By Richard Dornhart, National Practice Manager – Security, Data#3
As we’ve discussed in previous posts, enterprise mobility should be approached as a “people first” strategy, not a “technology first” project.
However, whenever mobility discussions arise within a business, the first thoughts are typically about securing and managing the mobile device. That’s because the IT department sees mobility as a risk – how do you protect corporate data if a device is lost? What if confidential information is being downloaded outside the corporate firewall?
This thinking then generally leads to mobile device management (MDM) and a technology first approach, which is understandable because in the early days, mobility was always about the device and how it was managed, locked down and “protected”. But not any longer.
This isn’t to say that security and device management are not important, because they obviously still are. What we’re advocating instead is a user first, technology second philosophy. Business is predicated on people and productivity, so technology should be viewed as something that can support that, not constrain it.
It’s about a framework approach that considers every element of mobility, bringing them together to deliver on the enterprise mobility promise – ‘The Anywhere Workplace’.
So if it’s not just about MDM, then how do you address security and management concerns?
The first step is to shift the discussion away from the device. The device is not nearly as important as who is using it, where they’re using it and what it’s being used for. The conversation shifts from the device to the information that is on the device, or being accessed via the device – that is the real asset.
Users also have multiple devices these days and they constantly shift between those devices depending on where they are and what they’re doing. This is only going to increase as the wearables market heats up with new products and new capabilities, so focusing on the device becomes even less relevant.
Security in this situation must be frictionless. If security is implemented as a device-centric function, it acts as a roadblock – and people will look for ways around that roadblock. You need to provide users with a consistent platform experience, regardless of whether the device is a 1-inch smartwatch or a 65-inch conference screen. An experience in which security is an intrinsic component linked to the user and the information being accessed, not an IT-enforced add-on.
This is where context comes in: knowing who should be accessing what information, where and when. This can only work if you have an inherent understanding of the different user roles within an organisation and can document it via a user segmentation exercise – the topic of a previous blog post.
However, that’s not the only consideration; you must also understand your information. Information is constantly evolving and organisations are struggling with the burden of unstructured data. The solution is to carefully classify this information to provide context. For example, sensitive financial information may be accessible inside the office but not outside the office. When combined with user roles, your systems can then make informed decisions. Policies can dictate how that data can be used and where it can be consumed, giving you comfort that situations and combinations of information and devices you may not have considered are fully protected without impacting the user experience.