As mobile grows, so do security threats. I recently had the opportunity to attend a breakfast with several chief information security officers (CISOs) and hear them talk about their mobile security concerns and strategies. It quickly became apparent that everyone had their own unique company cultures and primary concerns they were trying to address. Here’s how the meeting played out:

Breakfast Is Served

We were arranged around a long boardroom table, and introductions started directly opposite me, meaning I would be the last to introduce myself and comment on mobile threats and strategies. My goal was to learn as much as possible about their concerns and educate them on my experiences without delivering a biased sales pitch. It turned out to be one of the most valuable mornings I have had in the past several years.

The first few attendees got right into the issue of protecting devices, managing the end-user experience and dealing with the cultural concerns of Big Brother. Their primary concern, which is consistent with the results of IBM’s “The State of Mobile Security Maturity” report, was how they could secure a device so that if it were lost or stolen, they could locate it, wipe it and prevent it from becoming a conduit back to the enterprise.

The challenge is doing this without having a major impact on the end-user experience and making users feel as if the company is watching their every move. This theme was consistent with what I hear every day. I was ready to jump on the topic, but there were several more attendees ahead of me.

Challenges Surrounding Access Controls and Mobile Security

The discussion around user experience led right into the topic of managing access. The CISOs talked about how they can manage access to make it as simple as possible while also maintaining security. They posed the question, “If my access control is strong enough, do I need to worry about protecting the device?”

While it still wasn’t my turn to speak, the answer is “no” — one security measure does not replace the other. They are both part of a layered-defense approach to securing the enterprise.

Then, they teed up the topic of context-based access control: How do I put some intelligence around my access-control decisions so I can decide what level of authentication is required based on context around the session? This is a topic I really enjoy talking about. Every session has so much context that goes with it, and when viewed in relation to previous sessions, the context can assist you in making the right authentication decision.

Balancing Personal and Corporate Information

From there, the discussion turned to securing content and collaboration. However, they didn’t use those words — those are the words used in the IBM Mobile Security Framework. They did talk about how they could protect documents, separate business and personal content and allow for document creation, editing, etc.

The mixing of business and personal content is a major concern for companies. How do you protect business content that is intermingled with personal memos, contacts, documents and other things? No one wants to see this month’s sales plan or the new product strategy accidentally shared outside the company. This led to discussions about secure containers and how they affect the end-user experience.

I thought we were going to miss the topic of application security, but someone finally raised questions around managing apps. How do you manage end users who constantly add and update apps on their devices? How do you identify devices that have apps with known security issues? How do you conduct whitelisting and blacklisting of apps? As long as we’re talking about identifying risky devices, how do you identify devices that contain malware or have been jailbroken or rooted?

There are several answers here. First, provide users with approved apps via a private app store or supply a list of approved apps. End users will often go with an approved option if it is offered to them. In the absence of approved apps, they go with whatever they can quickly and easily get their hands on. Second, educate users on what makes some apps dangerous and how jailbroken or rooted devices affect the built-in security features of a device.

The Need for Tough Love

Finally, be prepared to enforce your security measures with tough love. Put simply, there are certain things you cannot tolerate if you want to have a secure enterprise. Tell employees that if they insist on doing these things, they will not have mobile access to the enterprise. This doesn’t have to be a consequence that lasts forever. As soon as the risk has been remediated, they can again have access to sensitive corporate resources.
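The context-based access decision and the tough-love rule described above can be combined into a single policy check. The sketch below is an added example, not part of the original article or any IBM product; the blocklisted app ID, the risk weights and the threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy value for illustration; not from the article.
BLOCKED_APPS = {"com.example.sideloader"}   # hypothetical blocklisted app id

@dataclass
class Device:
    device_id: str
    rooted: bool = False
    apps: set = field(default_factory=set)

@dataclass
class Session:
    user: str
    device: Device
    country: str
    network: str          # "corporate" or "public"
    resource: str         # "general" or "sensitive"

def posture_violations(device):
    """Return the reasons a device is barred from enterprise access."""
    reasons = []
    if device.rooted:
        reasons.append("jailbroken or rooted")
    bad = sorted(device.apps & BLOCKED_APPS)
    if bad:
        reasons.append("blocklisted apps: " + ", ".join(bad))
    return reasons

def decide(session, history):
    """Pick 'deny', 'password' or 'mfa' from device posture and session context."""
    if posture_violations(session.device):
        return "deny"                      # lifted once the device is remediated
    previous = [s for s in history if s.user == session.user]
    risk = 0                               # weights below are assumed values
    if session.device.device_id not in {s.device.device_id for s in previous}:
        risk += 2                          # device never seen for this user
    if session.country not in {s.country for s in previous}:
        risk += 2                          # location differs from earlier sessions
    if session.network != "corporate":
        risk += 1
    if session.resource == "sensitive":
        risk += 1
    return "mfa" if risk >= 2 else "password"
```

Because the posture check runs on every request, removing the offending app or restoring the device is enough to regain access; no separate reinstatement step is needed.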

By the time the CISOs were done with introductions, they had raised all the topics I had planned to discuss for the day. It was obvious that the CISOs had the full range of mobile security concerns on their plate, even though they each had their own top priorities. I thanked them for the perfect lead-in to my pitch and started my presentation.

My presentation was laid out as the IBM Mobile Security Framework. While it carries the IBM name, it is really a blueprint that anyone can use when they develop their mobile security strategy. It introduces the following four imperatives:

  1. Protect devices
  2. Secure content and collaboration
  3. Safeguard applications and data
  4. Manage access and fraud

My key message to the audience was that they have identified the mobile threats, but as soon as they search for a solution, they should take a holistic view of the challenges and look for an integrated approach to addressing them.

To learn more, watch a panel of IBM Mobile Security experts in our on-demand webinar titled, “Take an Integrated Approach to Mobile Security and Address the Full Breadth of Threats.”
