The lack of a consistent inventory of mobile devices within sensitive facilities can cause problems as well. We found one instance in which a 4G data stick was installed by a cleaning crew in the back of a computer sitting at the desk of the CEO's administrative assistant. It would burst out data at 2:00 am. Finding those types of unauthorized devices is very difficult without some pretty sophisticated equipment and operational discipline.
The greatest challenge, though, will be the continued innovation in the consumer mobile device market. CIOs have proven that they are not good at helping mobile technology companies innovate. The checks that many CIOs cut to RIM/BlackBerry resulted in a 5-year lag in enterprise mobility compared to consumer mobility. The stock market has very obviously told mobile technology companies that enterprise-grade mobile security just doesn't matter. When a company like Apple, with a disastrous record of security problems and a complete inability to integrate with security tools, has such market cachet that it can continue to dominate sales and draw in enterprise customers, things are going to end badly. The Android ecosystem's fragmentation will be its demise when it comes to security. BlackBerry 10 is probably the greatest evidence of how far we've fallen from a mobile security perspective.
Compensating controls will be the norm for enterprises, because the mobile system owners & OEMs are not providing the solutions we need. So, for the next few years, enterprises will have to deploy a host of tools to compensate for the lack of security on consumer mobile devices. I see some organizations moving to bring-your-own-device or BYOD practices and justifying the policy because of a supposed cost savings. Once all of the tools are purchased and implemented to properly manage BYOD with all of the risk management controls, I have yet to see an organization actually save money and time with BYOD in the long run.