Citizen IT Aids Mobile Security

June 14, 2016

Contributor: Kasey Panetta

Stop fighting shadow IT and create an environment that holds employees accountable for their mobile use and app development.

When companies consider mobile security, they often look to technology as the problem or solution. However, people may pose the bigger problem.

“The majority of challenges are not technical, they are human factor challenges,” says John Girard, vice president and distinguished analyst at Gartner, in his session on the State of Mobile Security at Gartner Security & Risk Management Summit 2016.

With the advent of the bring your own IT (BYO IT) world, companies face an interesting challenge: How do you stop employees from creating their own applications when the company doesn’t own the hardware?

Everyone owns IT

“This is the state of mobile security. People will do what they want because they own the devices and they have their own ideas,” said Mr. Girard. “BYO will not stop — it’s going to continue to migrate. BYO IT doesn’t just mean device, it means apps and databases. IT is becoming a tool that every person owns.”

While this migration presents challenges, it also offers the opportunity to deputize your employees and enable everyone to become a responsible, creative and autonomous developer. Mr. Girard noted that it’s time to usher in the new age of citizen IT.

“ IT is becoming a tool that every person owns.”

According to Gartner, by 2020, at least 70% of large enterprises will have established successful citizen IT development policies, up from 20% in 2010.

By design, mobile devices may be easy to manage, but what isn’t easy to manage is how employees will use those devices. They may make mobile security mistakes that enable hackers inside the enterprise, particularly if the company fails to create a framework in which they can safely operate.

In environments where citizen development projects are not regulated, people will use small systems by companies that may fail or apps that aren’t supported. Or, they may use apps tested by people who don’t have the proper education to know whether the apps are safe or recommended, said Mr. Girard. Further complicating the issue is ownership. If an employee develops an app outside of work, but then uses that application during the day, who owns it?

“Employees will do as they please,” says Girard. If you declare citizen IT illegal, people will do it anyway, but if you declare the process legal, you can license and supervise the programs employees are creating and using.”

Stop fighting shadow IT

One obvious solution might be to ban individual development or require everyone to use company phones, but the solution that works is to encourage employees to take responsibility for the apps they create for their use. In other words, stop fighting shadow IT and create an environment that holds employees accountable while allowing them to use apps that make sense.

“ If you declare citizen IT illegal, people will do it anyway.”

IT policies can’t stop users from using their own apps, but they can provide an avenue for the creative and energetic expression by employees, said Mr. Girard. Businesses should pay attention to citizen IT and set rules and resources to encourage people to do a good job when creating apps.

  1. Create a toolbox Ensure that employees have access to professional tools. The company should supply tested, approved and maintained code libraries. This will prevent employees from downloading code with an unknown source from the internet.
  2. Set the standards Allowing employees to have control of business processes turns them into IT service bureaus. If they take on the autonomy and discretion in these developments, they must take on the obligations. Employees should sign HR agreements and mobile policies notifying them of their responsibility. Once people sign, they’ll start asking questions about practices, tools and more to create better apps.
  3. Create the boundaries In areas with sensitive data or mission-critical applications, citizen IT might not be an ideal solution. In a highly regulated industry, set boundaries for employees when it comes to creativity versus production.

Gartner Security & Risk Management Summit

Connect with the world’s leading security and risk management leaders with Gartner experts to establish an agile security program and deliver business value.