Why “Good Enough” Security is a Poor Recipe for Great Business


I often get asked whether customers choose BlackBerry because of its superior security. But there is also another, less obvious, dimension to this. The CIO of a global insurance giant recently said that “the end-user experience is the key metric his IT organization is measured on.” His challenge was in deciding what to trade-off between security and management tools to ensure end-user satisfaction. This may appear like a scenario from a less security-conscious and non-regulated enterprise. But every type of enterprise is pressured to maximize end-user satisfaction, even our top security-conscious government customers.


The term “good enough” security emerged during the recent surge of consumerization of IT as a way for mobile vendors to justify the use of smartphones that couldn’t clear the enterprise security bar. Personal smartphone experience and preferences have massive influence over enterprise device decisions. This so-called “pull” effect has forced many organizations to let consumer smartphones and tablets reshape their mobile strategy with little regard for their overall security posture. Caught between end-user expectations and corporate risk, CIOs now face a dilemma: should they “play it safe” with the end-users, even if this is a bad recipe that clearly increases the risk to corporate assets? Estimating how much the risk will increase takes effort and skill.

CIOs are Fallible, Too

While we make trade-offs all the time, we tend to be particularly poor at cybersecurity and risk trade-offs due to a number of well-studied biases, as Bruce Schneier aptly described in “The Psychology of Security”. We downplay risks that are taken willingly, that are associated with something we enjoy, and that don’t have immediate consequences. Do you see a connection with BYOD here? We tend to believe that we will do better than others in the same activity, which makes us too bullish about taking risks with approaches we know others are taking, no matter how risky those may really be. Furthermore, our heuristics give priority to incidents that are recent, vivid and involve people, so we underestimate what the bad guys could do next or what could go wrong in the future. Counterintuitively, known and understood risks, which we tend to overestimate, are easier to deal with from the security and technology perspective. Conversely, unknown and new threats, which we are wired to downplay, are what should be top of mind when planning for mobile security.

Emerging cyber threats such as spyware embedded in personal apps or targeted malware should never pose a large risk to corporate assets. The impact of such threats is well contained with security-by-design layered in the OS and proper containerization of work data. But under the hood of “good enough” security, we can find all kinds of low-grade and piecemeal security solutions relying on consumer-level security in the smartphone OS and basic application-level security.

Emerging threats can easily circumvent such unsophisticated defences that lack a solid perimeter around work data and expose your organization. Vulnerabilities come with all products, but they only become real opportunities to compromise your data if the inherent mobile defences are not deep enough and strong enough. Arguably, it is much easier and cheaper to build “good enough” security against known threats, or whatever the “threat du jour” is, than security that is resilient to not-yet-seen attack vectors. Attacks such as Logjam and OpenSSL Heartbleed will undoubtedly keep happening in various new forms. The real question is whether your mobile security has the ability to protect your corporate jewels after the first or even second layer of defence has been broken.

In the constantly evolving cyber-threat landscape, anything “good enough” today quickly becomes not nearly good enough.

CIOs should also remember that the security competencies of the vendors they buy products from directly contribute to their own security posture and ability to protect assets. Structural weaknesses in a product quickly become part of the core IT infrastructure, in most cases without the awareness of either the vendor or the customer. Always remember: you are only as secure as your weakest link.

Settling for “good enough” security is a short-sighted trade-off that increases the exposure to emerging threats to often unacceptable levels. Instead of speculating about where “good enough” lies, CIOs need to deliver an appropriately strong level of security on a consistent basis. When it comes to enterprise mobility, a well-designed work container with strong security for data-in-transit and data-at-rest is the only viable approach.

Decision-Makers Don’t Get the Full Risk Picture

CEOs who are building sustainable businesses won’t intentionally take chances with inadequate security of mobilized corporate data. Yet how many organizations facing such mobility choices actually present a thorough risk-benefit analysis to their executive board for weighing the options and signing off on the best approach? As we’ve seen over the past few years, data breaches affect everyone from the CEO to the Board of Directors. These are the people who need to sign off on the risk. The job of the CIO or CISO is to present an objective assessment of the proposed solution and how it stacks up against alternatives in terms of productivity, usability, cost, and risk. Failing to elevate this decision is typically the result of personal preferences among executives driven by brand bullying, lack of IT governance, and many other organizational weaknesses.

To protect your organization’s success and future, stay clear of products and solutions that tout “good enough” security. If you want to build a world-class business, enable it with world-class security. And by the way, this is the only way to achieve world-class productivity and user-satisfaction at the same time.

****

Smart IT managers know that there are three very good alternatives to BYOD. But what are the strengths and weaknesses of mobile deployment models such as CYOD, COPE and COBO? And how do you choose what’s best for your organization?

You can find the answers in our eBook, The Definitive Guide to Enterprise Mobile Security: Strategies for Business and IT Decision-Makers. Co-edited by Manea and BlackBerry blogger Eric Lai, the e-book offers comprehensive strategies and actionable tips for tech and business managers wrestling with how to manage and deploy devices in a secure, future-proof way.

You can also view archived versions of these webinars hosted by BlackBerry security experts:

To BYOD or Not to BYOD? Choosing the Right Deployment Model for Your Business, hosted by Alex Manea

The 8 Keys to Developing a Bullet-Proof Enterprise Mobility Management Strategy, hosted by Nader Henein

How to Create a Secure, Boundary-less Enterprise with Mobile Containers and Enterprise File Sync and Share, hosted by Jay Barbour

About Sinisha Patkovic

VP Security Advisory. I lead a global team with the remit that the BlackBerry security product offering remains relevant to both commercial and public sector organizations’ evolving set of needs. I have been working on secure communications projects with many Federal Governments and I have been actively engaged in the dialog on emerging issues spanning cyber-security, e-commerce, and privacy.
