Rethinking Mobile Security: Q&A With MobileIron CEO Simon Biddiscombe

Mobile security is no longer an add-on for enterprise mobility, but rather a baked-in layer of the digital transformation process. Threats to mobile devices are skyrocketing, and protecting them – along with all endpoints in the company – is now the responsibility of everyone in the organization.

In Enterprise Mobility Exchange’s ongoing monthly column, Sit Down With The CEO, we caught up with MobileIron’s Simon Biddiscombe about the state of the mobile enterprise, and how security, UEM, GDPR and the cloud are all transforming how devices are protected. The following is a question and answer session between EME and Biddiscombe.

Enterprise Mobility Exchange: A recent report showed some 32% of enterprises are sacrificing security for speed on mobile devices. Why is the MDM, EMM market such a necessity with the growth of mobility and daily attacks?

Simon Biddiscombe: You should never have to trade security for speed. But you may need to re-think your approach in order to have both.

The challenge companies face today is that their people work very differently than they used to because they are using cloud services on mobile endpoints. We call this modern work. The benefit of modern work is that you move information to the edge of the network, so people can make better, faster decisions. The challenge is that your data is no longer confined to your data center and corporate networks, so you need a new security approach – and it has to encompass all endpoints. As a result the category has evolved from Enterprise Mobility Management (EMM) to Unified Endpoint Management (UEM).

There’s the technology piece, and there’s also a personal piece. It’s important to educate employees about security best practices. Even the well-intentioned insider still needs to be reminded of her responsibility to protect company data, regardless of how it is stored or accessed. Our phones, tablets, and laptops have a lot of business information on them and they have a lot of personal information too. It’s also absolutely essential to communicate to employees what data IT can and cannot see on their device, and why they need to see the things they do. Having visual privacy policy guidelines helps employees understand how UEM software protects their personal information.

Having talked about endpoint security, I also want to emphasize the importance of securing cloud data on mobile endpoints. People assume cloud services are automatically secure because they require a username and password but that’s not true. Business data accessed via mobile apps and browsers is highly vulnerable because:

        Apps store data persistently on devices

        Users can access data from cloud services using unsecured apps and browsers

        Cloud data can be accessed using unsanctioned apps that were built on cloud service provider APIs

EME: With GDPR bearing down, how important is it for enterprises to treat the entire landscape of endpoints – mobility included – with the utmost importance and security?

SB: Enterprises need to be able to secure the entire landscape of endpoints and GDPR has put a spotlight on this. It’s important to note that GDPR affects far more companies than just ones in Europe. Any company with employees or customers in Europe has to adhere to the GDPR requirements as well.

One way to look at this challenge is to highlight the top three areas where companies are making mistakes for mobile GDPR compliance – that way, they can fix these areas as soon as possible.

For starters, enterprises are allowing employees to download business apps to unprotected phones and tablets. Those business apps (Salesforce, Office 365, Workday, etc.) include personal information like contacts, names, employee details, etc. If that phone is lost in a cab, the company cannot protect the data. All endpoints need to be secured by a UEM platform.

It’s also important to note that enterprises are being reactive instead of proactive. The mobile teams are waiting for the legal/compliance teams to give them a questionnaire instead of, in advance, doing a health and compliance check on their mobile deployment.

Lastly, we hear from talking to our customers that they are worried that they will need a big consulting engagement to achieve compliance. But, GDPR compliance on mobile can be achieved with structured deployment of technology with minimal process change or consulting required.

EME: As EMM begins to evolve into UEM, how should CIOs and IT Directors begin shifting a multi-pronged approach of various management measures into a single-dashboard mindset, i.e., casting a net over the entire enterprise?

SB: There’s no reason for CIOs to be planning for multiple dashboards in the future. MacOS and Windows 10 have simplified endpoint security because any device running one of those operating systems looks like a mobile device. That’s a very good thing because it means that IT can secure them using the same lightweight, modern management tools that they use for their mobile devices. As CIOs plan for their Windows 10 migration, they should be simultaneously planning to retire their old CMS tools and move to a modern security and management solution.

Having UEM capabilities provides visibility and IT controls needed to secure, manage, and monitor any corporate- or employee-owned mobile device or desktop that accesses business critical data. Our software works by building an adaptive data perimeter around clouds and endpoints to control where business data goes and to provide a seamless user experience. Cloud and endpoint security are tightly coupled because data flows back and forth from cloud to app and must be secured end-to-end. UEM is foundational for this architecture because it’s the system of record for device trust and a necessary policy enforcement point.

EME: Beyond UEM what are the most interesting technologies that you’re investing in?

SB: We’re particularly focused on developing new solutions for cloud security and to protect against a variety of threats.

The mobile threat landscape is evolving. Employees readily connect to unsecured Wi-Fi, download business data to unsecured endpoints, or take actions that expose their data to malware. The number of reported cyber-attacks targeting mobile devices has doubled every 6 months for the last three years. Business data is being downloaded every day to hundreds of millions of devices that may not be protected by a security solution. And the surface area CIOs need to protect is getting more complicated. Most large organizations support Android, iOS, macOS, and Windows endpoints, which then access cloud services from dozens, if not hundreds, of application providers.

Securing this multi-cloud, multi-OS world is complicated, and we’re focused on developing solutions that address our customers’ business needs without compromising security. As I said at the beginning, you never have to trade security for speed.

EME: Thanks for the great insight, Simon!
