Realizing all the Promises of Mobility

The SBIC has produced a new report that is mobile centric called “Realizing the Mobile Enterprise.”  The council builds on data.  In this case, it builds on a fascinating series of online polls that show a rapid litmus-like test of the mobile landscape and, in particular, the degree to which “the enterprise” (an interesting notion in itself, but more on that later) and security are both embracing and adjusting to all things mobile.  Some interesting answers popped up…

1. Have you ever broken your organization’s mobile policy to get work done: 29% yes!
2. Do you use a mobile device for both personal use and work: 79% yes!
3. Has your organization deployed any mobile apps to it’s workforce: 55% yes!
4. Of 126 organizations in one survey, only 2 hadn’t had a security incident around mobile!

Clearly, mobile is here; but it doesn’t make sense to leap into a discussion of mobile though without setting the back drop a little first with the context of what else is happening right now.

The world is changing: services are moving out of (proprietary) data centers and into the clouds (I like the plural better than the singular) while the masses are holding their smart device aloft and taking control of their own IT services.  IT in the brave new world of the consumer-industrial complex is about personal IT, and it dwarfs anything the corporate world knows in terms of power, efficiency, flexibility and availability.  Add to this mix and increase in pressure from the dark side of the Internet.  The bad guys are out there and getting more effective and prevalent.  Then perhaps the most interesting trend of all rising up against this backdrop: the rise of effective intelligence in the form of Big Data (see Ellen’s recent article on how RSA is betting big on Big Data).

This is the world we find ourselves in, and it’s adapt-or-die time for anyone who has sold into or on top of IT for the last 2 decades.  In the security world, we have known 3 dominant authentication use cases for the last decade…possibly two decades: VPN, portals and badges.  The world of authentication gravitated around and among these three with companies rising and falling, careers expanding or shrinking and technology fights going back and forth among these three.  But now, we have an unpredictable state where use cases by-and-among a completely unpredictable and expanding landscape of Linux, Windows 8, Droid, RIM, iOS devices and social networks and SaaS, PaaS, IaaS based offerings and private / community / hybrid clouds and even back into legacy data centers and networks and legacy device types that might cover everything from a classic Windows laptop right up to the Mainframes that persist somewhere behind the racks and stacks despite all the doomsayer’s calls.

Now back out again and focus on mobility.

The company that embraces mobile is going to be quick, agile, effective, efficient and attractive.  It will pull employees, partners and most importantly customers into its gravity well.  The company that doesn’t will find itself flat and unappealing.

First, it’s important to build a core competence in mobile.  This is a different set of skills that isn’t just an extension of the app-building function or familiar device management functions of companies over the last 20 years.  It also has to revolve around people who are aware and tapped into the other revolutions in the enterprise (like Cloud and Big Data) if it is to adapt and to be relevant.  And this competence, by the way, must have a security dimension too.  The bad guys are real and persistent: so don’t undo decades of work by moving to mobile in the wrong way.  You can be on the cutting edge and secure at the same time.

An extension of this is “mobile awareness” in adjacent functions.  Take the long view here: expand mobile situational awareness among the corporate security teams  and integrate take the long-term view by investing in more risk-based and adaptive controls, especially around authentication since the connections are about to become much more “genetically” diverse and rich as we move from the simple 3 use cases to an explosion of connection types.  It’s not limited to that, though, but should embrace network segmentation, data-centrism and cloud gateways too.

Next, it’s time for companies to establish real rules and principles for mobile governance.  Make this cross-functional with clear goals and an articulation of business benefits.  Will mobile save money or not?  Will mobile make money or not?  What does it do for risk?

Finally, create a tangible action plan, and I emphasize the work action.  This isn’t about quarters and years; it’s about weeks and months.  The mobile space itself is changing so fast that it effectively unrecognizable over a span of 2 years: companies in the mobile space rise to global success or dwindle to insignificance in 2 years.  It’s about being ready to ride the mobile wave, rather than build for a long-lived new mobile stasis.

This is one of the most exciting times in IT precisely because the realm of what’s possible is changing rapidly, and the ability to succeed in business is right there enabled by brand new technologies.  So too, however, is the ability to become irrelevant in a remarkably short period in time.  I highly encourage you to check out the new SBIC report and draw your own conclusions on this one for what bets you’ll make and how you’ll realize all of the benefits of mobility.  I know what bets we’re making at RSA, and now it’s time for you to place yours.