Security Practices and the Consumerization of IT

In my last blog post, I mentioned Ernst & Young’s 14th annual Global Information Security Survey. One very interesting aspect of this survey is related to the use of mobile computing platforms.

The report states, “our survey shows that the adoption of tablets and smartphones ranked second-highest on the list of technology challenges perceived as most significant, with more than half of respondents listing it as a difficult or very difficult challenge.”

[Figure: IT Security Controls for Mobile Computing]
I think this data highlights one of the challenges that many organizations are grappling with around the “consumerization of IT.” IT departments are being challenged as they are asked to support a rapidly increasing list of devices from a plethora of vendors. The survey teases out some of the strategies and tactics that many organizations are evaluating and/or employing to manage the risk of having corporate data on devices that don’t have as granular security controls as they’d like or are used to. Some of these devices might not have basic security or management capabilities. This challenge is compounded by risks associated with these devices connecting to ubiquitous social networks and the creative ways many people are choosing to connect and share data these days.

Given that managing a growing list of devices becomes more challenging as the list grows, many of the CISOs and CSOs I have discussed this topic with are focusing their efforts on securing and managing corporate data instead of the devices used to access the data. While this approach is not without its own challenges, it helps put some of the findings of the survey I mentioned into perspective.

Encrypting corporate data and/or segregating corporate data from personal data that might cohabitate on computing devices are becoming aspirational goals for many organizations. In the meantime, I can see the wisdom of the survey respondents focusing on policy adjustments and security awareness. Establishing acceptable use policies and increasing awareness of those policies and why good data hygiene is critical are very effective practices whether your workforce is using mobile devices and/or desktop PCs. If you haven’t had the time or resources to focus on security awareness, the Microsoft security awareness program tool kit and guide might help you get the jump start you need.

About the Author
Tim Rains

Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Tim Rains is Chief Security Advisor of Microsoft’s Worldwide Cybersecurity & Data Protection group where he helps Microsoft’s enterprise customers with cybersecurity strategy and planning. Formerly, Tim was Director Cybersecurity & Cloud Strategy in Trustworthy Computing at Microsoft, where he