By Dennis Jones
What central question should you ask when orienting your company’s mobile security posture? You might be tempted to say, “Secure or not secure?” But according to a recent Cisco blog by Paul King on evaluating mobile security risk, that wouldn’t be quite right. Posing the question in that manner introduces a binary choice. By nature, any binary choice is facile and limiting. Mobile security should be complex and expansive. Moreover, ask any security official worth their salt whether the company is fully secure, and you’ll get an unqualified “no.” No company can be fully secure. And even the most confident security official won’t put his neck on the chopping block by issuing a resounding affirmative. So what should you ask in order to start a more productive conversation about mobile security?
King suggests instead asking, “Are you happy with our level of risk?” Indeed, another “yes or no,” but this question should yield a far more wide-ranging conversation. That’s because the respondent now has to evaluate how much mobile security risk the company is willing to tolerate in return for other business advantages, like increased productivity, more collaboration, greater accessibility, more flexibility, lower costs, etc.
Why the Sophie’s choice? King justly reminds us that cybersecurity threats have been rising in number and improving in sophistication. It’s a classic conundrum: hackers are agile, adaptive, and astute. They are facing off against less responsive incumbents, companies that are either under-resourced or lumbering and overly bureaucratic. King shares a telling anecdote about the companies with which he’s spoken. Companies fall into two camps: those that have been hacked and know it, and those that have been hacked and don’t yet realize it. In other words, in this cybersecurity environment, it’s impossible to ensure 100 percent security, 100 percent of the time. That is, unless you have a more or less completely closed system. But that security posture will inevitably come at the price of accessibility with external partners, flexibility for remote workers, and overall productivity for the business.
By having your security official answer whether they are happy with the present level of mobile security risk, you begin a dialogue. Your security official might say no, which shifts the conversation to what extra precautions you can take to lower mobile security risk to an acceptable point. But your security official might give you a qualified yes, which opens up space for a different type of discussion. And then, you have to weigh the value of pursuing business objectives versus the value of mitigating security risk. To that end, King provides the following questions you should be able to answer when evaluating the choice between business change and mobile security risk:
- What is the value of this change to the business?
- How does this improve the business, e.g. competitive advantage, innovation, etc.?
- What are the risks that could result from this change to the business?
- What would be the financial cost of a worst-case scenario?
- What would be the non-financial impacts?
- What is the position with respect to legislation, regulation, and brand reputation?
- If we choose not to reduce a risk, what can we do to manage it?