“I think the time has come to skew expenditures more toward the future as opposed to what we’re seeing right now. There are still more non-mobile threats that are publicly reported than mobile threats, but that’s a temporary condition. People need to think about mobile and cloud and what’s coming and start the transition now. Otherwise they will not be in a better position when we get there; they’ll be in a far worse position,”
–Phil Reitinger, president of Global Cyber Alliance and former CISO
Enterprises are actively transitioning from desktop and server environments to mobile and cloud ones. This should come as no shock to anyone in an enterprise IT or security function. Mobile devices are in every employee’s hand. Corporate architectures are app-centric, with employees downloading mobile apps without IT vetting.
Cybercrime goes where the value is, and the value is increasingly going to be in the data that sits in cloud services and the mobile devices that access them.
Paying attention now can help you be in a much better security position later.
The importance of the CIO-CISO relationship
In every business there must be balance. This is especially true when looking at the IT and security functions. Both teams should embrace and protect the technology their employees use to get work done, but sometimes these teams work against each other.
For example, if the IT team’s goal is to “keep devices up and working” and the security team is mandated to “ensure all threats are stopped immediately,” the IT team will try to prevent devices from going offline, while the security team will want to take devices offline to stop any threats from spreading and doing damage. They work against each other.
In order to properly prepare for the future, “You need combined incentives so you’re not working against each other,” according to Phil.
This means creating balanced security policies that embrace usability and productivity by focusing on the mobile environment itself. In other words, security teams must gain visibility into the broad spectrum of threat vectors and risks associated with mobile devices, while not blocking an employee’s access to important apps.
You are not going to be able to do everything you want and be compliant, too
Preparing for the future isn’t easy, but that doesn’t mean we can ignore the policies and regulations we have in place today. There are over 190 nations in the world and a growing number of them have privacy regulations.
This is especially true when thinking about the mobile device and how much data can be accessed and transmitted through apps outside of the enterprise.
“There is virtually no way to do all the things that you want to do in terms of making sure your devices are appropriately monitored and still stay in line with all of the requirements — you’re going to have to make some compromises,” Phil explained.
- Don’t collect more data than you really need and will actually use (both conditions must be met)
- Be very straightforward with employees and government agencies about what you’re doing
Mobile threats are real today, so start securing them for tomorrow
In the not-so-distant past, enterprises looked at mobile risks as an employee getting his phone stolen. With threats like Pegasus, and the reality of remote attacks, we must have the same level of concern for mobile attacks as for the desktop environment.
The move to mobile and cloud acts as a forcing function for security and IT teams to evaluate their overall security posture. Accepting that these threats are already here will put your enterprise in a much stronger position when the mobile risks to your corporate data start inundating your organization.
Learn more about the state of mobile security from CISO and current CEO of TAG Cyber Ed Amoroso in his video on evolving architecture, insufficient MDMs, and dead perimeters.