Earlier this month, 25-year-old Rory McIlroy won the US PGA Championship, his third consecutive tour victory and second major championship in less than a month.
McIlroy’s most astounding accomplishment in taming the most demanding courses in the world is making it look easy. But what’s also well-known among golfers is that the effortlessness displayed by McIlroy is a product of intense discipline and – almost literally – a lifetime of honing his skills.
No Overnight Success
“Practice makes perfect” is not an axiom exclusive to golfers or professional athletes. Corporations, particularly those specializing in technology, reach the pinnacle of expertise through the dedication of thousands of worker-years to the pursuit of excellence in one or a select few core competencies.
Founded in 1984, BlackBerry has worked tirelessly for nearly 30 years to make enterprise mobility and security look easy. By shielding the immense complexity required to safely and efficiently extend an organization’s content and communications to a mobile workforce, BlackBerry has created the perception among some organizations – and would-be competitors – that enterprise security is a snap.
As a head of BlackBerry’s global security advisory team, I have observed first-hand how multiple national governments have discovered the hard way that mobile security is far from easy and that BlackBerry’s end-to-end solution, which strikes the optimal balance of risk mitigation and end user productivity, is not easily imitated.
The Real Deal
Outside of the BlackBerry customer base, there have been a number of well-funded attempts to deliver BlackBerry-like mobile security. They were largely technology-driven approaches that combined containerization techniques, customizations and modifications of mobile operating systems, and a familiar handheld that was supposed to appeal to the end user.
The results, in some instances, have been spectacular failures. While some of these projects made it into the hands of end users, none delivered the value that was promised and, not surprisingly, all shared a similar destiny: gathering dust in users’ desk drawers. No wonder we don’t hear much about them after their initial pompous announcements and launches.
Those projects crumbled under the pressure to meet competing requirements of three different types of stakeholders:
- National security authorities, who evaluate a solution’s end-to-end security and compliance;
- IT management, which needs a cost-effective and productive enterprise solution that scales well;
- End users, who need an easy-to-use, fun, high-performing handheld for both work and play.
Here are the top five reasons why attempts at imitating BlackBerry’s productivity-enabling approach to security have been unsuccessful:
- Critical capabilities important to end users and IT managers were sacrificed as collateral damage in the process of meeting security requirements. Technology-driven approaches, including hypervisors and thin clients, failed because, although they addressed the most obvious security issues, they delivered miserable user experiences that road-blocked productivity and were rejected by employees.
- Productivity, enterprise integration, and application strategy ended up deprioritized as an afterthought, leaving stakeholder IT teams to unsuccessfully cobble together the required work productivity tools and apps that should have come out of the box.
- Solution complexity was severely underestimated, resulting in ever-slipping project schedules, spiraling costs, and the loss of IT flexibility that is required for successful business process mobilization.
- In spite of their focus on security, these solutions ultimately failed to ensure that security and quality metrics were consistently met, because they were developed by vendors that lacked a mature Secure Software Product Life Cycle (SDLC). So much of security still lies in what you don’t see: how the secure product is actually designed, developed, tested and certified, and supported with mature and capable security response processes. A security solution that is full of defects and deficiencies will sooner or later turn your risk into financial loss.
- A product architecture that was too hardware-dependent resulted in user devices that were already a generation out of date upon project completion. These solutions lacked a sustainable forward upgrade path that would enable customers to consistently refresh their device fleets with the latest models.
Security as Productivity Enabler
I’ve helped many organizations that have chased this BlackBerry-like approach to mobile security to eventually become BlackBerry customers. Those who tried piecemeal after-market solutions that mimic BlackBerry can easily recognize the product excellence that comes when core competencies are in their DNA.
In addition to the squandering of financial resources, these technological detours also impose productivity penalties. Enterprises that lack a rock-solid security foundation remain barred from realizing the business-transforming benefits of workforce and business process mobilization.
At the end of the day, enterprise mobility is all about helping organizations reach new productivity heights. Security’s essential purpose is to provide a foundation for business transformation by removing any risk roadblocks to new mobility projects. And like all foundations, security must be architected together with the rest of the structure it needs to support, but implemented in a timely and rigorous manner.
Similarly, you can’t manufacture experience overnight. You can’t accumulate a pedigree through partnering. There is no shortcut that can substitute for all the deliberate choices you must make over time as you build your core competencies and knowledge that allow you to excel at creating elegant solutions to complex problems.
Thus, the dream that someone in your neighbourhood will be able to piece together a BlackBerry-like solution continues to elude government customers when the need for secure communication is greater than ever.
It doesn’t matter how athletic you are, how much money you have, or who you know. You’re never going to give Rory McIlroy a run for his money after only a couple of lessons.
This is the first in a series of blogs exploring real-world mobile security issues encountered in the field. Upcoming entries will dive more deeply into shortcomings associated with attempts to build secure enterprise mobility solutions atop consumer-grade platforms.