Top 5 MDM Must-Do Items
Whether mobility is a problem or an opportunity depends not on software but on your policies.
I delivered a keynote last week on risk management. More than 300 CISOs attended this conference, and the major topic of discussion was still mobile security and mobile device management. I say "still" because that's been the case at every speech I've given this year. During the Q&A session, one questioner expressed his opinion that the MDM field is growing fast, with 20-plus vendors offering a flood of technologies—all of which seem to do the same thing, albeit in slightly different ways.
I understand his frustration, and I will most likely get hate email for saying this, but he's right. MDM technology is all pretty much the same; maybe 10% of features are unique, usually around self-registration capabilities and enhanced encryption. And I don't see that changing, even though Google and IBM got in the game this week, each announcing it will have an MDM product available soon.
So assuming it doesn't much matter which MDM vendor you partner with, what does determine your mobile device management project's success? It's all about planning, process, and policy enforcement, and there are five critical factors here.
1. Establish a mobility council. The best mobile device management projects have limited IT involvement. Establish a mobility council made up of an odd number of people from a bunch of areas of the business, and with only one person representing IT. Have this council provide input on policies, applications, and processes, and have each member spread the message from the top down. IT's role? Translate the MDM technology speak into understandable business terms. Never say, "We can't do that." Say you'll find a way to minimize risk without curtailing opportunity. Then do it.
2. Decide who is paying for the MDM software. Most organizations I work with that are allowing use of personal mobile devices ("bring your own device," or BYOD) are charging the per-year cost of the MDM user license back to the business unit, or even the employee. This approach can lower costs overall, because the business will think about who needs this capability, and eliminate a lot of the hit on IT's budget. Make sure the organization is ready for this type of chargeback system, though. If not, it will cause a whole lot of pain. Many smaller business units won't be happy about having to pay for something that used to be "free." It's the role of the mobility council to explain your reasoning.
3. Define how new devices will be registered. Does the MDM software provide a self-service registration option, or will IT need to be involved? This is an area of some differentiation, so ask vendors about the process required and whether you can automate, combine steps, or otherwise reduce the time and effort to register devices within the MDM software. An enrollment process that is slow, complex, or otherwise painful will cause users to push back against loading the MDM client on their devices. This step is so important that it could literally make or break your mobility plans. To ensure success, use mobility council members as beta testers, making sure you include both technical and nontechnical users. Ask for blunt feedback.
4. Document the device replacement/repair process. We've discussed how the wireless store is one of your biggest mobile threats. If you're not implementing BYOD, keep hot spares in the office. If you are implementing BYOD, make sure remote employees are authorized and informed before they bring a used-for-work device in for replacement. This is a major issue for many organizations, as most users are accustomed to just stopping by an AT&T store and replacing a phone. Without a process, your sensitive corporate data just went into a bin in the carrier's back room.
5. Work out how you will handle encryption. Do you require encryption of data on mobile devices for compliance or regulatory reasons? Some MDM systems can provide this capability, as we discuss in our MDM Buyer's Guide, or enhance the native encryption on a phone, but make sure you have a policy that aligns with regulations before you go off and implement encryption on employee devices. Also, many times the use of encryption means employees must adjust the applications they use; for example, they may need a new email app. If so, ensure that you've had mobility council members or IT test the app and that you have new procedures documented and available to users. You don't want the help desk to get bogged down teaching people how to use their calendars or add attachments to a message.
MDM technology may lack differentiation, but it can work, if the IT team doesn't end up alienating users and motivating them to bypass your controls.