There is a frightening lag between organisations’ zeal to use mobile devices and their ability to deploy them in a way that complies with regulatory security mandates. And it looks like business managers are pointing the finger at IT, while IT is pointing it right back at them, over who is holding things up.
These were a couple of revelations from “Comply on the Fly,” a report just published by the Business Performance Management Forum, an organisation whose members work collectively to improve general business financial and operational performance. The forum’s members comprise cross-departmental business and IT executives in multiple industries worldwide.
When IT personnel were asked what they need to get senior management to step up to the mobile compliance challenge, 38 percent of respondents said, “A security breach,” according to Adriano Gonzales, vice president of strategy and programming for the forum. “I thought that was alarming.”
He added that 40 percent of the respondents to the 700-organisation survey on which the report is based admitted they do not have the policies needed to govern sensitive data residing on mobile devices. Yet half the organisations said that at least 25 percent of the mobile devices currently in use carry mission-critical and potentially sensitive information.
Why the mismatch?
The majority of business managers say it is up to IT to “make it happen,” while IT executives counter that they have a tough time getting management’s blessing to treat mobile security as a priority - and the resources needed to do it. One reason is that other compliance projects are taking precedence, observed Gonzales.
He offers a high-level methodology to fix this problem, stressing that enterprises need to band together, cross-departmentally, in a multidisciplinary approach to make sure all the compliance i’s are dotted and t’s are crossed. He suggests beginning with the following basics:
- Assess the use of mobile devices in your organisation – who’s using them and how?
- Perform a thorough risk assessment around these devices, then prioritise actions based on the risk and potential impact associated with each.
- Implement a corporate-wide governance framework tightly integrated into your overall network management systems fabric.
- Work out which devices and hard drives need to be encrypted, how access to them is to be secured, and so forth, so that the controls match the auditing, archiving, and security mandates that apply to your company.
The report was built on a worldwide study conducted by the forum and its advisory board, who surveyed executives across multiple industries with director-level titles and higher.