From: HSToday.us
By: Dan Verton
A new survey of more than 100 federal IT security managers, including senior management, IT operations, and risk and audit managers, shows that while government expands its use of mobile devices in the workplace, only about a third of agencies – 38 percent – have a strategy for monitoring those devices.
The so-called “bring your own device,” or BYOD, policy has been a hot-button security issue for the past several years, particularly since the mobile computing world has exploded with a wide array of device options, from smart phones to tablets, all of which introduce new complexities and potential security vulnerabilities for agency networks and sensitive information.
But in the new 2012 Federal Information Security Initiatives Trend Study released today by San Francisco-based nCircle, 62 percent of respondents said their agency did not have a strategy for monitoring the new devices that are flooding onto their agency networks.
“Almost twice as many folks do not have a strategy for monitoring the variety of mobile devices being introduced into the government space, as those who do,” said Keren Cummins, director of federal markets for nCircle. On a more encouraging note, “it appears that a significant majority of agencies do indeed have a mobile device security policy in place, and that they enforce it,” Cummins added. In fact, the survey found that 91 percent of respondents acknowledged having a policy in place governing the use of mobile devices.
“This is one of those places where the cost savings and the enthusiasm associated with an initiative got a little bit ahead of the technology being available to secure it,” Cummins told Homeland Security Today. “People started bringing their own devices and I think some agencies discovered that they had a bring-your-own-device program without necessarily realizing it,” said Cummins. Agencies then immediately put policies in place for mobile device use, “but there weren’t necessarily technologies [available] that fully supported monitoring and compliance,” she said.
Greg Garcia, principal at Garcia Cyber Partners in Washington, DC, and the former Assistant Secretary for Cyber Security and Communications at the Department of Homeland Security, said the number of respondents without a strategy for monitoring mobile devices seems alarming at first glance. “What it looks like you’re reporting is that they have a policy on mobile but they’re not implementing it well enough to see whose devices are on the network and who shouldn’t be on the network,” said Garcia. “That indeed would be problematic. A strategy without implementation is a hallucination.”
Tiffany Jones, Director of Public Sector Strategy and Programs at Symantec Corp., Mountain View, Calif., said she agrees that the statistics cited in the survey are troubling. “But the reality is it’s probably worse than that,” said Jones, who also served as the Deputy Chief of Staff for the President’s Critical Infrastructure Protection Board in the White House.
Jones said she has had several recent discussions with federal customers who are concerned about the influx of new devices and the impact they are having on both network and data security. “We’ve seen this before,” said Jones, referring to the slow evolution away from perimeter network security with the introduction of the laptop computer. “But federal agencies are now coming to the realization that smart phones are more than just a device and their employees are not just using them as mobile phones,” said Jones. The major concern now, she added, is securing the data that is crisscrossing between federal networks and personal devices.
Cummins said she has seen more activity in industry focused on specific aspects of security monitoring for mobile devices, but nothing comprehensive yet. She expects that to change. “I don’t think this is a case where the agencies were asleep at the switch,” said Cummins. “I think they were kind of trapped between what was happening with BYOD and what was available in terms of monitoring.”
General Dale Meyerrose, president and founder of the Meyerrose Group and the former Chief Information Officer for the Director of National Intelligence, said the statistics cited by the new survey are problematic but not surprising in two important respects.
First, the Information Age has accelerated the BYOD phenomenon in the workplace and has also blurred the lines between personal lives and work, said Meyerrose.
“Second, most IT organizations are more skilled at setting up rules than solving problems,” Meyerrose added. “I think that the statistics that you cited bear that out. It’s difficult for the IT community to keep up with work force demands – let alone get ahead of them. However, the usual ‘just say no’ to the creep of consumerized devices into the workplace heightens distrust in the credibility and skill of the IT organization.”
Meyerrose said he is personally “elated” by the current BYOD movement, because it is “causing the IT community to face up to reality.” But, he added, “the current environment changed many in the IT and security business from an ostrich with its head in the sand to looking like a deer staring into the headlights of an oncoming vehicle.”