IT security pros must increase risk appetite

Summary: The tech team will need to overcome its risk-averse mindset and work closely with other departments such as legal and human resources in order to implement mobile device management smoothly and support business needs.


SINGAPORE--IT security professionals will need to be more open to risks with regard to mobile device management in order to support, and not hinder, business needs. They will need close cooperation with other departments such as legal and human resources to fulfill their role, though, one Gartner analyst says.

Christian Byrnes, managing vice president at Gartner, said during an information security conference here on Friday that IT security employees tend to fear risk and would over-react when it comes to managing the bring-your-own-device trend within the organization.

The worst-case scenario for risk-averse professionals would be for them to create security policies that stop employees from carrying out their job duties, Byrnes elaborated. For example, IT would try to impose rigid security rules that make accessing company data via workers' mobile devices more difficult. These situations occur because the IT team lacks knowledge of the risks involved and how to protect corporate data on mobile devices, he said.

However, businesses by nature "strive on risk" for growth and IT security professionals will need to change their mindsets in order to make a positive impact, he urged.

Finding middle ground
The Gartner analyst highlighted two factors IT security teams will need to determine in order to successfully implement mobile device management (MDM): they need to know whether the corporate data can reside offline on users' devices, and how much security is needed to safeguard the information on these devices.

Explaining, Byrnes said that where data can only be accessed online and requires low security but cannot be stored on users' devices, the IT team can provision access by using simple Web portals or filter-sensitive tools. For higher security requirements, they can set up secure portals accessed via software from vendors such as Citrix, or use SSL (secure sockets layer) for authentication and ensure protection on the device is up-to-date, he said.

For data that can be stored on mobile devices and requires only low security measures, certificate control and other basic MDM security policies are recommended, he said. Other more secure tools include implementing digital signatures for specific services according to business users, he noted.

Implementing these safety measures is just one aspect of making sure MDM supports business needs, though, and security professionals will need to work closely with other departments to achieve their MDM goals.

For instance, he noted the legal department will have to be roped in to help craft security policies and ensure these meet the compliance requirements set by the government, industry, business partners, contractors, supply chain partners, and customers.

The human resources (HR) department is another important ally for the IT security team.

Byrnes recounted a case in which an IT staff member was blamed by a C-level executive after the latter's data stored on his mobile device was accidentally wiped, with the executive threatening to fire the staff member. The HR department had to step in and remind the high-ranking executive that he had signed a policy requiring him to back up his data anyway, which helped prevent the IT professional from losing his job, he said.

Topics: Security, Data Management

Liau Yun Qing

About Liau Yun Qing

The only journalist in the team without a Western name, Yun Qing hails from the mountainy Malaysian state, Sabah. She currently covers the hardware and networking beats, as well as everything else that falls into her lap, at ZDNet Asia. Her RSS feed includes tech news sites and most of the Cheezburger network. She is also a cheapskate masquerading as a group-buying addict.

  • Won't Windows 8 change that?

    Security is a primary concern. Ignore that fact at your own peril.

    True, everything is going mobile: but Windows devices can be secured, and they will soon be available. Won't that negate the need for taking needless security risks?
  • Wrong! Wrong! Wrong!

    We already have way too many security compromises, and to posit any additional laxness is simply begging for more trouble, and ultimately significantly adverse effects on the business. Note this is the same "contributor" who would also have us believe that China is not really as much into hacking as evidence supports, etc. according to yesterday's article.
    PLEASE ZD, consider the source before hitting the "publish" button.
  • RE: In time BYOD will end because of security

    But not now and not soon. In this poor economy all business sees is saving money from no computers and less or no IT staff. Breaches are occurring and will occur. They won't be noticed at all in many cases because people are not looking and don't know how to look. Those that do occur will not be reported by the media in love with the IPAD and the whole BYOD phenomenon. And when they get so noticeable they can't be ignored it will be described as an anomaly, whatever IT staff is left will be blamed like in two articles in ZDNET today for having a backward attitude and not learning new security methods. Business will be blamed for keeping XP and it will be used as a selling tool for WIN 8 or Apple or both. But the model is inherently insecure and the security breaches will become so catastrophic this will be too obvious to ignore.