It's been said a million times about mobile: the pace of change is rapid; it's hard for companies to keep up. Actually, it's been said so many times, it hardly has meaning any more.
But at a recent BlackBerry Security Summit, Forrester Research, Inc. analyst Tyler Shields moderated a panel of experts, called the pace of change "absurd" and backed that up with some striking figures.
He blames it on "the speed of cloud," which is where enterprises, governments and healthcare organizations operate today. Here is what that translates to in terms of how quickly technologies have been adopted.
Take the landline phone: how long did it take to reach 50 million users? 75 years. Radio took 38 years, and TV took 13 years.
Enter the age of the Internet, which took 4 years to reach 50 million users; Facebook took 3.5 years, the iPod 3 years and AOL 2.5 years.
Now add the speed of cloud and the speed of mobility, and watch the pace of change accelerate. The app Draw Something reached 50 million users in 50 days, that is, a million new users every day.
Angry Birds took 35 days to get to 50 million users.
"The pace of change is unbelievable. The speed at which we are having to deal with these problems is absolutely absurd," said Shields.
Securing the Absurdity
In analyzing mobile security today, Shields concluded that mobile device management (MDM), though often thought of as the core of mobile security, is the "lowest level and most fundamental component; it is a commoditized piece." Managing the device is the easiest part, he said.
As you layer on security, you also layer on complexity. He counted about 14 different types of solutions: containerization and virtualization, app wrapping, secure network gateways, antivirus software and all the three-letter acronyms such as MAM (mobile application management) and EMM (enterprise mobility management).
"There are so many competing visions and solutions. More than you can possibly handle. It is very overwhelming," he said.
The Future of Security
Emerging technologies and many vendors are moving toward a more unified mobile security platform, Shields pointed out, and he believes that kind of platform is the core of where the future is headed.
"It's taking security at the application layer, the OS layer and the network layer, and merging those together into a single unified platform," he said. In his view, the vendors that take this approach will be the successful ones.
So what are the problems mobile security must address now and in the future?
To look at the issues in action, Shields was joined by several other experts. When asked what the threats are, Mark Weatherford, Principal with The Chertoff Group (and formerly Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security; Vice President and Chief Security Officer of the North American Electric Reliability Corporation; and Chief Information Security Officer for the states of California and Colorado), cited espionage, criminal activity, hacktivism and terrorism. In addition, the threats that existed in the PC world have migrated to the mobile world and exploded there, he said.
He broke it down into four major threat areas: network threats, application threats, OS threats and physical threats. Enterprise-class solutions can address the first three, but physical threats don't get enough attention and are very important. "Because people are the biggest problem. We can provide all the security tools and security controls that we want, but people tend to circumvent those," Weatherford said.
For any regulated industry, such as the electricity industry, cybersecurity is a bigger challenge. This is because, he said, "More and more of the outlying infrastructures around the country use more and more mobile devices."
Mark Lobel, Principal at PwC, works across multiple industries, including financial services and healthcare. Data from 17 years of PwC's Global State of Information Security Surveys shows a large increase in attacks across platforms, particularly in regulated industries.
"Why? Because there is lots of sensitive information there," he said.
Shields then suggested that it is not so much about the type of attack as about protecting data, and Lobel agreed: "That's the core of it."
In another regulated industry, healthcare, there is a "tsunami of change," according to David Jemmett, CIO of NantHealth. Between the transition to Obamacare and the push to move everyone to electronic records, software companies have struggled to build up the ability to manage that security. "And quite frankly, they were not equipped to handle it," he said.
Yet patient health information (PHI) is one of the most targeted types of data. From healthcare records, cyber criminals can get more usable information than from anything else, even more than from stolen personal financial data.
Healthcare was slower to move to mobile devices, but now that it is happening, Jemmett says his organization chose BlackBerry because of the security features it offers.
Of the 14 solution types Shields cited, the panelists all agreed they would prefer a single provider with a unified solution. Weatherford said he talks a lot about data, and the last thing a chief security officer needs is another platform to manage, resource and train people on.
"This is why it is really important that we look at these [referring to BlackBerry] enterprise-like solutions that address the problem more holistically," he said.
Jemmett reiterated the need for built-in security, especially given the demand for BYOD (bring your own device). Based on his experience in his industry, he said, "We need to quit BYOD and instead bring secure devices in. That is one of the biggest risks—through connecting to networks and WiFi—where data can be stolen."
Lobel, however, doesn't think there is a choice about BYOD. Still, he calls complexity "the enemy of security," and goes back to the 14 solution types. "Even the best IT people, on a bad day, trying to control that many things, over time, is going to be incredibly challenging," he said.
IT isn't alone in disliking complexity; users don't like it either. They don't want to remember lots of passwords and processes just to use their devices. This is why solutions must become more seamless.
Jemmett cites healthcare professionals, who are "brilliant" people. "The last thing they want to do is be educated about any kind of IT security. They just want to do their jobs to improve our lives. As professionals changing this industry, we need to make it simple and smart for them to have something in their hands they don't have to worry about."
Measuring and Moving On
Are there decent risk metrics available for understanding risk and weighing it against loss potential? Shields said such metrics are a good way to determine whether security spending is appropriate.
Weatherford said, "Metrics are probably one of the worst things security people do. I have tried it and have done it, but it is very hard. I do think there is going to be some movement to change that."
He has recently been working on cybersecurity in the insurance industry, and said that there is a multi-billion dollar market for cyber insurance right now. Underwriters, however, are understandably wary of writing policies without understanding the risks.
He explained, "It is one thing when you are talking about a $20 or $50 million policy. But it's a whole other thing when you are talking about a $500 million or $1 or $2 billion insurance policy. So the insurance companies are taking a much more holistic look at what the enterprise risk assessment looks like for a company. Mobile is a huge part of that."
Shields said that there is a tradeoff between user experience and security right now and asked the experts: "What does the future look like for mobile security in each of your industries?"
Jemmett: The future is making it usable for the end users, physicians and practitioners. It is actually having a ubiquitous platform so users can just log on and do their job from one type of application. Literally, one hospital I know of has 1,600 servers and 800 systems; less than 20% communicate with one another, and you have 8,000 people who work there. More than 50% are using devices. The device has to be more secure and enhanced, and we need partners to enable all the disparate systems to communicate. Right now there are about 200-300 EMR providers, but we will start to see M&A. This consolidation will be the beginning of unification of systems.
Lobel: It is obvious that the financial services industry is going to go mobile. And the focus will be on risk management, because there needs to be an infrastructure that covers every type of data and protects customers as well. It will be about the interaction with the customers' devices and verifying that the person on the other side of the transaction is actually who they say they are. That is going to be a huge challenge, and the rollout of better security tools and better security infrastructure is going to be pushed by the regulators and by the financial institutions.
Weatherford: For the energy sector, because many of the facilities are distributed in remote locations, it's about the critical infrastructures and the ability to disable a critical infrastructure via mobile activity. The security of that is obvious, and it is one of the biggest things the government is worried about now. I would not be surprised to see further regulation around some of this.
Shields concluded, "The pace of change is so fast that we have to get to some kind of unified security platform that applies risk measurement and risk management and understanding of who the user is in a uniform fashion across each of the industries. And that's going to take some time. But I think there are some good organizations that are doing it."