Top 5 MDM Must-Do Items

Whether mobility is a problem or an opportunity depends not on software but on your policies.

Michael A. Davis, CTO of CounterTack

November 15, 2011

4 Min Read
InformationWeek logo in a gray background | InformationWeek

I delivered a keynote last week on risk management. More than 300 CISOs attended this conference, and the major topic of discussion was still mobile security and mobile device management. I say "still" because that's been the case at every speech I've given this year. During the Q&A session, one questioner expressed his opinion that the MDM field is growing fast, with 20-plus vendors offering a flood of technologies—all of which seem to do the same thing, albeit in slightly different ways.

I understand his frustration, and I will most likely get hate email for saying this, but he's right. MDM technology is all pretty much the same; maybe 10% of features are unique, usually around self-registration capabilities and enhanced encryption. And I don't see that changing, even though Google and IBM got in the game this week, each announcing it will have an MDM product available soon.

So assuming it doesn't much matter which MDM vendor you partner with, what does determine your mobile device management project's success? It's all about planning, process, and policy enforcement, and there are five critical factors here.

1. Establish a mobility council. The best mobile device management projects have limited IT involvement. Establish a mobility council made up of an odd number of people from a bunch of areas of the business, and with only one person representing IT. Have this council provide input on policies, applications, and processes, and have each member spread the message from the top down. IT's role? Translate the MDM technology speak into understandable business terms. Never say, "We can't do that." Say you'll find a way to minimize risk without curtailing opportunity. Then do it.

2. Decide who is paying for the MDM software. Most organizations I work with that are allowing use of personal mobile devices ("bring your own device," or BYOD) are charging the per-year cost of the MDM user license back to the business unit, or even the employee. This approach can lower costs overall, because the business will think about who needs this capability, and eliminate a lot of the hit on IT's budget. Make sure the organization is ready for this type of chargeback system, though. If not, it will cause a whole lot of pain. Many smaller business units won't be happy about having to pay for something that used to be "free." It's the role of the mobility council to explain your reasoning.

3. Define how new devices will be registered. Does the MDM software provide a self-service registration option, or will IT need to be involved? This is an area of some differentiation, so ask vendors about the process required and whether you can automate, combine steps, or otherwise reduce the time and effort to register devices within the MDM software. An enrollment process that is slow, complex, or otherwise painful will cause users to push back against loading the MDM client on their devices. This step is so important that failing at it could literally make or break your mobility plans. To ensure success, use mobility council members as beta testers, ensuring that you get technical and nontechnical users. Ask for blunt feedback.

4. Document the device replacement/repair process. We've discussed how the wireless store is one of your biggest mobile threats. If you're not implementing BYOD, keep hot spares in the office. If you are implementing BYOD, make sure remote employees are authorized and informed before they bring a used-for-work device in for replacement. This is a major issue for many organizations, as most users are accustomed to just stopping by an AT&T store and replacing a phone. Without a process, your sensitive corporate data just went into a bin in the carrier's back room.

5. Work out how you will handle encryption. Do you require encryption of data on mobile devices for compliance or regulatory reasons? Some MDM systems can provide this capability, as we discuss in our MDM Buyer's Guide, or enhance the native encryption on a phone, but make sure you have a policy that aligns with regulations before you go off and implement encryption on employee devices. Also, many times the use of encryption means employees must adjust the applications they use; for example, they may need a new email app. If so, ensure that you've had mobility council members or IT test the app and that you have new procedures documented and available to users. You don't want the help desk to get bogged down teaching people how to use their calendars or add attachments to a message.

MDM technology may lack differentiation, but it can work--if the IT team doesn't end up alienating users and motivating them to bypass your controls.

Read our report, State Of The IT Service Desk: Change Management Remains Key. Download the report now. (Free registration required.)

About the Author

Michael A. Davis

CTO of CounterTack

Michael A. Davis has been privileged to help shape and educate the globalcommunity on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of entrepreneurship earned him a spot on BusinessWeek's "Top 25 Under 25"
list, recognizing his launch of IT security consulting firm Savid Technologies, one of the fastest-growing companies of its decade. He has a passion for educating others and, as a contributing author for the *Hacking Exposed* books, has become a keynote speaker at dozens of conferences and symposiums worldwide.

Davis serves as CTO of CounterTack, provider of an endpoint security platform delivering real-time cyberthreat detection and forensics. He joined the company because he recognized that the battle is moving to the endpoint and that conventional IT security technologies can't protect enterprises. Rather, he saw a need to deliver to the community continuous attack monitoring backed by automated threat analysis.

Davis brings a solid background in IT threat assessment and protection to his latest posting, having been Senior Manager Global Threats for McAfee prior to launching Savid, which was acquired by External IT. Aside from his work advancing cybersecurity, Davis writes for industry publications including InformationWeek and Dark Reading. Additionally, he has been a partner in a number of diverse entrepreneurial startups; held a leadership position at 3Com; managed two Internet service providers; and recently served as President/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights