Educating the CEO on Mobile Applications
Striking a Balance to Meet Customer, Employee RequirementsLook at where technology is taking us. Very soon all CEOs will need to mobilize their business applications in order to serve their growing population of Android, BlackBerry or iPhone users. At the same time, they'll need to address both opportunities and risks associated with this.
Consider the following:
- According to the 2011 (ISC)2 Global Information Security Workforce Study, conducted by Frost & Sullivan, which surveyed 70 percent of respondents said that more than 25 percent of the employees at their organization have mobile computing devices. Also, 66 percent of respondents worldwide reported mobile devices as a top or high concern.
- Frost & Sullivan's research shows that smart phones are growing at a rate of 21 percent in North America alone, and the newest devices-tablets and e-readers are expected to be the next devices of choice, with an expected 22 million units to be sold in North America by 2016.
As security professionals, there is an expectation for us to develop applications for these new platforms in a secure manner, says Alessandro Moretti, an ISC2 board member and a senior risk manager at a multinational bank.
"Perhaps its time for setting another expectation that includes educating our executive leaders on these emerging technologies," he says.
A CEO must understand how mobility is changing the modern day's connectivity and lives to be able to think forward and innovate. Mobile applications now have the potential to transform customer experience on a ubiquitous scale, Moretti says. An example, users of mobile devices can now access their bank accounts, check their account balance, transfer money to some other account, pay their utility bills online, etc., just by comfortably sitting at their home or office.
As a chief security leader at Intel Corp, Malcolm Harkins agrees and says, "We are in the best position to drive this initiative and discuss with our CEOs both opportunities to innovate and how the organization can strike a balance to address the IT security and risk issues involved."
What's interesting here is an indication of how the role of IT security leaders is changing to business thinkers.
Perhaps now we can clearly see them sitting in a boardroom, sharing a seat with other top executives, discussing not only the risks and exposure that these new technologies bring, but also the impact of these applications on the business, employees and its customers.
For Moretti, education of his executive team begins with making them realize how they interact their lives using mobile devices -- be it to register for their kid's classes, do online shopping or pay bills. "Engaging them in their own daily lives is key," Moretti says.
Once a CEO understands the value and risks catered through mobile functionality, it is easier to discuss mobile innovations, policy and how the company can then strike a balance to meet customer and employee requirements.
For instance, Moretti points out that when a scenario is shared with a CEO on the likelihood of corporate data being leaked through either theft or loss of their device, "You have their full attention."
Moretti also believes that security leaders play an important role in communicating with the executive leaders the need for an IT mobile enterprise policy that covers the personal and corporate use of mobile devices by employees.
"We are the ultimate owners of risk and as such in a position to help the executive team determine the need for a mobile policy, whether it's data leakage, malware prevention or unwanted use of enterprise resources," Harkins says.
Considering the impact of mobile technology on data protection and the overall organization's reputation, it is the security leader who can advice a CEO on which controls to put in place devices that can or cannot link to the network, what permission and restrictions users can have to access corporate data and access to what information needs to be restricted.
Again, CEOs need to consult with their security leaders to fully understand the balance between innovating quality products and having a comprehensive review process in place to ensure that the new applications have security built-in and are compliant with industry regulations and standards.
Ultimately, it is the CISO's responsibility to be instrumental in changing the mindset of senior executives and gaining their buy-in that security is an enterprise-wide problem, not just an IT issue. And as such, security leaders should take it upon themselves to participate in educating their executive team on issues that are emerging and making IT security a more integral part of the business.
As a security leader, what approach have you taken to educate your executive team on mobile platform and applications?