1. IT decides VPN plus Safari is not secure enough on iOS because the user can turn off VPN
2. IT mandates that all users must use a 3rd party captive browser for web access
3. However, users love the Safari experience and keep using Safari
4. IT turns off Safari on each iOS device in response
5. Users go to the App Store and download Opera, Skyfire, or another browser they like
6. IT turns off the App Store on each device in response
7. Users unenroll from the iOS MDM profile
8. Users once again have access to Safari, but now on unmanaged and unsecured devices

This is an example of the well-intentioned user being forced to go rogue. Security policy that damages mobile user experience will encourage even the best-intentioned user to look for ways to bypass.  In the best case, you have unhappy and less productive users.  In the worst case, you have devices that are less secure than even where you started.

I’ve seen this not only with captive browser mandates but also email sandboxes and heavy lockdown security models for mobile.

This same escalating arms race between user and IT happened in the Wi-Fi world.  Not too long ago, enterprises weren’t deploying Wi-Fi infrastructure because it wasn’t 100% secure yet.  But users wanted Wi-Fi.  They started bringing their own access points from home and broadcasting completely unsecured network access out into the company parking lot.  So the desire to eliminate Wi-Fi risk ended up increasing Wi-Fi risk.

Unfortunately, a security policy that is not sustainable is also not secure.  And the surest way to reduce sustainability is to compromise user experience. How will your users respond to a captive browser?  Will it meet their needs?  If not, what will they do and how will you react?  If the reactions are likely to escalate then you may end up with a security reality worse than your starting point.

Half the products in my garage and pantry at home now claim to be “green” and “clean” and “sustainable.”  Is it true?  I hope so.  Am I susceptible to marketing?  Clearly.

Last week, I had a very interesting conversation about a different kind of sustainability with Craig Shumard and Serge Beaulieu, who headed up information security at CIGNA for the past several years.  Craig was Chief Information Security Officer and Serge was Director Technical Security Strategy for the company.

They brought up the notion of “sustainable risk management” for enterprise mobility.

Traditionally, every corporate IT organization carefully assesses its information risks and then clamps down hard and as completely as possible on those it is not willing to bear.

What happens in the mobile world?  The approach is similar but the pace of change in mobile is so rapid, that another variable becomes fundamental in the development of mobile risk policy: sustainability.

Sustainability is deceptively easy to quantify and measure:  in X months from now, is technique or policy Y still appropriate, effective, and respected?

A completely sustainable policy would be adopted immediately, be relevant indefinitely, and never be circumvented.  

In mobile, we see some hard and fast policies being applied.  But many times they quickly break, because they are not sustainable for a myriad of reasons:

• Users don’t see the benefit or necessity (e.g. third-party email apps)
• Users can’t easily understand or remember the policy (e.g. long list of forbidden apps)
• User requirements are far ahead of IT readiness (e.g. no smartphone allowed other than Blackberry)
• Social norms have changed (e.g. no social networking during work)
• User can’t get the value they expect from mobile (e.g. no apps, no browser, many features locked down)

The more enterprise security compromises the mobile user experience, the less sustainable is the underlying policy.

Or to put it a different way, as a CIO in the Federal system told us when he visited MobileIron:  “The more the CIO says ‘no’, the less secure the organization becomes.”

Sustainability is influenced by technical trends, social norms, and human nature.  End-users will do what they need to do in order to get their job done.  If security policy stands in the way, they will find a way to circumvent it.  And in mobile, where user experience is paramount, the little annoyances users may have been willing to put up with on the desktop now become major frustrations they are unwilling to accept.

An unsustainable policy will be expensive and onerous to maintain, will change often, will demand exceptions, and will eventually fail.

So the challenge is:  How do I develop a sustainable AND effective mobile security policy?  In my experience, in these early days of enterprise mobility, many organizations have been spending a lot of time implementing what feels effective but far too little time designing what will be sustainable. 

Ask yourself:

1. Am I starting with the mobile user experience and then defining security policy?
2. Or am I starting with the security policy and then defining mobile user experience? 

If the answer is #2, there is a good chance sustainability will become a painful exercise in the near future.

I grew up in Canada, which means hockey was #1, #2, and #4 on the priority list (#3 was eating, #5 was sleeping).  Wayne Gretzky wasn’t talking about enterprise mobility, of course, when he said the above line, but he could have been. 

Too often, security is an excuse for not innovating.  Up until about 18 months ago, the easy answer when someone in your company wanted to use a new smartphones or go mobile with enterprise apps was “no”.  As one of my favorite analysts said a few months ago, if you want the world’s most secure smartphone, take out the SIM, put it in your filing cabinet, and lock it.  Fantastic security.  Zero productivity.

Lots of us in the industry talk about mobile security – how it is advancing, and how companies can legitimately “go mobile” without sacrificing enterprise data.  While it’s true we’ve come a long way, there is an elephant in the room that needs to be recognized:  Mobile will not be as secure as the desktop.

Or let me rephrase.  If you focus on restrictive lockdown in an attempt to make mobile as secure as the desktop, you don’t have a mobile strategy.  You have a desktop strategy on a smaller screen.

Should the focus of IT be prevention or productivity?  Of course both are important, but which is primary?  That is an important distinction because the decisions you make will be fundamentally different.

So let’s accept the fact that if I want to leverage the innovation and productivity of mobility, I am going to HAVE to deal with a different risk profile than I’m used to.  So instead of trying to force fit desktop security onto mobile, which either doesn’t work technically across devices or isn’t accepted behaviorally by users, start with the productivity goals. 

• What is the value of mobility to my users? 
• How will it let them do their jobs better? 
• How will it increase their satisfaction? 
• How will it give me business advantage?

And then put in place reasonable protections and policies that give you confidence while achieving the goal of smarter tools for a smarter workforce.  Back to hockey, you can’t score that goal without taking a great shot.  Being bounded by traditional approaches while your employees race past you is a recipe for IT obsolescence.

Last week, I saw a fantastic presentation from the most innovative IT organization in pharma talking about never building another enterprise app … instead building consumer apps for employees to use.

The week before, at CTIA, I saw some new Android “enterprise-class” phones and couldn’t help but think that design by committee never works.

Sure, there have been a ton of articles written about the consumerization of mobility and IT in general, in the enterprise.  But it did strike me that many of us have been looking at this trend through an inverted lens.

The IT organization in most companies is still adamant about trying to put in place policies and restrictions to make smartphones and tablets feel more like laptops, at least from a security and management perspective.  This is very understandable because the consequences of security failure are high and so we’re trying to keep the enterprise smartphone alive.  But we can’t resuscitate the dead (employees don’t want to use the “old-gen” devices) so we’re dressing up the newcomers to look like the predictable and known. 

But it’s no longer about IT.  It’s about the user.  And that user – that person - is a consumer 24 hours a day.  Sometimes they consume personal services, and sometimes professional, but their expectations are equivalent for both.

There will be no more enterprise smartphones or tablets.  There will only be fantastic consumer experiences that can be configured securely.  So “enterprise” becomes a configuration option, not a design constraint.  If I don’t want to use a particular phone or tablet on the weekend, I also don’t want to use it during the week. 

Instead of IT telling me “Here is the device you will use for wireless email“, I will now ask IT  “How will you give me a mobile work experience I love?” 

Command-and-control will fracture and move to cooperation.  The enterprise risk increases, without a doubt, but so does the value.  That’s a scary equation for most companies because it feels uncertain.  But it is inevitable and  I’ll write in an upcoming blog about how some IT teams are taking on this challenge one step at a time.

As he put it:  “Our challenge is that our infrastructure, applications, and databases are designed for a perimeterized world.  Our systems rely on a strong perimeter.  We need to tear that perimeter down.”

The catalyst for the conversation was smartphones, which operate almost constantly outside the perimeter.  Since the perimeter is no longer “reliable”, security becomes a matter of trust.  Which device do I trust with which data for which user under which circumstance?  The same questions, certainly, as existed before smartphone adoption.  But the answers are now much more difficult to pin down.  The trust model for mobile is a rapidly moving target.  New operating systems appear every year.  New devices appear every week.  New consumer apps appear every minute.  And end-users constantly set and change the debate.

How does a security team keep up?  The more rigid ones will likely fall behind.  The nimble ones will adopt a flexible mindset that can trade effectively between security and privacy, usability and control.  Protecting enterprise data without compromising end-user experience will be the goal.  A dynamic but rational model of trust that can operationalize the model below will be one of the important tools.

(Thanks, Terry, for the ideas behind this post)

Existing models for smartphone management take a very one-way approach to security.  IT ends up being the police force and it’s a role that is not scalable, especially since users are reticent to give up control of their phone to begin with.  Employee-owned phones just make the problem worse.

The central theme of the column is that responsibility needs to be shared in order for behavior and data to be secured.  This model of Cooperative Security requires both a change in mindset and policy, plus access to tools that support both.

Back in corporate-land, there is no personal space.  Companies are very clear that all communication on company networks / devices is company property and the employee should have no expectation of privacy.  For legal reasons that needs to extend to employee-owned devices being used for corporate work as well.

But as an employee, that grates me.  It’s my phone and I really don’t want my employer to have access to my pictures, videos, ringtones, and [yahoo/g/hot/other]mail.  I need a data boundary that I know will be respected in all but the most exceptional situations. 

Companies are realizing this too.  @hyounpark_AG at Aberdeen Group has early data that says 20% of companies allow all employees to use personal devices.  That’s actually a staggering number.  The implication is that the need to set enterprise data boundaries is a problem of the present, not just the future.  Employers needs to protect corporate data and ensure compliance while respecting employee’s personal content.

But what boundary should my company set?  Is this type of flexibility a boon to employees or a bane to legal?   

True, it’s a question of both policy and technology, but I think most importantly it is a question of end-user satisfaction.  If you have employee-owned phones, your users need a good answer.  That answer might vary company to company but, like my Left-Guy / Right-Guy problem, it can’t be ignored.