Considerations

What to think about when developing your device security strategy

Consideration

The process for developing a device security strategy

Organizations should follow this process when considering improving their device security strategies:

Assess your current state
Develop your device strategy
Define your policies and controls
Roll out a plan to deploy your policy

Consideration

Assess your current state

To determine where they want to go, organizations must first assess where they are. To do a current state assessment, the project team must conduct an inventory of devices currently deployed.

Device inventory is not an easy feat, especially when it comes to selecting tools, allocating resources, and defining processes. In a Gartner report it is stated that, “Many IT organizations already have standard practices for approving new laptops, tablets, and smartphones used for worker productivity. This practice doesn’t often extend past these standard endpoints into the world of IoT.”ⁱⁱ Additionally, bring your own device (BYOD) is becoming more and more common, and organizations need to build out strategies to address it.

Finance, operations, and security teams will have different versions of asset data. These groups should work together to establish a single pane of glass to maintain visibility into devices connecting and disconnecting from the network. Additionally, asset management and security teams should collaborate using clear roles and responsibilities. This reduces the amount of duplicated work, enables productivity, and removes any conflict between the teams.

Consideration

Develop your device strategy

Organizations should identify their top device policy goals based on where they want to be in the next three to five years. Due to the ubiquity of varying types of devices, organizations should first define use cases and user personas, rather than trying to anticipate every kind of device. This should include classifying users according to their device needs, eliminating inefficiencies to reduce costs, and considering the traits of specific users. Foreword-thinking policies should include both corporate and personal devices to prepare for a future of device agnosticism.

Security teams should account for the needs of each department and work with the business to balance risk tolerance with end-user productivity.

Consideration

Define your policies and controls

Comprehensive policies should address corporate devices, guest devices, trusted or known IoT devices, and untrusted or unknown devices. Security and business leaders should define these policies based on best practice frameworks, taking into account the organization’s risk tolerance.

Many businesses are still relying on “hunches” about risk, often with qualitative rankings such as “high, medium, or low.” Leadership should develop a quantitative risk model, which can allow for better security initiative planning, prioritization, and budgeting. Only with a regular dynamic view into risk can a company confidently say that it is providing the necessary level of security.

For end-user devices, a mix of corporate-issued devices and BYOD can allow organizations to focus on security for users accessing sensitive information, offer choices to those who will benefit most from it, and save money with users that only require basic applications. Organizations should also implement an Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) platform to serve as their primary defense against security threats arising from mobilization.

Consideration

Roll out your plan to deploy your policy

Without effective communication, the project will go off the rails. IT and security leaders should effectively communicate the policy by outlining, in explicit detail, what the expectations are while using devices within the company’s environment. Security teams should also regularly notify end users of additional policy changes and take the time to explain why they are necessary. End users will always push back against policy restrictions but will be more understanding when given advance notice and clear a rationale.

Implementing an application review process where end users can submit requests for new applications can also aid in reducing end user friction. This gives users a voice in adopting tools so they can conduct their jobs more efficiently. Providing clear explanations and letting the users be involved in this process makes them feel like they have a say-so in how they conduct their work.

After you have deployed your policy and controls, consider measuring the effectiveness of them to identify any gaps or weaknesses that should be improved upon. Regular reviews and updates are critical for ensuring digital agility.

¹Not tied to a particular
device’s requirements