Most enterprises rank mobility and mobile worker solution deployments within their top five initiatives for the next three years. This fact is consistently indicated in surveys of business executives from a wide variety of industries. Indeed, we expect mobile deployments to expand dramatically over the next three to five years as solutions become easier to deploy, connections become faster and more reliable, and devices become more capable and less costly. Few companies have recognized, however, that the very mobile devices they deploy to enhance worker productivity and improve operations can cause a company to face an increased risk of security and compliance breaches. And few companies currently know how to mitigate such risk effectively. Further personal, non-company-issued devices that users acquire independently and bring into the workplace should cause companies great concern. Indeed, management and control of these devices is imperative if companies are to protect their data and avoid running afoul of existing and proposed regulations. Many governments (on the state, regional and/or federal level) have passed, or are passing, new regulations that will severely penalize companies that are not able to comply with data protection and security regulations.
The massive growth of mobility over the next three to five years is likely to leave company IT organizations unable to cope with the new mobile reality unless they rethink their existing management and security strategy. One of the greatest challenges to both business and IT groups within companies over this period will be effectively securing mobile solutions in the workforce, over a wide array of devices, connections and applications.
Why compliance is important – meeting a company's obligations
A well-devised and well-executed compliance strategy is essential for every enterprise. Industry-based regulations, as well as general business regulations, impose numerous and varied duties that often carry steep fines, and in some circumstances even criminal liability, for failure to comply. A single enterprise may be responsible for complying with federal regulations applicable both to its specific field of operations and to business operations in general, while also being subject to state regulations in one or more states – regulations that may not be uniform from state to state. The compliance landscape is frequently difficult to traverse without a comprehensive and integrated compliance strategy.
Compliance is an affirmative duty, which must be approached aggressively. The stakes are quite high. Besides the financial strain of hefty fines and the substantial harm to the company's reputation of an enforcement action, failure to institute a compliance strategy might lead an enterprise into traps it could otherwise avoid, such as massive notification mailings to affected customers and consumers, expensive private or class-action lawsuits, or even mandatory production of a neglected "smoking gun" that could lead to additional enforcements.
Conversely, the benefits of an effective compliance strategy can do more for an enterprise than merely spare it from legal liability. The requirements of these various regulations might be viewed as impetus for adopting and enforcing security best practices that an enterprise should be following in any event. By using appropriate technologies to ensure compliance, business processes can be improved and standardized, increasing efficiency, accountability and quality control.
The need for mobile management and security
Few companies do an effective job of managing their mobile workforces. In fact, few companies understand the optimum management techniques for mobile workers, let alone security requirements. They either ignore the problem or see mobile management as an extension of existing end-user management operations. This is a fundamental mistake, as managing mobile devices has unique characteristics that are unlike fixed management.
The first step in an effective mobile management strategy is to set usage policies, which need to be communicated to -- and agreed upon by -- the end users. Lack of this critical first step is the biggest impediment to successful completion of mobile projects. Once set, these policies can be enforced with mobile management tools.
A company must set a mobile security policy that is complementary to existing company security policy but is inclusive of some of the unique characteristics of the mobile environment (e.g., often disconnected from the network, higher loss rate of equipment, potential addition of personal files, removable storage media, data backup/transfer, etc.). Several mobile security suites exist (e.g., Credant, Pointsec), but generally they lack any significant management capabilities beyond their own security needs. It is, however, becoming common for mobile management vendors (e.g., Afaria from iAnywhere, Intellisync, iPass, Good) to increasingly include security functionality as part of their overall management suites, some through partnership with security vendors and some through their own tools.
Conclusions
Mobile security and compliance management must be a key component of any successful enterprise mobile strategy. Failure to include adequate levels of mobile security and compliance management will substantially increase the overall cost of a company's operations and could ultimately compromise its ability to do business by alienating existing and future customers, leaving the company facing large financial burdens through fines, lawsuits and other penalties. We believe all companies must institute a security and compliance policy specifically focused on mobile users, data and devices if they are to be capable of competing in the market in the long term. We expect the proliferation of mobile device types to continue, and companies that wait too long to formulate a strategy will be forced into a position of reacting to each individual incident at great expense, rather than taking the steps necessary to prevent the majority of security incidents and compliance breaches. The emerging world of increased mobility requires all companies to implement a mobile security policy within the next 12 months or risk being unable to remain competitive in the marketplace.
********************
Jack Gold's full-length white paper entitled "Compliance in the mobile enterprise" is currently available on SearchMobileComputing.com. This paper delves deeper into key areas in which mobility will expand, identifies risks and exposures, and addresses how companies should advantageously manage such mobility securely.
********************
About the Author: Jack E. Gold is Founder and Principal Analyst at J. Gold Associates. Mr. Gold has more than 35 years in the computer and electronics industries, including work in imaging, multimedia, technical computing, consumer electronics, software development and manufacturing systems. He is a leading authority on mobile, wireless and pervasive computing, advising clients on business analysis, strategic planning, architecture, product evaluation/selection, and enterprise application strategies. Before founding J. Gold Associates, he spent 12 years with META Group as a vice president in Technology Research Services. He also held positions in technical and marketing management at Digital Equipment Corp. and Xerox. Mr. Gold has a BS in electrical engineering from Rochester Institute of Technology and an MBA from Clark University. He can be reached at jack.gold@jgoldassociates.com.
