2012-12-03
Abstract
‘The BYOD concept needs a maturity model to ensure there is a clear path to increased organizational security’ Jeff Debrosse, Western Governors University
Copyright © 2012 Virus Bulletin
One of the latest terms to find its way into public and private organizations is ‘BYOD’ (Bring Your Own Device). While the practice of allowing employees to use their own mobile devices to access corporate networks and resources is typically considered to be cost effective and accommodates the users’ desire to use their own devices, the concept needs a maturity model to ensure there is a clear path to increased organizational security while maintaining (or increasing) cost-effectiveness.
While this article could propose a mobile security maturity model (MSMM), addressing the many permutations of organizations, needs and policies is beyond the scope of such a short piece. Instead, this article aims to act as a catalyst for organizations to think about BYOD implementations – or perhaps to think differently about them.
In the world of business and software product development, I’ve come to embrace the concept of the ‘Agile’ software development process. Through cycles known as iterations, products are progressively completed in planned and measurable phases (versions). At a certain point each version is considered production-ready. In other words, a pre-determined level of functionality and usability has been met. This process allows the developer to quickly deliver alpha, beta and subsequent releases to customers.
Applying these concepts to the mobile security maturity model allows for four areas of focus to help ensure the organization is tracking toward its BYOD goal:
Agile. Threats are evolving and infection vectors change continually. The maturity model must be evaluated regularly to ensure that it addresses the dynamic landscape of threats. The model and the organization must be structured in such a way that makes it easy to pivot and realign to the threats when the difference between the maturity model and the threatscape becomes significant enough to warrant a change.
Continuous improvement. When moving forward in the maturity model, each progression, regardless of size, should represent increased security and cost-effectiveness. Setting these two goals to pre-set, quantifiable values can help to meet an overall efficiency goal.
Time-constrained. To get the maximum effectiveness from the MSMM, the time it takes to make the transition between levels should be as short as reasonably possible; otherwise scope creep and organizational malaise may set in and destroy, or at least marginalize, a very important process. The key is to truly understand the time required to make the transition to each level.
Measured output. By tracking quantifiable targets (e.g. costs, number of devices, time taken to implement), it is possible to determine the organization’s overall velocity on MSMM implementations and on subsequent iterations through the model’s steps. This also increases the accuracy of forecasting and the ability to set realistic and attainable goals. Ultimately, the organization will be able to forecast long-term goals, set stakeholder expectations and determine the business value accordingly.
As companies strive to determine the best model, framework, or home-grown process for BYOD implementations, at a minimum, they will have to determine goals, stakeholders, domains and processes from the outset.
Regardless of whether companies choose to implement a mobile security maturity model, the BYOD trend is continuing to gain momentum – and is here to stay.