I was on a mobile security panel at Interop today. We had a lot of questions about security technologies and techniques but none about user behavior. It’s always that way in security sessions and I always find it odd. Give me a car that’s ugly and clunky to drive and I probably won’t speed. But I also probably won’t ever use that car.

Outside threats are, of course, important to assess and control – we all hear of rogue apps hell-bent on stealing mobile data. But in the current mobile enterprise world, which is primarily iOS and steadily-diminishing Blackberry (Android is still waiting in the wings, still getting ready for flight), it’s the well-intentioned user doing something wrong that is the issue. The door to malware is narrow on both these platforms but the door to data loss can be wide. It’s not a technology issue. It’s a behavior issue.

Maybe it is trite to say that “the best security is education” so instead I’ll go with “changing behavior is not the same as restricting behavior.” The former is long-lasting and improves your security posture. The latter is short-lived and encourages bypass. But the latter is also comfortable to many organizations and simpler to design. It’s the path of least resistance for IT but the path of MOST resistance from the user.

Saying “Dropbox is bad – don’t use it” has as much impact on employees as me telling my kids to stop playing video games. Are you giving me an great alternative? That is the role of Mobile IT: pave the road and provide the road signs to let users know where to go and how so they can do their jobs effectively. Provide the tools for users to make the right decisions and avoid the “oops” moments. If Dropbox is “bad”, give me a better way to do my job. Make it easy for me to do the right thing. Teach me why it matters.

Mobile IT and the end-user are peers. A collaborative relationship doesn’t start with security. It starts with a clear understanding of desired user experience. It ends with an implementation that shares responsibility with the user and doesn’t catalyze him or her to drive off the road. In the middle is policy and technology, but mobile security itself starts with user experience and ends with productive user behavior.

Someone asked me today whether a captive browser might be a good way to give their users secure web access on iOS.  Sounds good on paper but the reality is more complicated.  Let’s look at the sequence of events that follow:

1. IT decides VPN plus Safari is not secure enough on iOS because the user can turn off VPN
2. IT mandates that all users must use a 3rd party captive browser for web access
3. However, users love the Safari experience and keep using Safari
4. IT turns off Safari on each iOS device in response
5. Users go to the App Store and download Opera, Skyfire, or another browser they like
6. IT turns off the App Store on each device in response
7. Users unenroll from the iOS MDM profile
8. Users once again have access to Safari, but now on unmanaged and unsecured devices

This is an example of the well-intentioned user being forced to go rogue. Security policy that damages mobile user experience will encourage even the best-intentioned user to look for ways to bypass.  In the best case, you have unhappy and less productive users.  In the worst case, you have devices that are less secure than even where you started.

I’ve seen this not only with captive browser mandates but also email sandboxes and heavy lockdown security models for mobile.

This same escalating arms race between user and IT happened in the Wi-Fi world.  Not too long ago, enterprises weren’t deploying Wi-Fi infrastructure because it wasn’t 100% secure yet.  But users wanted Wi-Fi.  They started bringing their own access points from home and broadcasting completely unsecured network access out into the company parking lot.  So the desire to eliminate Wi-Fi risk ended up increasing Wi-Fi risk.

Unfortunately, a security policy that is not sustainable is also not secure.  And the surest way to reduce sustainability is to compromise user experience. How will your users respond to a captive browser?  Will it meet their needs?  If not, what will they do and how will you react?  If the reactions are likely to escalate then you may end up with a security reality worse than your starting point.

(Thanks to Aman Kumar for putting structure around these ideas)

Half the products in my garage and pantry at home now claim to be “green” and “clean” and “sustainable.”  Is it true?  I hope so.  Am I susceptible to marketing?  Clearly.

Last week, I had a very interesting conversation about a different kind of sustainability with Craig Shumard and Serge Beaulieu, who headed up information security at CIGNA for the past several years.  Craig was Chief Information Security Officer and Serge was Director Technical Security Strategy for the company.

They brought up the notion of “sustainable risk management” for enterprise mobility.

Traditionally, every corporate IT organization carefully assesses its information risks and then clamps down hard and as completely as possible on those it is not willing to bear.

What happens in the mobile world?  The approach is similar but the pace of change in mobile is so rapid, that another variable becomes fundamental in the development of mobile risk policy: sustainability.

Sustainability is deceptively easy to quantify and measure:  in X months from now, is technique or policy Y still appropriate, effective, and respected?

A completely sustainable policy would be adopted immediately, be relevant indefinitely, and never be circumvented.  

In mobile, we see some hard and fast policies being applied.  But many times they quickly break, because they are not sustainable for a myriad of reasons:

• Users don’t see the benefit or necessity (e.g. third-party email apps)
• Users can’t easily understand or remember the policy (e.g. long list of forbidden apps)
• User requirements are far ahead of IT readiness (e.g. no smartphone allowed other than Blackberry)
• Social norms have changed (e.g. no social networking during work)
• User can’t get the value they expect from mobile (e.g. no apps, no browser, many features locked down)

The more enterprise security compromises the mobile user experience, the less sustainable is the underlying policy.

Or to put it a different way, as a CIO in the Federal system told us when he visited MobileIron:  “The more the CIO says ‘no’, the less secure the organization becomes.”

Sustainability is influenced by technical trends, social norms, and human nature.  End-users will do what they need to do in order to get their job done.  If security policy stands in the way, they will find a way to circumvent it.  And in mobile, where user experience is paramount, the little annoyances users may have been willing to put up with on the desktop now become major frustrations they are unwilling to accept.

An unsustainable policy will be expensive and onerous to maintain, will change often, will demand exceptions, and will eventually fail.

So the challenge is:  How do I develop a sustainable AND effective mobile security policy?  In my experience, in these early days of enterprise mobility, many organizations have been spending a lot of time implementing what feels effective but far too little time designing what will be sustainable. 

Ask yourself:

1. Am I starting with the mobile user experience and then defining security policy?
2. Or am I starting with the security policy and then defining mobile user experience? 

If the answer is #2, there is a good chance sustainability will become a painful exercise in the near future.

“You miss 100% of the shots you don’t take.”  Wayne Gretzky

I grew up in Canada, which means hockey was #1, #2, and #4 on the priority list (#3 was eating, #5 was sleeping).  Wayne Gretzky wasn’t talking about enterprise mobility, of course, when he said the above line, but he could have been. 

Too often, security is an excuse for not innovating.  Up until about 18 months ago, the easy answer when someone in your company wanted to use a new smartphones or go mobile with enterprise apps was “no”.  As one of my favorite analysts said a few months ago, if you want the world’s most secure smartphone, take out the SIM, put it in your filing cabinet, and lock it.  Fantastic security.  Zero productivity.

Lots of us in the industry talk about mobile security – how it is advancing, and how companies can legitimately “go mobile” without sacrificing enterprise data.  While it’s true we’ve come a long way, there is an elephant in the room that needs to be recognized:  Mobile will not be as secure as the desktop.

Or let me rephrase.  If you focus on restrictive lockdown in an attempt to make mobile as secure as the desktop, you don’t have a mobile strategy.  You have a desktop strategy on a smaller screen.

Should the focus of IT be prevention or productivity?  Of course both are important, but which is primary?  That is an important distinction because the decisions you make will be fundamentally different.

So let’s accept the fact that if I want to leverage the innovation and productivity of mobility, I am going to HAVE to deal with a different risk profile than I’m used to.  So instead of trying to force fit desktop security onto mobile, which either doesn’t work technically across devices or isn’t accepted behaviorally by users, start with the productivity goals. 

• What is the value of mobility to my users? 
• How will it let them do their jobs better? 
• How will it increase their satisfaction? 
• How will it give me business advantage?

And then put in place reasonable protections and policies that give you confidence while achieving the goal of smarter tools for a smarter workforce.  Back to hockey, you can’t score that goal without taking a great shot.  Being bounded by traditional approaches while your employees race past you is a recipe for IT obsolescence.