Businesses welcome bring your own device (BYOD) policies for the operational cost savings and user experience, according to the (ISC)2 2013 Global Information Security Workforce Study.
At the same time, the study – conducted on behalf of the (ISC)2 Foundation by the analyst firm Frost & Sullivan – shows that information security managers admit companies must do more to understand the security of the technologies behind the trend, particularly cloud-based systems and applications.
BYOD is a prevalent practice, according to selected results released at a press conference previewing the Infosecurity Europe 2013 conference at Earls Court in London from 23 to 25 April.
Some 53% of more than 12,000 respondents from 145 countries said their companies actively allow employees, business partners or both to connect their devices to their networks.
A similar proportion, 54% identified BYOD as a growth area for training and education in the information security profession.
Increased BYOD concern
But security professionals are concerned organisations remain unprepared for the risks of the trend, with 78% considering BYOD to present a “somewhat” or “very significant” risk.
This reflects increased levels of concern compared to the 2011 study, when mobile devices were identified as a significant risk by 68% of respondents.
Nearly three-quarters of respondents highlighted that new security skills are going to be required to manage the security risks associated with BYOD.
The biggest concerns are over the state of application security (72%) and the cloud (70%). Another 66% said companies need to get more of a grip on how compliance requirements are being affected with the prevalence of BYOD.
The study shows companies are open to allowing user-owned smartphones (87%) and tablets (79%) onto corporate networks than laptops (72%), while they are supporting a multitude of platforms, with iOS leading the pack (84%), closely followed by Android (75%); RIM Blackberry/QNS (62%); and Windows Mobile (51%).
“Whether approved or not, user-owned tablets and smartphones are connecting to corporate networks and cloud environments,” said Michael Suby, Stratecast vice-president of research at Frost & Sullivan.
The escalating capabilities of these devices – such as those that use dual-core processors and multi-gigabytes of storage – add to the level of risk the devices pose to corporate assets and sensitive information, Suby said.
“The positive news is that information security professionals are using a growing array of security technologies to stem this risk,” said Suby.
The business drivers given for turning to BYOD put the user at the centre of IT strategy. The desire to improve end-user experience at 60% was almost equal to the business requirement of supporting a mobile workforce (64%).
A significant number of respondents (44%) also noted the goal of reducing operating and user support costs; while the desire to lower IT inventory costs was noted by a much lower 21%.
“From a security perspective, BYOD is gaining attention, but current efforts are focused on the end–point, rather than on protecting business data and assets,” said Wim Remes, member of the (ISC)2 board of directors.
“There needs to be more effort put into protecting assets at the same time as liberating users through a greater focus on access to data,” Remes said.
The top technologies identified to mitigate risks include: encryption, virtual private networks and remote lock-and-wipe functionality. Only 42% are working with applications access control and authentication (40%), basic controls that exist on traditional IT infrastructures.
Remes said this could be an opportunity for IT operations to fully seize the role of a business-enabler. “If approached correctly, with a focus on the data, BYOD can actually improve security and enable the business to compete at a pace that was but a remote dream half a decade ago,” he said.
According the Remes, the latest study shows that security professionals need to be a blend of business and security professionals. “At present they tend to technical and not in sync with business,” he said.
The (ISC)2 Foundation will release the full report of the 2013 (ISC)2 Global Information Security Workforce Study in February as a resource for industry.