia Systems Inc. The firm works with privately owned critical infrastructure facilities, healthcare providers and other clients that are considering blocking mobile devices altogether, Giandomenico told CRN. Mobile device management in combination with network access control is also being considered to restrict access to corporate resources, he said.
"Some of our customers are saying 'No, we're not having any mobile devices come on our networks,' while others are looking at some combination of security and networking to restrict it," Giandomenico said.
PUBLISHED OCT. 21, 2013