Selling mobile security to the board can be done if you focus on the benefits presented by securing people and email.
Speaking at the Gartner Security and Risk Management summit in London, John Girard, vice president and distinguished analyst in Gartner’s Info Security and Privacy Research Centre, said that the best way to sell mobile security to the board is “people, people, people, people and people”.
He said: “If we sell security on the basis of fear, and if we only buy when we are uncomfortable, then we are more often uncomfortable than comfortable. We want security when trying new things and need to explain that security has a business benefit.”
He encouraged looking at the issues that mobile security can address: devices, storage, sharing and apps. He added that with mobile security you can turn a complaint into a useful action. “If you have a policy for phones and tablets, you need one for laptops; and vice versa,” he said. “Have a policy for Dropbox, but also one for using it on laptops and phones. The best way to sell security is to point out the same damage potential.”
Girard also encouraged IT teams to get management to use a solution, because if you can convince management to use it, then the rest of the company falls in line. “Who is a noisy person, and if you have a fight back from the end-user, you cannot focus on selling to management,” he said. “How can you explain and sell benefits? Do your job more easily if you use company tools than your own.”
He concluded by saying that complaints and barriers can be used as a way to sell benefits, and advised making sure you have a failure plan and know how to deal with it, as management will see that you are planning ahead and will ask what the next steps are.
In a separate presentation on achieving mobile security easily, Dionisio Zumerle, principal research analyst with Gartner Research, said that mobile security can “take the fun out of it”, but it does not see traditional client management in this area as the concept is about enabling, and using corporate storage and locking things down.
He said: “Mobile Device Management (MDM) is interesting, as it is not a security tool and security is not buying MDM.” Asked by IT Security Guru who was buying MDM technologies if security was not, Zumerle said it was often IT operations, IT service management and, in larger firms, enterprise mobility managers.
To bridge the gap, Zumerle recommended four ways: install an agent on the device and make decisions on what to do; use MDM and a hook for capabilities, where the Magic Quadrant “leaders” partner with security “leaders”; use Exchange ActiveSync, which is agentless, so you can do vulnerability management and it is built on the device; or be passive, which is like network access control, so it is not granular and does not give you the possibility to intervene.