Protecting your organization’s data is of paramount importance, yet so is empowering employees to use their own devices. Can security pros handle this balancing act?
In today’s global, connected society, businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected and high impact security events. To take advantage of emerging trends in both technology and cyberspace, organizations need to manage risks in ways beyond those traditionally handled by the information security function, since new attacks will impact both business reputation and shareholder value.
Today’s Mobile Landscape
The surge in personal mobile devices being used in the workplace –bring your own device (BYOD) and bring your own everything (BYOx)–has been widely documented. Gartner predicts that by 2016, two-thirds of the mobile workforce will own a smartphone and 40 percent of the workforce will be mobile. Furthermore, the variety of connected devices (tablets, phablets, wearables), usage contexts, mobile applications and cloud computing services add even more complexity.
As the trend of employees bringing mobile devices, applications and cloud-based storage and access in the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.
BYOx initiatives present considerable challenges, as does the widespread adoption of social media. Today’s CISO and CIO must embrace these technologies or risk being sidelined by those more agile. While safeguarding your organization’s data is of paramount importance, empowering employees to use their own devices, applications and cloud-based storage safely and flexibly is essential to better workplace productivity, competitiveness, as well as keeping workforce morale and talent retention high.
Safeguarding Your Data
With an increase in the number of consumer-based devices, as well as an increase in the amount of data being shifted across multiple borders, organizations need to be on their toes in terms of safeguarding sensitive data. Since BYOx will be the device of choice for most users moving forward, organizations need to wise up and fix some of the issues that have been there for quite some time now by investing the appropriate time and resources in managing this core critical business component.
It goes without saying that business leaders recognize the enormous benefits of digital and how the Internet—in particular today’s growing usage of connected devices—greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, they have difficulty assessing the risks versus the rewards. One thing that organizations must do in this day and age is ensure they have standard security measures in place.
The ISF recently released Information Risk Assessment Methodology version 2 (IRAM2), which has many similarities to other popular risk assessment methodologies. However, whereas many other methodologies end at risk evaluation, IRAM2 covers a broader scope of the overall risk management lifecycle by providing pragmatic guidance on risk treatment. The IRAM2 risk assessment methodology can help businesses of all sizes with each of its six phases detailing the steps and key activities required to achieve the phase objectives while also identifying the key information risk factors and outputs. IRAM2 provides businesses of all sizes with a simple and practical, yet rigorous risk assessment methodology that helps businesses identify, analyze and treat information risk throughout the organization.
Additionally, the ISF has introduced a practical approach for creating key performance indicators (KPIs) and key risk indicators (KRIs) that support informed decision-making. This offers businesses of all sizes with the assurance that the CIO, CISO and the information security function are responding proactively to priorities and other needs of the business.
The ISF approach encourages CIOs and CISOs to forge a path to having the right conversations with the right people. It has been designed to be applied at all levels of an organization, and consists of four phases:
*Establish relevance by engaging to understand the business context, identify common interests and develop combinations of KPIs and KRIs
*Generate insights by engaging to produce, calibrate and interpret KPI/KRI combinations
*Create impact by engaging to make recommendations relating to common interests and make decisions about next steps
*Learn and improve by engaging to develop learning and improvement plans
This approach will provide a way for CIOs and CISOs to succeed by engaging with audiences to identify common interests, determine relevant data, generate reliable insights and create impact supported by the right KPIs and KRIs. This, in turn, supports informed decision-making.
The Time Is Now
Time is critical and businesses need to formulate a response to the growing trend of mobile devices in the workplace with a sense of urgency. Focusing on the organization’s information as a guiding principle for considering risk as part of a BYOx program can bring a great deal of clarity to decision-making as it facilitates the definition of device-agnostic solutions which could be re-used for other BYOx deployments. This approach must be tempered against the willingness of executives to increase their risk appetite to enable BYOx.
An information-centric perspective is key to managing BYOx risk, keeping the focus where it should be rather than on the technical details. The proliferation of new devices and applications means that organizing a BYOx risk management plan around a single technical solution can be restrictive. A focus on information is more likely to result in an agile and adaptable program.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.