I’ve never actually seen lemmings jumping off a cliff but I have observed companies blindly following others into bad decisions regarding their security. It seems CEOs and CIOs are unwilling to spend the time analysing their requirements and undertaking a robust selection process to ensure those requirements are met. They prefer to “follow the crowd”.
One area in which I’ve seen bad decisions being made is in the selection of mobile device management solutions. Many companies prefer to select the same solution as their competitors. I assume the thinking is “we need a solution so that we don’t get left behind” and “if our competitor has chosen a solution it must be good”. Unfortunately, there are then two companies with sub-optimal solutions.
There is no doubt that support for mobile devices is essential for all companies these days, but one size does not fit all. In fact, there is great diversity in the deployment of MDM solutions. A solution for staff is necessarily different from a solution for business partners, and much different from a solution for customers. For staff, companies must decide whether they will issue corporate devices, over which they have complete control, or support a BYOD strategy whereby they encourage their employees to use their own phones for company business. If it is the latter, they will probably want to put a “protected zone” on each staff member’s phone over which the company has complete control. These sections in the phone’s memory can be deleted if the device is lost or the staff member leaves the company.
For business partners, putting a protected zone on their phone presents a challenge because most people will not let a third party interfere with their phones and tablets. Indeed, they might be corporate devices issued to the business partner’s staff. This means less control over the remote device, and it is therefore important to segment the business application(s) that these organisations can access so that access to protected areas remains restricted and only appropriate facilities are exposed externally. A business process mapping exercise will typically identify the transactions that need to be supported and the interface required to facilitate access by external devices.
Customers are generally easier to support, unless you need to positively identify users as they access your facilities. If you are going to offer customers the ability to write to your facilities, i.e. purchase from your website, and you want to track their access, a mechanism to have the user identify themselves is a good idea. Since customers generally will not register for a username and password, a better solution is required: provide your customers with an “app” for interaction with your company. This provides the ability to use modern technology to positively identify them via the device they are using every time they access your facility.
The next challenge is to adequately manage the application you put on external devices. If it is to provide your business partner access to your inventory levels, the challenge is modest. If you are tracking customer access for marketing purposes and you want to understand how your users transact business with your company, you will want to track their transit through your site so that you can identify problem areas, hopefully before the application is deployed. That means you need an application development tool that facilitates keeping your customers happy and your facilities protected.
So – there’s no “cookie-cutter” approach to mobile device management. To select a product based on what everyone else is doing is abrogating your responsibility to your company. You need to know what you want before you go to market, you need to document your requirements, and you need competent staff to properly manage the search and selection process.
To do anything less is too lemming-like.