A bit controversial that title eh? Is Graeme at it again – biting the hand that clothes, feeds and wines him?
Not quite. But I had an interesting chat today with a chap that got me thinking. The chap in question works for a very large company indeed, and he is involved deeply with security. We were discussing over a pint the world of mobile security. Mobility is hot to trot right now – described by a colleague from Microsoft recently as one of the ‘two symbiotic megatrends of our age’, bless him. Megatrend or not, you can’t move for vendors bringing out new tablets and smartphones every two minutes, all desperate to take a bite out of Apple’s erm . . . apple. Debates are hotly contested about the merits of Bring Your Own Device (BYOD) and consumerisation.
Well, tough luck everyone, there is no debate. There is no discussion to be had, because it’s here. Even if corporate IT aren’t issuing the things, people are taking their iPads to meetings, using them to write up on the fly, emailing it to their work email address and then watching a film on the train home.
And guess what? Security isn’t even a consideration. It’s their iPad. They aren’t having some bloke in an Iron Maiden t-shirt from IT mess about with it so corporate can get all Big Brother over their personal device. And you can’t even complain to the seniors upstairs, partly because they also have a shiny iPad they use, but also, why should they care? The staff are more mobile, more productive and happier than before, for less capital outlay. And even if the company buys them one as part of the staff retention policy, it’s cheaper than a laptop and makes the company look cool, sexy and cutting edge.
So, if it’s happening anyway, and the execs don’t care because staff are staying, and are more productive and happy as a result, then Mr Security-IA-killjoy man, this is a risk I will put up with. So no, no money for your security project. Go away. Aha, I say, but what about the risk of data loss? And reputational damage? Look at Sony: one major breach and millions off the value of the company. Or in my world perhaps, maybe the NHS Authority gets in the press and you, Mr Chief Exec, have to go and explain why you’ve lost another CD of data? In the corporate world, the Exec just sneers and asks me to have a look at the stock market right now. A man sneezes somewhere in Albania and the markets go into frightened freefall. The NHS CEO spends his days getting kickings from all over the place, and losing data is soooo last year.
The serious point here is that when senior staff balance the perceived potential risk of loss versus the returns of a happy mobile and productive workforce, it’s no wonder the shiny wondergizmos are everywhere.
So is it really dead? Is Mobile security a dead horse waiting to be flogged?
The answer is, emphatically, ‘No’. And the reason is simple: it is not in Government’s long-term interest to have data losses rack up exponentially due to a flood of unsecured smartphones lying about the place. And so that means if we don’t get it right, we get regulated. Ask a banker how much it costs to meet his regulatory requirements. Ask any retailer how much fun PCI rules are. The way to avoid getting regulated is to get your house in order first so you don’t need the accursed stuff.
Explain this to your seniors, and then ask them how they’d feel about letting the blokes that drive the company vans do so without driving licences. Ask them how they would feel about letting surgeons work without knowing that they understand what they are doing and remember to wash their hands. Ask them whether they think that encrypting laptops is a good idea to stop your competitors/enemies/the press getting hold of stuff.
This is a serious uphill battle we face to remind people that it is not good enough to wing it. Go on the offensive, but stop talking about iPads and security, and start talking about regulatory costs and good old fashioned Health and Safety.