Security professionals are well aware of the dangers to a company's bottom line caused by the loss of a laptop, smart phone or other mobile device. What corporate secrets are now available to intruders? How will the leakage of corporate assets or confidential customer data affect the company's reputation, never mind the costs incurred from meeting regulatory demands committing the organization to contact everyone affected?
Persuading those in control of the corporate purse strings of the necessity of having tools and strategies in place to guard against such a scenario is no easy task, particularly in these slow economic times when budget dollars are hard to come by.
To learn about the options you have when it comes to safeguarding your mobile networks, you can hear from a panel of experts during SC Magazine's all-day eConference: Mobile Security on June 16. Recently, Illena Armstrong, editor-in-chief of SC Magazine, spoke with Craig Lucca, manager, security administration and management, Bloomberg, who will be the keynote speaker at the eConference: Mobile Security on June 16.
Illena Armstrong: During your keynote address for our upcoming eConference: Mobile Security, we plan on asking the following polling question to our audience: “What is your biggest concern regarding mobile devices?” Attendees will be able to pick either data loss, litigation/discovery issues, productivity or configuration management. Which of these is most concerning to you and why?
Craig Lucca: While all of these are concerns, I have to say that data loss tops my list. Data loss events, especially ones which require an organization to notify the public, are expensive. Financial costs -- along with reputation damage -- can potentially destroy an organization.
IA: There are so many security risks related to mobile security devices. What are some basic steps that can help organizations mitigate against these?
CL: First, visibility. You have to know what your exposure points are. Laptops, mobile smart phones, peripheral devices such as USB thumb drives. Each has different vectors for exposing your data. If you don't know what you have, you can't design an effective method to protect your organization. And, second, policy. You need good policies to lay the groundwork for designing your controls in order to address the threat vectors associated with your exposure points. This means standards for encryption, authorized devices and authorized use.
IA: We're all facing a pretty tight economic year, it seems. For those information security pros who are seeing flatlining budgets, what would you recommend that they do to ensure that their mobile device network and the access it allows to the overall infrastructure is best protected?
CL: You have to position security as an enabler to the business. If there is a perceived value in mobile productivity, your job is to enable the business to do so in a secure manner. Unfortunately, too many professionals don't do a good job of building a relationship with the business. If senior management didn't see you as valuable before the budget crunch, it may be even harder to do it now.
IA: When it comes to budget, getting necessary dollars is difficult even when it's not a tough economic climate. What have you found really works in ensuring you get the support and resources you need from the boss?
CL: You have to know how to talk to management. A long time ago, someone told me you need to put your argument in terms that the stakeholder can understand. CEOs, CFOs and the like generally don't understand one type of encryption over another. What they do understand is the bottom line. If you have regulatory requirements for encryption, showing how failure to comply could result in substantial fines will get their attention. Also, team up with someone in your marketing department who can help you value the cost of the company's reputation. If you can demonstrate how a data loss event could cost your company significant dollars in reputation damage, you'll have their attention as well.