IT security pros must increase risk appetite

The tech team will need to overcome its risk-averse mindset and work closely with other departments such as legal and human resources in order to implement mobile device management smoothly and support business needs.

SINGAPORE--IT security professionals will need to be more open to risks with regard to mobile device management in order to support, and not hinder, business needs. They will need to cooperate closely with other departments such as legal and human resources to fulfill that role, though, one Gartner analyst says.

Christian Byrnes, managing vice president at Gartner, said during an information security conference here on Friday that IT security employees tend to fear risk and overreact when it comes to managing the bring-your-own-device trend within the organization.

The worst-case scenario for risk-averse professionals would be for them to create security policies that stop employees from carrying out their job duties, Byrnes elaborated. For example, IT would try to impose rigid security rules that make accessing company data via workers' mobile devices more difficult. These situations occur because the IT team lacks knowledge of the risks involved and how to protect corporate data on mobile devices, he said.

However, businesses by nature "strive on risk" for growth and IT security professionals will need to change their mindsets in order to make a positive impact, he urged.

Finding middle ground
The Gartner analyst highlighted two factors IT security teams will need to determine in order to successfully implement mobile device management (MDM): they need to know whether the corporate data can reside offline on users' devices, and how much security is needed to safeguard the information on these devices.

Byrnes explained that where data can only be accessed online, requires low security and cannot be stored on users' devices, the IT team can provision access by using simple Web portals or filter-sensitive tools. For higher security requirements, they can set up secure portals accessed via software from vendors such as Citrix, or use SSL (secure sockets layer) for authentication and ensure protection on the device is up-to-date, he said.

For data that can be stored on mobile devices and requires only low security measures, certificate control and other basic MDM security policies are recommended, he said. Other more secure tools include implementing digital signatures for specific services according to business users, he noted.

Implementing these safety measures is just one aspect of making sure MDM supports the business needs, though, and security professionals will need to work closely with other departments to achieve their MDM goals.

For instance, he noted the legal department will have to be roped in to help craft security policies and ensure these meet the compliance requirements set by the government, industry, business partners, contractors, supply chain partners, and customers.

The human resources (HR) department is another important ally for the IT security team.

Byrnes recounted a case in which an IT staff member was blamed by a C-level executive after data stored on the executive's mobile device was accidentally wiped, with the executive threatening to fire the staff member. The HR department had to step in and remind the high-ranking executive that he had signed a policy requiring him to back up his data anyway, which helped prevent the IT professional from losing his job, he said.
