"When it's not usable, users make stupid decisions." With that statement, Janne Uusilehto, head of Nokia product security, pretty much summed up the most critical part of mobile security implementations: if users don't use it, mobile security doesn't work.
Uusilehto's remarks were part of a great panel at the RSA Conference in San Francisco this week, where big-company security executives talked about the state of mobile security. Though there were plenty of in-the-weeds discussions about topics like web apps versus sandboxed apps, and the ability to secure devices at a hardware level, the single point of agreement among the panelists revolved around the user experience -- and how CIOs and others might make security measures easy enough to ensure they get used.
"As much as we try to give them [users] the safe thing to do, if there's a cool new app out there, I know my data's in that app," said Dave Martin, vice president and chief security officer for EMC, when asked what keeps him awake at night. The rapid pace of innovation on the device and consumer app front, Martin said, means that folks trying to secure those products and services "are never going to be able to catch up."
Maybe the most informative takeaway I had was that even though the security officers at big companies have plenty of power, they all seemed more concerned about preserving the user experience than shutting down functionality in the name of security. There were some exceptions, of course, like the government representative who joked that his agency's BYOD policy consisted of a lockbox at the front door of headquarters, where employees could "bring their devices" and leave them there.
For the enterprise security officers, though, the functionality of the new class of mobile devices and apps is already seen as being extremely important to their companies' business, and they said their objective is to make security measures as easy as possible to use. Right now, that means a lot of trial and error and sound judgements, the kinds of things that smart CIOs use to enhance their corporate standing.
When it comes to mobile security, "we're learning and iterating," said Malcolm Harkins, vice president and chief information security officer at chipmaker Intel. "We're seeing how people use [mobile devices] and understanding the user models and shaping the paths to manage risks," said Harkins, who expects his company to reach a 70 percent BYOD figure sometime soon. Some of the security measures, he said, start with having to "put a stake in the ground and see what the reactions are."
Sounds reasonable, and a measured approach. Keeping the user experience front and center is probably the best way to ensure that fewer stupid things happen.