Why Mobility is Good for Security

I should get the Pulitzer for these headlines. It’s only a matter of time until they add blogging to the list of literary/artistic mediums.

What it should say is that BECAUSE of Mobility/BYOD, the spectre of information security raises its head higher than it usually does (which isn’t saying much), thus getting the attention of the senior management, who are either entirely focused on running their business, or busy running it into the ground.

I actually had first-hand experience a while ago of an organisation that is on its way to becoming a BYOD-free zone, and considering what they do, I don’t blame them. At least until they get their security culture and policies sorted out anyway.

Which is kinda the point, as very few things I can think of have put the business side and the IT side into greater confrontation. Business wants increased productivity AND cost savings, and IT Security wants …well …IT security.

I don’t think anyone can deny the inevitable increase in productivity when your work email is sent to the same device you spend vast portions of your life on (usually in order to avoid talking to actual people). But then you also can’t deny that confidential information on a device that is (currently) insecure is a VERY bad idea.

I know there are BYOD ‘solutions’ out there, but none of them work, and most of them are downright crap.

So where do businesses screw up? Easy: they look IMMEDIATELY to technology to solve a problem that (again, currently) only education and policy can solve.

Here’s a scenario:

  1. A salesperson wants to send a classified contract to legal. Should they:
    a. Just send it, because it’s to an ‘internal’ department?
    b. Password protect it, if they have that ability on their mobile device?
    c. Never try to send it from a mobile device?
    d. Follow the corporate policy?
    e. Wait until the next day to send it securely from a known-good device?

The correct answer is d.

Hang on – you may say before hearing the explanation – why are b., c. and e. wrong? They are not wrong, they’re just not right, given that policy ALWAYS trumps what you think is the right thing to do. If corporate policy says you can post classified docs to Facebook for feedback, so be it. Your company will be out of business, and your CEO in jail (hopefully), but that’s a perfect segue to my next point…

Do you think you have the right to question your company’s policies?

The answer is that you absoLUTEly have not only the right, but the obliGAtion to question policies if you consider them in any way discriminatory, incomplete, redundant, inappropriate, unworkable …you name it. Not only that, you have a further obligation to help enforce those policies; it’s your company as well.

Policies are supposed to be the parameters upon which the corporate culture is founded. They define the CEO’s perspective on everything from community programmes, to acceptable use, to expenses, and if the CEO doesn’t bother to create them (or at least approve them), as well as evangelise them, they will not be followed.

So, back to my favourite phrase: “Let’s be very clear; the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [secure BYOD through policy enforcement], it’s the CEO’s fault, and no-one else’s.”

If you don’t think policy is the way to go on this, let me ask you one question: would you follow company policy if this was the language in it? ‘All employees are strictly forbidden to send confidential information from their mobile devices. All confidential data must be deleted immediately, and the matter reported to [department]. Any breach of this policy will result in dismissal, and subsequent legal action if deemed appropriate.’

I would.

The 4 Foundations of Security

So far I have focused on the Core Concepts of security, and how they are the basic building blocks of a security programme. Well – and to continue the clichéd architectural analogy – these 4 things are the foundations on which those building blocks sit:

1. Management Buy-In / Culture – Hah, weren’t expecting that, were you!? At least 3 of my posts have placed the vast majority of the responsibility – for everything from PCI compliance to customer service – firmly on the shoulders of the CEO (or equivalent).

Unless your company IS a security company of some sort, security is an expense, and whether or not that expense is seen as a business enabler (which it is) depends on the CEO’s attitude towards it.

Whether you’re starting an assessment at your client’s site, trying to implement a security programme at your current employer, or interviewing for a job as an internal auditor, the CEO’s attitude toward security will make the difference between success and banging your head against the wall, so ask about it early.

It may well be your JOB to change the CEO’s attitude toward security. If so, you’d better have a VERY good argument, and it had better involve making or saving a ton of money (or making them look good …or both).

2. Policies & Procedures – Amazing how many people groan at this, and even security professionals cringe at the ‘paperwork’ they have to trawl through.

That’s a shame really, because without that paperwork you will never HAVE security. It’s your company’s instruction manual for how to do what you do, properly, responsibly, and securely. Anyone who’s put together a chest of drawers from Ikea knows exactly what I mean; maybe, and I mean MAYBE, you could work it out for yourself, but how much more painful would that be? It’s bad enough WITH the instructions!

Your policies and procedures let all employees know what to do, and, as importantly, what NOT to do. It’s enough that the thieves want to steal your data; why make things worse by not preventing your own employees from giving it away!?

3. Governance – As I have mentioned in previous articles, few phrases in security are perceived to be more ambiguous, open to interpretation, or complicated.

Wikipedia says; “Information Technology Governance is a subset discipline of corporate governance focused on information technology (IT) systems and their performance and risk management.”  It also says; “IT governance systematically involves everyone: board members, executive management, staff and customers. It establishes the framework used by the organization to establish transparent accountability of individual decisions, and ensures the traceability of decisions to assigned responsibilities.”

I can simplify this to; “IT Governance is the business side and the IT side having meaningful conversations.”  Group hug anyone?

It does not have to be complicated, it just has to be appropriate. You don’t have to hire additional people to run it, you just have to assign the tasks, responsibilities, and accountability. You don’t have to follow its decisions rigidly; all businesses have an exception process (usually informal, and often consisting of someone very high up on the business side telling you to do it anyway).

IT, and especially IT security, are often seen as roadblocks to the business, and circumvented where possible. The IT departments themselves are often just as much to blame for this. IT’s job is to help the business do something right the first time, and it can only do this if it is in on the plans from the beginning.

4. Education & Training – While this is closely linked to policy and procedure, I’ve broken this out separately because of its importance. You simply can’t expect non-security experts to keep up with the latest threats all by themselves; it’s not their job. In the same way that I do not keep up with changes in the tax codes (that’s my accountant’s job), or the latest in social media advertising (that’s marketing’s job), everyone else relies on us to tell them what they need to know.

This training and ongoing education cannot be allowed to become marginalised, and must be kept fresh and interesting.

If your security programme is not where you want it to be, or you are frustrated at the lack of progress, there is a very good chance that one or all of these foundations is missing.

I’m not saying you can’t hope to make ANY progress, but it will be needlessly inefficient, time consuming, and expensive. Not to mention much harder to maintain. I have only ever seen organisations achieve Business As Usual security when all 4 of these foundations are in place.

I will be individually expanding on the 6 Security Core Concepts, and putting them into context with these foundations. Eventually I hope to provide more specific guidance on how to take this theory and put it to practical use, but it’s time for dinner…
