I recently wrote about the business social networking site Wisegate, which brings together high-level security and IT professionals to discuss and collaborate on their top-of-mind issues. Wisegate just released a report that summarizes what members are doing about creating and implementing mobile device management (MDM) policies for personally owned devices. Now that there are more than 1.2 billion mobile Web users in the world (as reported by mobile consulting firm mobiThinking), a set of BYOD policies is on every enterprise information security officer’s agenda.
The Wisegate report features what one member in particular has learned as his company developed and implemented its “bring your own device” (BYOD) policies, but it includes considerations and advice from the larger group. Here’s a partial list of the topics the members have shared:
- Which mobile operating systems they have agreed to support, and which ones they prefer to avoid at this time
- What mobile device management (MDM) solutions they have tried and which ones meet their current needs
- The legal issues of doing a complete data wipe if a device is lost, stolen or misplaced, or if the worker leaves the company
- What to put in a user agreement, and how often to have workers re-sign the agreement
- Who to involve in developing the corporate policies
Given that these CISOs have “been there, done that,” it’s highly useful information for other companies that are developing or evolving their policies and definitely worth a read. Wisegate members also acknowledge that they don’t have all the answers and are, themselves, still struggling with various issues, like what to do about corporate data that makes its way onto a worker’s personal cloud storage space, or how to conduct eDiscovery if a data breach is suspected.
Here’s a sampling of the members’ insight:
- Wisegate members would prefer to avoid the Android mobile operating system. In their opinion, the OS is not ready for the enterprise and it suffers from too many security risks. One problem they cite is the “chaotic” and insecure Android application marketplace, where apps are not screened for malware and developers are not vetted. This makes it too easy for smart device owners to pick up a virus that can easily be spread enterprise-wide if the device is connected to a company network.
- So if the CISOs don’t like Android, what OSes do they find acceptable? BlackBerry OS from RIM and iOS from Apple. BlackBerry has always been enterprise-friendly and Apple makes a stronger effort to meet enterprise needs than most vendors, according to the members.
- A mobile device management platform is an absolute necessity to manage all these devices. Many of the members like Good for Enterprise from Good Technology Inc., Advanced Management from MobileIron, and MaaS360 from Fiberlink Communications. Which product to choose is highly dependent on what policies a company wants to enforce. Members recommend evaluating and piloting several products.
- Many companies allow (or even prefer) workers to supply their own devices and data plans for network access because they believe it saves money. Wisegate members urge other CISOs to consider that BYOD may not be a cost-saving strategy once you factor in the cost to manage and support these disparate devices and to mitigate the security risks they pose. It might be more cost-effective in the long run to have the company purchase and own a very select set of devices that can be locked down to meet specific business requirements.