Jokes aside, some IT managers say there's no option other than BlackBerry for security

BlackBerry heavily promotes its sales to defense and security-conscious groups despite its being up for sale

The plight of BlackBerry has gotten so bad that heavy satire has stepped in.

In one example, a website recommends "how to upgrade your BlackBerry Smartphone to Android 4.2."

What follows at is a jailbreak that devolves into instructions to take the BlackBerry into the kitchen, fry it in a pan until crispy golden brown, then head out to buy an Android-based Samsung Galaxy S4.

Funny to some, but not so funny to IT workers, especially those who have staked their reputations on the security of BlackBerry as second to none, including the more popular Android and iOS operating systems.

"As for alternatives to BlackBerry, there aren't any," wrote Sandra Smith, an enterprise IT manager, in an email to Computerworld, although she didn't identify her organization. "Due to the Snowden revelations, we now realize that if you are running Microsoft/Google/Apple, you need to protect yourself from your OS and not use your OS to protect you."

IT managers and analysts note that the strength of BlackBerry's security comes from the BlackBerry Enterprise Service (BES) server software that is still used by thousands of government and enterprise customers globally. The BES software runs through the BlackBerry Network Operations Center (NOC) and through 500 global carriers but is separated from popular OS ecosystems like the ones working with Android, iOS and other mobile operating systems.

"BES is smart because it's not part of that ecosystem" of other operating systems, Smith said. "Sometimes exclusion is a plus. BlackBerry hardware and its OS will survive because of BES. We are all sitting here quietly paying as BES subscribers because we know and see the value."

But BlackBerry faces serious problems. Poor sales of its smartphones led to a $1 billion writeoff in the third quarter and plans to lay off 4,500 workers.

The security protections afforded by BlackBerry have become paramount in some large businesses and government agencies -- more important than an employee's desire to use a gold-colored iPhone 5S at work, or a decision by the organization's developers to stop building BlackBerry apps.

On Thursday, for instance, enterprise file sharing vendor Egnyte said it will no longer develop for the BlackBerry platform. "BlackBerry is severely challenged," said Egnyte CEO Vineet Jain in an email to Computerworld. "The future of technology rests in mobile and apps and it is no coincidence that companies are not willing to spend time and money developing apps for the struggling BlackBerry platform."

Even so, BlackBerry is still pitching itself as a premiere security solution.

Just this week, BlackBerry announced that global auditing firm KPMG in Italy bought 3,500 new BlackBerry 10 smartphones and is migrating to BES 10, which includes mobile management that can also control iOS and Android devices in addition to BlackBerry devices.

"With BlackBerry 10 we have found the best solution in terms of usability, security, connectivity and price," said KPMG Milan IT Lead Partner Davide Grassano in a statement. KPMG users will have access to shared files and internal resources while BlackBerry software also works to prevent the accidental leakage of business documents and attachments, he added.

On Oct. 1, BlackBerry said NATO had approved the use of BlackBerry 10 smartphones and BES 10 for classified communications in 28 countries in North America and Europe.

Also Oct. 1, BlackBerry said the National Police of Colombia is upgrading to BlackBerry smartphones and BES 10. It is one of 25,000 BES 10 test or functioning upgrades installed globally.

On Aug. 8, BlackBerry announced the U.S. Defense Information System Agency had authorized support for up to 30,000 Z10 and Q10 smartphones by year's end. It also authorized use of BES 10 to operate under the most stringent security requirements used in Department of Defense networks.

BlackBerry's record is sufficient to keep many of the most security conscious organizations happy, but there's debate as to whether other third party vendors, which support Android and iOS, can't also be highly secure, at least for the security needs of 99% of organizations.

Many government agencies need assurance that smartphones and their supporting servers can pass a FIPS 140-2 certification, which refers to the Federal Information Processing Standards requirement used to accredit cryptographic modules used in both software and hardware.

Jack Gold, an analyst at J. Gold Associates, has consistently called BlackBerry the "gold standard" for security, but admits that some third party products come close, even if they aren't exactly the same.

"If customers need the FIPS security that BlackBerry offers, there is no immediate need to replace them," Gold said. "BlackBerry will not just disappear overnight despite what some doomsayers have predicted."

BlackBerry's special position at the top of the security heap comes from the fact that its network operations center (NOC ) is linked to BES servers and also to the handheld hardware, Gold said. And the NOC, even under a future owner, is not going to disappear.

"I don't expect to see the NOC or BlackBerry infrastructure just shut down, whether BlackBerry goes private or someone buys them," Gold added. "There's no imminent threat to shutdown and no real need to migrate off BlackBerry."

BlackBerry has entered into a preliminary agreement with Fairfax Financial Holdings where Fairfax would pay $4.7 billion for BlackBerry and make it private. Other investors are looking at buying all or part of BlackBerry, including its two founders, Mike Lazaridis and Doug Fregin, Cerberus Capital Management, a private equity firm, and PC maker Lenovo.

Bob Egan, an analyst at Sepharim Group, advised IT managers worried about the future of BlackBerry to begin weighing alternatives. "That is not to say that enterprises should run overnight away from BlackBerry, but it does suggest that they need to proceed with far more caution and a consistent review of the [competitive] environment the past," he said.

If they haven't already, organizations should definitely negotiate with Blackberry for end-to-end service level agreements, which could be used if BlackBerry service or security gets disrupted, he said. Also, he said the terms of the agreement must represent the views of any BlackBerry customer's business leaders and its IT, risk, procurement, compliance and auditing organizations.

For those IT managers who feel they "have no choice but to deploy and use BlackBerry," Egan said they are probably more constrained by the procurement rules of the organization than by actual security needs. While FIPS 140-2 certifications are widely required before government and financial organizations can make smartphone or server acquisitions, it isn't always clear what level of certification is required. There are four levels, with Level 4 the highest and most secure.

BlackBerry has posted listings on its website of security approvals its products have received, including a FIPS 140-2 validation certificate for BlackBerry OS version 10. But none of the site's validations indicate what level of FIPS 140-2 BlackBerry has achieved. A BlackBerry spokeswoman said that BlackBerry has attained end-to-end FIPS 140-2 certifications for all BlackBerry 10 products.

Some organizations won't need the highest level of FIPS 140-2 certification, Egan noted. What BlackBerry hasn't made clear is whether its end-to-end FIPS 140-2 certification is up to Level 4 for all components of a system. Customers need to evaluate whether they need the highest level of security and also request that BlackBerry provide a certification that indicates the security level under FIPS 140-2, he said.

"There is no question that BlackBerry has a strong technical security method and history -- probably the best in mobile," Egan added. Other companies are meeting certain levels of FIPS 140-2, such as Apple with FIPS 140-2 Level 1 for its cryptographic module in iOS 6, with the same modules used in iOS 7. Samsung's Knox approach also promises some FIPS 140-2 certification, while MobileIron, Mocanna and Appearian also have some FIPS 140-2 certified modules, he said.

"For any IT manager, it's imperative to evaluate mobile security solutions against two factors: technical risk and business risk," Egan added.

This article, Jokes aside, some IT managers say there's no option other than BlackBerry for security, was originally published at

Matt Hamblen covers mobile and wireless, smartphones and other handhelds, and wireless networking for Computerworld. Follow Matt on Twitter at @matthamblen or subscribe to Matt's RSS feed. His email address is

See more by Matt Hamblen on

Read more about mobile security in Computerworld's Mobile Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags BlackberryAppleconsumer electronicsGoogleMicrosoftsecuritymobile securitysmartphones

More about AppleBlackBerryCerberus Capital ManagementGalaxyGoogleKPMGLenovoMicrosoftMobileIronNATOSamsungTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Matt Hamblen

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts