The Mobile Aware CISO: Security as a Business Enabler
Slide 1
The Mobile Aware CISO
Security as a Business Enabler
Sam Phillips
September 2015
Slide 2
SIMPLIFY CONNECT INNOVATE TRANSFORM
Identify, Characterize Risk and Stabilize
Connected-Life without Complexity
Reach and Deliver Great Experiences
Secure Anywhere, Anytime Access
Security Enabling Future and the Possibilities
Customer-Driven Business Model
Driving Opportunities and Growth
Deliver innovation and confidence through Security
Slide 3
Secure Mobility Driving Innovation
SIMPLIFY CONNECT INNOVATE TRANSFORM
Banking
• Bank balances
• Account transfers
• Check deposits
• Online Stock Trading
› Card-less ATM
› Photo bill pay
Airline Industry
• Mobile check-in
• Mobile boarding passes
• Inflight point of sale
• Electronic flight bags
• In-flight monitoring & maintenance
• In-flight Entertainment
Retail
• Mobile payments
• Point of sale terminals
• Loyalty / in-store promotions
• Location Awareness
• Interactive Display
• Real-time transactions (Uber, Hailo)
Healthcare
• Tele-healthcare
› Diagnosis
› Treatment
› Follow-up care
• Wearable medical devices
Slide 4
(Timeline chart spanning the 1970s to the 2020s; the rows below are what survives of it, read left to right in time.)
Data Rate: 2400 → 24k → 24 M → 2.4G?
Keyboard → Touchscreen → Intuitive Typing → Contextual Response
Voice → Voice over Data → Voice over WiFi
Text → Ubiquitous Texting
First Secure Phones → Non-Govt Secure Phones → Global Secure Phones
SIMPLIFY
CONNECT
Gaming, Music → General Purpose Apps → App-based Productivity → Business Service Apps
Cameras → Bluetooth → Wearables → Embedables, Peripherals / Injectables
INNOVATE
Cloud-Service Reliance → Enterprise of Things
TRANSFORM
Evolving Mobile Capability
Slide 5
Evolving Information Assets and Business Processes
Integration
Basic email & Calendar
Connect Applications to existing back-end systems
Develop custom applications aggregating back end systems
Create purposeful applications focused on the user need
Business Value
SIMPLIFY CONNECT INNOVATE TRANSFORM
Security Need
Each new capability requires the CIO - and the enterprise - to think differently about both: The Business and Security
Vendors may need prodding, integration, and process help before a solution is Enterprise Ready
Slide 6
Samsung Business Services Supporting the CIO/CISO
Application Support Services
• Application Development and Migration
• Application Development Consulting & Training
• Enterprise Applications
• Application Platforms
Technical Support Services
• Flexible Support Options
• Tech-to-Site
• Device Repair
• Extended Warranty
Mobile Management Services
• Device Provisioning
• EMM Assessments
• EMM License Sourcing
• EMM Migration Services
Security Services
• Mobile Security Policy Review
• Mobile Security Architecture Review
• Comprehensive Mobile Security Assessment
Samsung Business Services offers a comprehensive suite of services to fully support the enterprise mobile ecosystem
Slide 7
Mobile Strategy Elements
Platform Tools Applications Services
Business Goals & Capabilities
Establish Clear Roles & Ownership
Focus on User Experience
Establish a Roadmap
Manage what matters
Communicate
End-to-End Security
Plan for Internet of Things
Employees, Customers, & Metrics
Native, Cross Platform, Container, & Virtualized – Secure APIs
LOBs, IT, Insourcing, Outsourcing
Govern Mobility Globally, but Empower Your Business Departments Locally
Architectural guidelines to allow innovation and transformation
Automate IT Functions, Build in compliance, Establish Governance, Strategy, Roadmap, Mobile Security Awareness
Wearables, Data Management, Analytics, Value Chains
Protect (sensitive) Information, Measure & Manage Risk - security, financial and competitive risks
Pulling it all Together – the Enterprise Mobile Strategy
Slide 8
• User experience is critical for mobile applications as they are enabled in the palm of a hand
• Many of the great devices’ security and productivity features work within Application APIs (e.g. multi-tasking, fingerprint scanner, stylus, keyboard case accessories)
• Mobile Applications need to be secure from initial deployment
Securing Applications
Slide 9
• Hardware to Application level security
• Real-time device protection from the moment you turn it on
• Management Tools
• Corporate data security to keep strict isolation of personal and corporate apps and data
Hardware Root of Trust
Bootloader
TrustZone
Kernel
Android Framework
• Build a strong foundation wherever you are
• Pick and choose components to meet and manage your risk
• Ensure that you have the levels of security available when and where you need it
• Without the solid core, your risk stays high - everything above the foundation is at risk with a weak foundation
Device Security
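An added illustration of the layered chain this slide lists (example code written for this page, not from the deck or from Samsung): a toy verified-boot chain in which each layer checks the hash of the layer above it, starting from a hash the hardware root of trust holds, showing that tampering is caught when the root check is enforced and goes unnoticed when it is not. The stage names, payloads and the hash-pinning scheme are constructed for the example; real devices pin signing keys rather than raw hashes.

```python
import hashlib
from dataclasses import dataclass
# Constructed example: the layers the slide lists, in boot order, above the
# hardware root of trust. Real devices pin public keys rather than raw hashes,
# but a hash chain shows the same dependency of each layer on the one below.
LAYERS = ["Bootloader", "TrustZone", "Kernel", "Android Framework"]

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

@dataclass
class Stage:
    name: str
    payload: bytes     # constructed stand-in for the stage's code
    next_hash: bytes   # pinned hash of the stage loaded next (b"" for the last)
    def image(self) -> bytes:
        # What the layer below measures: the code plus the pinned next-stage hash
        return self.payload + self.next_hash

def build_chain(payloads):
    # Build from the top down so each stage pins the hash of the one above it;
    # the returned root_hash is what the hardware root of trust would hold in fuses
    stages, next_hash = [], b""
    for name, payload in reversed(list(zip(LAYERS, payloads))):
        stage = Stage(name, payload, next_hash)
        stages.insert(0, stage)
        next_hash = digest(stage.image())
    return next_hash, stages

def boot(root_hash, stages, enforce_root=True):
    # Walk the chain from the root; return the first stage that fails, or None.
    # enforce_root=False models hardware that never checks the bootloader.
    expected = root_hash if enforce_root else digest(stages[0].image())
    for stage in stages:
        if digest(stage.image()) != expected:
            return stage.name
        expected = stage.next_hash
    return None

def demo():
    good = [b"bl-v1", b"tz-v1", b"kernel-v1", b"framework-v1"]
    root_hash, stages = build_chain(good)
    intact = boot(root_hash, stages)                    # None: every layer verified
    stages[2].payload = b"kernel-modified"              # tamper with one layer only
    caught_at = boot(root_hash, stages)                 # "Kernel"
    _, rebuilt = build_chain([b"bl-evil", b"tz-v1", b"kernel-modified", b"framework-v1"])
    with_root = boot(root_hash, rebuilt)                # "Bootloader": fused hash catches it
    without_root = boot(root_hash, rebuilt, enforce_root=False)  # None: nothing does
    return intact, caught_at, with_root, without_root
```

The last two results are the slide's point in miniature: with the root enforced, a rebuilt chain fails at the bottom layer; without it, every layer "verifies" against a foundation the attacker supplied.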
Slide 10
• Understand what the business really wants to do with mobile
• Establish a Business Council or Center of Excellence to focus on the Demand Side - what are the business drivers and value from enabling/adding mobility?
• Identify clear roles, responsibility, and ownership
• Clearly identify what needs to be protected and the tradeoffs with user experience that will keep people inside the lines - understand your threat horizon
• Build out tools and implementation strategies
• Help drive Innovation and Transformation of your Business
Summary/Next Steps for the CIO / CISO
Editor's Notes
Abstract: Business adoption of Mobile has gotten ahead of CISOs and the CIOs they work with. Aligning efforts with the mobile business strategy and value strategy helps CISOs regain influence and drive value and security for the business as more activity gets driven by the mobile applications and opportunities that business units explore every day.
Security Enabled
Just some examples from the 4 highlighted sectors: Banking / airline / retail / healthcare
Transport??!?
Each of these directly relates to: simplify / connect / innovate / transform
Building Mobile Application Security into the SDLC
Threat Analysis
Potentially harmful apps (PHA)
Google Play
Verify Apps
SafetyNet
Static/Dynamic application security testing
Comprehensive Security Assessment
Efficient and Consistent Methodology/Framework
Lower Security Control Cost
Implement security measures based on risk appetite
Sources:
Citrix White Paper on Mobile Security - http://www.structured.com/wp-content/uploads/2015/06/Enterprise-Mobility-Management.pdf
Citrix EMM – and XenMobile solutions - https://www.citrix.com/content/dam/citrix/en_us/documents/oth/how-four-citrix-customers-solved-the-enterprise-mobility-challenge.pdf?accessmode=direct
Complete copy/cut/paste from Citrix - http://www.builtinla.com/blog/8-key-elements-successful-enterprise-mobility-strategy
http://mlabs.boston-technology.com/blog/7-crucial-elements-of-a-successful-enterprise-mobile-strategy