Take one laptop, add a pinch of tablet (any flavour), smart phone and wearable, and simmer gently, adding a liberal sprinkle of home device as required. Serve on a bed of self-regulation, et voilà: Trouble is served!
And so begins the normal route to what some would call a mobile strategy. Except this isn’t anything of the sort. It isn’t a strategy but rather a hotch-potch of technologies loosely cobbled together with no concept of the complete picture, nor what is actually being achieved.
Most modern enterprises have a need for varying numbers of their staff to be mobile. Presenting to clients, travelling to different offices, working from home, working on the move, as part of a flexible working program, present in a meeting room, working in a common space in the office or taking notes at a conference. The truism that ‘work is something we do, not someplace we go’ has never been more relevant.
There are many enablers for this trend, but the main one is that we are all being asked to do more, in the same amount of time, with a broader group of people, and with the traditional millstone of ‘place’ gradually being cut free.
What isn’t being removed, though, are the obligations we have to protect our data. In fact, we have never had so much focus on this, with stories of new data breaches appearing daily. And the new regulatory frameworks, such as the EU GDPR, the demise of Safe Harbour and the introduction of Privacy Shield, are all adding to the complexity of how we interact with our data.
So, a perfect storm. More chaotic data use, with complex and compounded regulations, and potentially greater financial penalties and reputational damage in the event of any data breach. Stuck in the middle of this melee is IT. Keep your users productive, but keep your data safe.
How did it become thus? How did we lose control of our endpoints? One potential starting point was the consumerisation of IT. People were able to buy better technology than their companies were able to give them. And they became much easier to use. And critically, with the introduction of the iPad, the top executive tier started demanding their use for work. It bucked every rule at the time, but Execs make their own rules. This gradually filtered down, the price point lowered, and suddenly many more people had them, and were demanding their use.
At the same time, though, people saw an opportunity for providing a better service to their clients, or just generally to make their lives easier. And as is usual, IT were behind the curve on this, and ended up trying to pick up the pieces. The ‘Trouble’ mentioned at the top. And it’s IT’s responsibility to try and package this new requirement into a coherent service that meets the business needs but also provides the necessary protections and controls. That’s part of the fun of being in IT: we’re at the centre of initiatives like this, and only we can make it happen.
So, what’s the process? As usual, you need to step back and evaluate what people are trying to do, and why. Ask those who are pushing the envelope for their view, rather than berating them for trying something new. It can be difficult to filter out the fluff from the substance, where the use of the latest shiny toy provides an unhelpful lens through which a real benefit can be viewed. There will be some of these, no doubt, but it’s a distraction rather than a theme.
The historic tendency to protect the perimeter of a network, where everything within is safe, everything without is not, no longer applies. Data will be distributed, but that does not mean it cannot be protected. Mobility as a practice, and cloud as an enabler, means that data will not stay still. So any controls need to apply to wherever that data is. These controls can be digital and they can be procedural. One is less useful without the other. Also, these controls need to be dynamic. As threats evolve, so do the controls to mitigate them.
Also, something is better than nothing. With unlimited budgets we could implement a full suite of tools, processes and policies, but often this is not possible. But what we can do is utilise the basic capabilities within our systems to apply some control. Couple this with a good education & awareness program, and an appropriately written set of policies, and we have the basis of a managed ecosystem rather than a chaotic unmanaged one. But do that with a bigger picture in mind.
Remember, this is all about protecting your data and information. So don’t just think about devices, although this is a good place to start. For example, would a BYOD (Bring Your Own Device), COPE (Corporately Owned, Personally Enabled) or CYOD (Choose Your Own Device) model fit your organisation’s budget and culture? Think instead about where the data or information resides throughout its use, and how it is used. What controls can you apply to it wherever it is, at rest and in transit? Is it better if some data doesn’t move at all, and users instead access the ‘single and immovable source of truth’? That’s OK, there are systems out there that can enforce that, too.
It will require a tightly managed combination of products, processes and governance. But done in the right order, at the right pace, and with the right sponsorship and awareness, it can be achieved without breaking your budget.
King Canute demonstrates the futility of trying to stop the tide [of change]. We don’t have to, and indeed, would be foolish to try. On the flipside, allowing uncontrolled mobility is equally undesirable. So accept the inevitable and examine how your organisation can benefit from the added engagement and increased productivity a well-cooked mobile strategy can deliver.