CSO Roundtable : Effective Mobile Security

Although BYOD security gets the headlines, IT managers find issues like device management, scope management and support just as challenging.

At the recent CSO Australia Mobile Security roundtable, held at AusCERT, 21 guests thrashed out their experiences and concerns.

It's clear that there are few holdouts in the BYOD realm, and most of them are constrained as much by regulation, compliance and policy as by inclination. Of a diverse group of organisations, covering business, government, healthcare, education, law enforcement and aerospace, only one—Australian Aerospace—stated a clear no-BYOD policy.

Most of the rest said that they're still developing their BYOD policies.

What's driving adoption?

It's easy to tar managers with a generational brush, assuming they expect graduates entering the workforce to accept the same kind of workplace they had 20 years ago, but that's not so. There's a strong consensus that the HR department has become an important driver of BYOD adoption. The reason? Partly to help attract talent.

As New Hope Group's MIS Manager Chris Evans put it: “The motivation comes from HR, because they want good candidates. They need to attract and retain the talent so there's a big push in that direction.”

Evans said that regardless of the original source of a BYOD policy, “it's become a company-level decision, a C-level decision. People want, at the very least, to get e-mails on their personal device, 24x7.”

Darren Moore of Tatts Group agreed, saying “HR is also our biggest customer. They are the ones that want it first—them and the C-level executives.”

The arrival of new CEO Robbie Cooke last year has greatly accelerated BYOD, he noted: Cooke is former CEO of the Wotif group, and has brought a new culture to Tatts.

“The CEO wants travelling access—we have had to change and turn around very quickly,” Moore said.

Kim Johr, ICT Infrastructure Manager at the Moreton Bay Regional Council, said staff satisfaction has driven the council's decision to trial BYOD. “The staff are doing more anyway, and they feel more satisfied. So there's value in that respect.”

“Staff need to be enabled to move around, to do their job in more than one location,” he said. And with that support, staff are happier.

What's in your strategy?

For nearly everyone at the round table, BYOD is a still-nascent part of their total IT strategy. E-mail access is overwhelmingly the dominant application and there is some caution about extending the application footprint of BYOD.

“Organisations often miss the fact that it is about managing mobile employees, not mobile devices,” said Ian Yip, Identity, Security & Governance Business Manager, for table sponsors NetIQ. “Organisations often start by focusing on securing devices and realise at a later stage they need to look for a solution that is focused on identity.”

“We have limited the scope of the implementation by design,” said New Hope's Chris Evans. His concern is regulatory: with every action of grant-supported companies scrutinised, the risk that a careless BYOD strategy could undermine the organisation's audit position is significant.

“If someone wants e-mail our answer is yes. We are trying to encourage the workforce to be more tech-savvy,” Evans said, but expanding simple access into broader application access is a more vexed question.

Stephen McCarthy agreed: “As soon as you get past e-mail, if the BYOD doesn't work, people will demand support from IT,” he said.

Managing devices

There's no consensus on the best way to approach mobile device management, but great dissatisfaction with what's currently on offer from vendors.

At one extreme, there's no support at all. Kathryn Priol, director of ICT at John Paul College in southern Brisbane, said students are free to bring their own machines, but the college only provides support for its own devices.

However, Max Network's Stephen McCarthy said in a business context, support is critical.

“Not supporting something is not tenable, because if someone can't do their work, it starts to escalate all through the company anyway. Someone who can't do their work quickly becomes a business problem. And IT ends up in the firing line anyway,” he said.

“There is no mobile device management solution that lets you say 'here is an app, now you can forget it',” New Hope Group's Chris Evans said, and the result is that device management falls back to the IT department, with little support from the outside.

At the other end, Moreton Bay Regional Council's Kim Johr said “Regarding mobile device management – we're happy to take care of that ourselves. We can do it better and with more granularity.”

Colin James, CTSO at Vodafone New Zealand, noted however that MDM “is only one part of the story. Securing the information is important—to have security controls on a document at the time of creation is important.”

While cloud services like Dropbox are offered up as solutions, James described them as a “nightmare”.

Is it secure?

Which naturally raises the question of security: can it be secure? It's a vexed issue, because so many vulnerabilities exist.

Yip suggests identifying and understanding the flows of critical information. “Access to information should be controlled and be able to be tied back to individuals—and monitored at all times,” he says.

New Hope has a simple, if strict, approach for devices: if someone wants their own device to have access to the business, it comes with strings. When the employee leaves, the device is wiped.

“We wipe the whole device if the person resigns,” Evans said.

“We allow it, and we have set it up so that we can remotely blow the device away when a staff member leaves,” Evans added.

As a regulated entity—gaming being more regulated than practically anything except for healthcare and telecommunications—Tatts Group's Paul Bilic noted that “pushing board papers out to the executives is a security challenge.

“Policy and governance are playing catch-up,” he concluded.

Location, location, location

McCarthy also noted that for Max Network, BYOD brings challenges simply in maintaining access to networks. The BYOD debate has become generalised on the assumption that everybody lives and works in cities.

“Most of our people are in the regions, and communications either die or cost so much you can't use them,” he said. “In non-metro locations, latency, cost and performance can make mobility far less usable.”

“It's never the user's problem, it's a problem that costs the business,” he added.

Stories by Richard Chirgwin