Mobile Security's Budget Shortfall
Sixty-four percent of companies surveyed by the Ponemon Institute do not believe they have enough budget to adequately secure mobile devices.
Recent research from Gartner shows worldwide spending on information security growing nearly 8 percent this year, reaching $71.1 billion by the end of 2014. That figure translates to an average of $381 per employee, Gartner found. The firm cites continued adoption of mobility as one of the key drivers of security budget growth.
But is spending growing quickly enough for organizations to feel they can handle the proliferation of mobile security threats? A recent Ponemon Institute report commissioned by Raytheon found that just 36 percent of IT and information security professionals believed their budgets were big enough to securely manage mobile devices.
"Sixty-four percent claim they do not currently have or even expect to have adequate budget," said Ashok Sankar, senior director of Product Strategy and Management for Raytheon Cyber Products. "This is surprising given that risks are extremely high now. If you look at the explosion of mobile malware and put it together with end-user negligence, mobile is a very weak link when it comes to your enterprise security. It's surprising people haven't put more money into it."
According to the research, the average budget that respondents consider adequate to effectively manage mobile devices is some $5.5 million annually, or $278 per managed device. (Remember the Gartner research shows that spending will hit an average of $381 per employee this year – but that is for all security, not just mobile security.)
Current budgets vary widely, ranging from $633 per device for organizations with fewer than 250 employees to $98 per device for those with more than 75,000 employees. This is probably due to economies of scale, Sankar said.
Who Is Responsible for Mobile Security?
Another potential weakness highlighted in the research, Sankar said, is the lack of single point of responsibility for mobile security. Leading a mobile security initiative is a shared responsibility in 23 percent of surveyed organizations, the Ponemon Institute found. Senior managers in lines of business lead mobile security initiatives at 22 percent of organizations, followed by chief information security officers (CISOs) at 19 percent of organizations.
The decentralized control was a surprise, given that the research found that one third of employees use mobile devices exclusively to do their work, a number that is expected to rise to 47 percent in the next 12 months, Sankar said.
Some organizations, especially those with many mobile employees, are creating mobile excellence teams that include representatives from different areas like networking, applications and risk management, he noted.
"With that many employees using their mobile devices exclusively, mobile strategy is obviously very important. So we were a bit surprised to see decentralized control in so many enterprises, or even people making their own decisions," he said. "When it comes to mobility, you are going to draw from many different areas. A mobility excellence team can reach across these organizational functions to define a cogent mobile strategy."
Other areas of interest from the research:
More mobile devices: The typical organization manages an average of almost 20,000 mobile devices, a number that is expected to reach 28,000 by the end of this year.
Productivity trumps security: Sixty-one percent of respondents said mobile devices have increased employee productivity. Unfortunately, 60 percent also reported that mobile devices have diminished employees' security practices and 52 percent said security practices were frequently sacrificed in order to improve productivity.
Not so satisfied with mobile security solutions: Mobile device management is the most frequently used method of securing mobile devices, with 46 percent of respondents saying they use MDM, followed by secure containers (42 percent). Half of respondents report they are not satisfied with the solutions currently used. A scary 30 percent said they had no mobile security features in place.
Virtualization important: While just 17 percent currently use mobile hypervisors, 57 percent of respondents believe a virtualized solution for protecting data on mobile devices is important.
Shift in mobile app development: Sixty-seven percent of respondents said they primarily use Web-based apps to deliver content to mobile devices. Native apps, which are considered more secure because they connect less frequently to networks than Web apps, are also used by 39 percent of respondents. But Sankar said there is a shift toward native apps.
"The Web apps that are being optimized for mobile devices in many cases are falling short. I think a lot of companies are beginning to say, 'If I have an app that will really impact my company's business, then I am going to have to develop native apps to take advantage of all of the capabilities of these devices ,'" he said.
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.
By Paul Rubens
October 17, 2014
While mobile device management is often found at companies with big workforces, it can also help small companies with their mobile initiatives.