Mobile Device Management and Security Trends

Market Research Study Mo Mobile Device Management

and Security Trends

By Jon Oltsik

January, 2010 © 2010, Enterprise Strategy Group, Inc. All Rights Reserved

ESG Market Research Study: Mobile Device Management and Security Trends 2

© 2010, Enterprise Strategy Group, Inc. All Rights Reserved.

Contents

Executive Summary ...................................................................................................................................... 3 Summary of Report Conclusions .............................................................................................................................. 3

Mobile Device Use and Value ....................................................................................................................... 4

Mobile Device Management and Operations .............................................................................................. 7 Security and Management Challenges ..................................................................................................................... 8

Analysis and Recommendations ................................................................................................................. 11 Enter Symantec ....................................................................................................................................................... 14

The Bigger Truth ......................................................................................................................................... 14

Research Methodology ............................................................................................................................... 15

Respondent Demographics......................................................................................................................... 16 Respondents by Number of Employees ................................................................................................................. 16 Respondents by Role .............................................................................................................................................. 17 Respondents by Industry ........................................................................................................................................ 17 Respondents by Annual Revenue ........................................................................................................................... 18

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188. This ESG White Paper was developed with the assistance and funding of Symantec.



Executive Summary

Summary of Report Conclusions

In October 2009, the Enterprise Strategy Group (ESG) conducted a comprehensive web-based survey of 174 North American security professionals from enterprise-class organizations (defined as those with 1,000 or more employees) responsible for mobile device management and security. Respondents came from over 20 industries in the public and private sectors.

Based upon this research, ESG concludes that mobile devices:

Continue to gain popularity in the enterprise. At least 50% of employees use mobile devices for work at nearly half of all large organizations. Furthermore, mobile device spending is growing significantly at 37% of enterprises. While e-mail remains the primary mobile application, more than one-third of organizations already use mobile devices for custom applications, industry applications, and core business applications.

Have become business critical. Mobile devices have matured beyond early industry hype. An astonishing 86% of large organizations believe that mobile devices are either “critical” or “important” for business processes and productivity.

Access and store confidential data. Employees with mobile devices can access, receive, and store company confidential data, customer data, regulated data, and intellectual property at more than one-third of large organizations. This further complicates data security and regulatory compliance efforts.

Have become increasingly difficult to manage, support, and secure. Not surprisingly, many enterprises are finding it difficult to cope in areas such as mobile device management, user support, and security. Some organizations are instituting formal mobile devices policies and are beginning to manage mobile devices with the same staff and processes as laptop and desktop computers. Additionally, 80% of large organizations believe that it is “critical” or “important” to have an integrated management and security solution for mobile devices.

The data presented in this report paints a familiar picture for IT professionals. Mobile devices have quickly evolved from personal cellular phones to critical business equipment. Device population and functionality have grown, making mobile devices even more useful. Based upon this growth, existing, limited IT skills and ad-hoc management processes are no longer adequate. At the same time, device and data security have become a growing concern—one lost Windows CE device could lead to a regulatory compliance breach and millions of dollars in unforeseen costs.

This report articulates the need for a more formal, process-oriented approach toward mobile device management and security. Large organizations need to implement best practices for device procurement, configuration, and user support. Applications must be tailored to mobile users. Security controls must be adapted in order to protect the data on mobile devices while recognizing them as a growing threat vector.

Based upon the data presented herein, mobile devices have clearly demonstrated superb ROI but management costs are rising along with security risks. Maximizing mobile device benefits in the future must be supported by strong management and security processes, controls, skills, and tools.



Mobile Device Use and Value

ESG’s data clearly indicates that mobile devices have become commonplace. In 44% of the enterprise organizations surveyed, at least half of all employees use their mobile devices for work. Additionally, more than 75% of employees use their mobile devices for work at nearly one-fifth of all large organizations (see Figure 1).

Figure 1. Most Employees Use Mobile Devices for Work at Large Organizations

Source: Enterprise Strategy Group, 2010.

Aside from daily usage, large organizations are also spending more budget dollars on mobile devices themselves as well as the people, processes, and technologies used to manage, support, and secure them. A wide majority of enterprises (82%) claim that mobile device spending is increasing while 37% of all large organizations say that mobile device spending is growing significantly (see Figure 2).

100%, 2%

75% to 99%, 18%

50% to 74%, 26%

25% to 49%, 30%

Less than 25%, 22%

Don’t know, 1%

Approximately what percentage of your organization’s total employees currently use a mobile device for work on a daily

basis? (Percent of respondents, N=174)



Figure 2. Enterprise Spending on Mobile Devices


How are mobile devices being used? E-mail remains the most popular application, but 63% of large organizations provide access to internal networks and portals via mobile devices. What’s more, 30% of enterprises are also offer CRM, core business applications, location-based applications, industry applications, and custom applications via mobile devices (see Figure 3). Beyond applications, employees can also access an assortment of data from their mobile devices and some of this data is classified as confidential and/or private. More than one-third of respondents say that employees using mobile devices can access, receive, and/or store company confidential data, customer data, regulated data, and intellectual property (see Figure 4).

Figure 3. Mobile Device Application Support


Mobile device spending is growing

significantly, 37%

Mobile device spending is growing

moderately, 45%

Mobile device spending is generally

flat, 14%

Mobile device spending is

decreasing, 3%

Don’t know / unsure, 1%

How would you characterize the general trend with respect to your organization’s annual spending on mobile devices (i.e. for devices and other organizational

and/orsupporting technology costs)? (Percent of respondents, N=174)

27%

30%

31%

31%

36%

39%

63%

89%

24%

24%

25%

32%

31%

30%

18%

3%

21%

23%

24%

18%

18%

17%

13%

5%

19%

13%

14%

15%

10%

9%

4%

3%

9%

10%

6%

5%

5%

5%

2%

1%

0% 20% 40% 60% 80% 100%

Inventory applications

CRM (Customer Relationship Management) / Sales Force Automation (SFA)

Core business applications (ERP, HR, etc.)

Location-based applications

Industry-specific applications

Custom applications

Intranet access (requires authentication)

E-mail

Please indicate if your organization currently uses or plans to use the following applications on mobile devices? (Percent of respondents, N=174)

Already deployed Plan to deploy within 24 months No plans but interested

No plans or interest at this time Don’t know / not applicable



Figure 4. Confidential Data Entitlements Using Mobile Devices


In summary, mobile devices are now used by more employees for more types of applications and for access to more types of data—including confidential data—then ever before. This will only continue. Little wonder, then, that 38% of respondents said that mobile devices were “critical” to their organization’s business processes and productivity while another 48% said that mobile devices were “important” to their organizations business processes and productivity. With the advent of new mobile applications and additional mobile broadband capacity and proliferation, it is safe to say that mobile devices will play a crucial role in future business processes at large organizations.

16%

28%

35%

36%

38%

40%

0% 10% 20% 30% 40% 50%

None of the above

Administrator access to internal IT systems and assets

Intellectual property

Regulated data (i.e., data subject to security and privacy regulations)

Customer data (i.e., financial data, personally-identifiable information, etc.)

Company confidential data

In your organization, can an employee access, receive, or store any of the following on their mobile device? (Percent of respondents, N=174, multiple

responses accepted)



Mobile Device Management and Operations

The onslaught of mobile devices at large organization places an added burden on IT. According to ESG’s research data, new tasks associated with mobile device procurement, management, and support are spread throughout the IT organization (see Figure 5). This makes sense, since mobile devices are used to access a multitude of network applications from remote locations. But just what are these people doing? Offering an assortment of support services. Help desk services are most common, but more than 50% of enterprises also offer services for security and configuration management while nearly half of organizations also help employees with training, data backup, and purchasing (see Figure 6).

Figure 5. Mobile Device Support Includes Various IT Groups


18%

21%

25%

26%

30%

37%

40%

44%

0% 10% 20% 30% 40% 50%

Security group

Desktop/endpoint administrators

A dedicated mobile device support group

Network administrators

Telecom staff/administrators

General IT staff

Help desk

IT operations

Which of the following individuals or functional groups have primary responsibility for mobile device support services in your organization? (Percent

of respondents, N=174, multiple responses accepted)



Figure 6. Mobile Device Support Services Provided at Large Organizations


Security and Management Challenges

With so many new and disparate mobile devices literally “walking in the door,” it is not surprising that many enterprises are having difficulty with device management and security. As with devices such as PCs, thumb drives, and wireless access points in the past, mobile device management and security starts casually, really as more of a courtesy to employees than anything else. Over time as the technology proliferates, IT moves from ad-hoc informal processes to more structured management, security policies, and controls. This evolution is illustrated in Figure 7. Large organizations are almost evenly divided: just under one-third continue to manage and secure mobile devices using ad-hoc unstructured policies, procedures, and strategies; one-third are moving from ad-hoc to a more formal strategy; and just over one-third have already standardized on documented management and security policies, procedures, and strategies for mobile devices (see Figure 7). This data can be seen as a maturity curve with enterprises progressing clockwise from makeshift to structured management and security. The crucial factor here is whether large organizations move through this cycle fast enough to stay ahead of the problems associated with mobile device sprawl.

3%

39%

40%

45%

47%

48%

55%

57%

71%

0% 10% 20% 30% 40% 50% 60% 70% 80%

We have no formal mobile support but provide “best effort” services

Loss/theft protection

Break/fix

Purchasing services

Data back-up

End-user training

Configuration services

Security services

Help desk services

What type(s) of formal mobile device support services does your IT organization currently offer employees? (Percent of respondents, N=174,

multiple responses accepted)



Figure 7. Mobile Device Management and Security Maturity Varies


In terms of specific challenges, four issues stand out: device security, keeping up with changing technology, end-user compliance issues, and managing end-user expectations (see Figure 8). Given the amount of confidential data accessible on mobile devices, it is not surprising that device security is a high priority. ESG believes that the other three issues really center on device and user management. Devices must be provisioned and configured correctly and then maintained on a regular basis. User devices must be well supported with change management and remote device support. Finally, user training must be combined with monitoring and enforcement to assure ongoing policy compliance. All of these challenges must be addressed in order to achieve enterprise goals for strong security AND tight management controls.

Mobile devices are managed and

secured on an ad-hoc basis with little

formal policies, procedures, or strategy, 28%

Mobile devices were historically

managed and secured on an ad-hoc basis but our

organization is moving to a more formal strategy,

33%

Our organization has formal, well-

documented policies,

procedures, and strategy for

managing and securing mobile

devices, 38%

Don’t know, 1%

Which of the following statements best describes your organization’s overall mobile device management and security strategy? (Percent of

respondents, N=174)



Figure 8. Mobile Device Challenges


As far as explicit security safeguards, large organizations seem to believe that it is most important to protect against data breaches and malicious attacks against mobile devices. Once this is done, the data suggests that many enterprises will want strong device management such as configuration, asset, and backup management as well as device monitoring and software distribution (see Figure 9).

10%

16%

17%

17%

20%

20%

36%

37%

39%

41%

0% 10% 20% 30% 40% 50%

Determining which IT groups “owns” mobile device management

Lack of management and operations tools for mobile devices

Lack of technical knowledge/skills within IT

Lack of formal policies and procedures for mobile device management

Managing a variety of disparate devices

Lack of end-user training

Managing end-user expectations

End-users do not comply with organizational usage policies

Keeping up with changing technology

Device security

Which of the following would you consider to be the biggest mobile device challenges in your organization? (Percent of respondents, N=174, multiple

responses accepted)



Figure 9. Mobile Device Security and Management Priorities


Analysis and Recommendations

ESG’s data reads like a typical IT story. A niche technology arrives, gets a bit of use, and then through a combination of Moore’s law, application support, and decreasing prices, it progresses from niche to mainstream. IT has seen this with PCs, portable storage devices, and wireless access points, but mobile device proliferation and business value may trump anything that has come before it.

Clearly, the hype around mobile devices is over: large companies are investing in new devices, adding new application access, and developing custom applications specifically for mobile usage. Given this increasing business-focused role, IT must support these devices with enterprise-class security and management. Provisioning, configuring, and securing a mobile device must be measured against the same processes for laptop computers and any gaps must be addressed quickly. Like any other enterprise IT system, mobile devices must be treated as

20%

21%

23%

24%

25%

26%

27%

30%

39%

40%

43%

44%

45%

46%

48%

51%

44%

49%

47%

41%

45%

47%

45%

47%

42%

43%

39%

41%

37%

41%

37%

34%

25%

21%

24%

26%

23%

20%

24%

17%

13%

12%

14%

13%

13%

11%

11%

11%

8%

6%

6%

6%

5%

5%

4%

4%

4%

5%

4%

1%

3%

1%

3%

3%

3%

3%

1%

3%

2%

2%

1%

2%

2%

1%

1%

1%

1%

1%

0% 20% 40% 60% 80% 100%

Application whitelisting and blacklisting

Integration with compliance management systems

Remote control

Software distribution

Integration with existing asset management systems

Integration with device monitoring systems

Integration with existing backup systems for data protection

Integration with existing systems management solutions

VPN

Device wiping

Data Loss Prevention or Enterprise Rights Management

Device locking

Antivirus/antispam

Strong authentication

Device firewall

Device encryption

How would you rate the importance of the following features and/or capabilities when it comes to evaluating, selecting, and implementing mobile security and

management technology solutions? (Percent of respondents, N=174)

Very Important Important Not very important Not at all important Don’t know



valuable IT assets and thus be managed with documented processes, tight controls, and clear metrics in order to establish a baseline and measure variability.

To achieve these goals, CIOs must inject themselves into mobile device management, security, and business usage as soon as possible. ESG recommends that IT executives:

Assess current endpoint practices. Before moving on to mobile devices, it is important to establish a baseline of existing policies, procedures, and technology tools. Is data regularly discovered and classified? Do users and IT operations people understand policies and security risks? How long does it take to provision a laptop? How much does a help desk call cost? The point here is simple: find out what is broken first before exacerbating problems with an army of mobile devices. This upfront work will save a lot of money and reduce support headaches down the line.

Address specific needs for mobile devices. ESG believes that Figure 9 can be used as guideline for mobile devices security and management priorities.

1. Address mobile data security. Since users can access and store this data from local devices, it must be protected. ESG suggests that large organizations review and update data privacy policies to include mobile devices; train users on policies, security threats, and penalties; and lock-down devices with strong authentication, DLP/eRM capabilities, data encryption, and device/user behavior monitoring.

a) Address device security. Since these devices will access corporate networks, they should be treated as a potential threat vector. ESG recommends that enterprises configure devices for security, apply patches in a timely fashion, train users on risky behavior and social engineering attacks, and install endpoint security that includes antivirus, firewall, web threat protection, and application white listing.

2. Establish good procedures and tools for device management. This includes IT best practice frameworks like ITIL, COBIT, and NIST-800. It also means good management tools for device procurement, configuration, change management, remote support, and retirement.

Align mobile device and PC management and security processes and organizations. Mobile devices must be considered “endpoints” just like PCs and laptops. As such, the same group(s) responsible for PC and laptop management and security should be give similar responsibilities for mobile devices. While Figure 5 suggests that lots of groups are part of the mobile device process, most companies are already consolidating mobile device and PC/laptop support (see Figure 10). This is the right direction.

Look for integrated mobile device management and security tools. As with every “new” IT technology, a number of venture-backed startups are emerging with products centered on mobile device management and security. These firms claim that mobile devices somehow differ from others in IT and thus need their own management and security processes and tools. Yes, this has a hint of truth, but history presents lots of similar examples that evolved from the IT fringes. Given this, ESG believes that implanting separate mobile device processes and tools would be a mistake. Rather, savvy IT managers will leverage and extend what they already have in place to meet the idiosyncrasies of mobile devices. Again, large organizations share this opinion as security professionals believe it is “critical” or “important” to have integrated security and management solutions for mobile devices (see Figure 11).

Think “lifecycle management.” Closely related to the points above, large organizations should think of mobile device lifecycles from procurement and provisioning to retirement. In between birth and death, there will be constant requirements for device management to ensure that devices and users are productive, up-to-date, high performing, and safe. It is important to think through all requirements and risks up front in order to cover all lifecycle needs cohesively.



Figure 10. Mobile Device Security and Management Aligns with PC/laptop Security and Management Groups


Figure 11. Mobile Device Security and Management Aligns with PC/laptop Security and Management Groups


Yes, both mobile device and

desktop/laptop PC security are

managed by the same group(s),

70%

No, mobile device and

desktop/laptop PC security are managed by

different groups, 25%

Mobile device and desktop/laptop PC

security are managed by

different groups today but we are

planning to integrate those groups into one organization, 2%

Don’t know, 2%

In your organization, are mobile device security tasks performed by the same group(s) that oversee desktop/laptop PC security? (Percent of

respondents, N=174)

Critical, 28%

Important, 52%

Somewhat important, 15%

Not that important, 2%

Not at all important, 1% Don’t know, 2%

How important is it to your organization to have an integrated management and security solution for mobile devices (i.e., common management, command and

control, and reporting for mobile device security and other administrative tasks)? (Percent of respondents, N=174)



Enter Symantec

ESG’s data indicates three distinct mobile device management and security trends:

1. Data and device security are the highest priority, but large organizations also want common policies, processes, and tools for device management over time.

2. Enterprises believe that common mobile device management and security tools are extremely important. This is probably driven by a desire to streamline operations and lower costs while minimizing risk.

3. Large organizations want to treat mobile devices as endpoints. In other words, enterprises want to manage and secure mobile devices with the same resources and methodologies used for PCs and laptops.

Addressing requirements like these for a dynamic technology category like mobile devices will not be easy, but there are vendors, like Symantec, that can help. Symantec is a good match for large organizations because its mobile device management and security strategy:

Follows a lifecycle model. Symantec designs its products to align with four phases of the mobile device lifecycle: provisioning, management, security, and retirement. This provides “cradle-to-grave” protection while allowing for deployment flexibility. For example, many survey respondents indicated that their short-term priority was on securing mobile data and devices. In these instances, IT managers can begin by deploying Symantec Endpoint Protection Mobile Edition or Symantec Network Access Control Mobile Edition first and then follow up with Symantec Mobile Management later.

Provides tight integration. Enterprises stressed the need for integrated mobile management and security tools. This aligns with Symantec’s product strategy. What’s more, Symantec does not advocate or sell “all-or-nothing” complex product suites but rather offers modular integrated solutions for management and security. In this way, IT managers have flexibility for deployment as they can implement a single Symantec product to “start slow and grow” over time.

Aligns with Symantec PC/laptop portfolio. Symantec’s mobile device security and management products are built on top of industry leading products like Symantec Endpoint Protection, Symantec DLP (formerly Vontu), and Symantec Endpoint Management (formerly Altiris). This enables large organizations to achieve their objective of managing mobile devices, PCs, and laptops as endpoints with common processes and tools.

Symantec often stresses that, “a well managed endpoint is a secure endpoint.” Clearly, its product design, functionality, integration, and roadmap all adhere to this philosophy. This makes Symantec one of few vendors capable of turning chaotic mobile device into a well managed, secure, and valuable business tools.

The Bigger Truth

ESG believes that the data presented in this report describes a technology at a crossroad. Mobile devices are gaining popularity and are seen as a valuable business technology. At the same time, large organizations are starting to buckle under the weight of managing and securing a new army of mobile devices. Mobile device value, then, is a function of future management and security strategies. If management and security strategies are well executed, mobile device value will continue to grow. If management and security strategies are poorly executed however, business value will be compromised by complex operations, high costs, and security breaches.

ESG sees little choice here: CIOs must formalize the management and security of mobile devices with enterprise-class policies, processes, and tools as soon as possible. How? ESG’s data suggests the need to prioritize security, phase in management, choose integrated management and security tools, and lean on existing best practices for PC and laptop management and security. Working with established vendors like Symantec that align with these requirements could certainly help IT executives accomplish their objectives.



Research Methodology

To gather data for this report, ESG conducted a comprehensive online survey of IT and information security professionals from private- and public- sector organizations in North America during October 2009. To qualify for this survey, respondents were required to be responsible and/or familiar with the policies, procedures, and technologies their organization used to manage and secure mobile devices.

All respondents were provided with an incentive to complete the survey in the form of cash awards and/or cash equivalents.

After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on a number of criteria) for data integrity, ESG was left with a total sample of 174 IT and information security professionals.

Please see the Respondent Demographics section of this report for more information on these respondents.

Note: Totals in figures throughout this report may not add up to 100% due to rounding.



Respondent Demographics

The quantitative information presented in this report is based on 174 qualified survey respondents. The figures below detail the demographics of the respondent base.

Respondents by Number of Employees

The number of employees in respondents’ organizations is shown below (see Figure 12).

Figure 12. Survey Respondents by Number of Employees


1,000 to 2,499, 18%

2,500 to 4,999, 22%

5,000 to 19,999, 29%

20,000 or more, 31%

How many employees does your company have worldwide? (Percent of respondents, N=174)



Respondents by Role

ESG asked respondents to choose one of 9 titles (or “other”) that best described their current role (see Figure 13).

Figure 13. Survey Respondents by Role


Respondents by Industry

Respondents’ primary industry is shown in Figure 14.

Figure 14. Survey Respondents by Industry


Senior IT Management (e.g.,

CIO, VP of IT, Director of IT,

etc.), 43%

IT Operations, 14%

Non-IT Business Manager, 14%

Networking/Telecom, 9%

General IT staff, 5%

Applications/Database, 4%

Information Security, 2%

IT Help Desk, 2%IT Architecture/

Planning, 2%Other, 5%

Which of the following best describes your current area(s) of responsibility within your organization? (Percent of respondents, N=174)

Financial (banking, securities,

insurance), 16%

Manufacturing, 16%

Communications & Media, 11%

Health Care, 7%Government

(Federal/National/State/Local), 6%

Professional Services, 6%

Retail/Wholesale, 5%

Other, 33%

What is your organization’s primary industry? (Percent of respondents, N=174)



Respondents by Annual Revenue

Respondent organizations’ annual revenue is shown in Figure 15.

Figure 15. Survey Respondents by Annual Revenue


Less than $100 million, 6%

$100 million to $499,999 million,

14%

$500 million to $999,999 million,

18%

$1 billion to $4.999 billion, 17%



$20 billion or more, 20%

Not applicable (e.g., public sector,

non-profit), 3%

What is your organization’s total annual revenue ($US)? (Percent of respondents, N=174)

20 Asylum Street | Milford, MA 01757 | Tel:508.482.0188 Fax: 508.482.0218 | www.enterprisestrategygroup.com

Documents

Mobile Device Management and Security Trends