Todd Inskeep, Global Security Assessments VP- Global Security Services, Samsung
All too often, I see organizations that are looking to improve their mobile strategies fall into the same patterns and quicksand in these efforts. CIOs and their teams regularly get caught up in enabling BYOD and creating teams to build applications as they try to keep up with their peers, partners and customers, as well as address requests from internal management. These two seemingly obvious, and necessary activities, regularly consume resources with little measurable business benefit. Often, trying to make these investments produce results can tie an organization in knotted lines of responsibility and analysis as they try to find the “best” solutions to solve specific IT problems. These problems are caused because teams focus on solving problems and anticipating needs with mobile technology—instead of focusing on how to securely leverage mobility to improve the business of their organization.
Let me be specific. Talking with a large oil and gas company not long ago, I was told they were building out their mobile application development team. “Great,” I said. “What kinds of apps are you going to build?” Their mobile executive admitted they weren’t sure, but wanted to be ready when the business asked to build applications. This approach is common—thinking about mobile as a technology problem, versus as a business opportunity that can drive real value.
Business value comes from mobility in four overlapping levels, ranging from simple and incremental increases in efficiency to transformation of the business. In level one, a typical enterprise first enables smartphone access to email, contacts and calendars–providing employees with the same access they’ve long had from their computers on their mobile devices. Sure, there’s a value: I can be productive on the go without dealing with remote access activities. But the true business value of this enablement is on the order of 1-2 percent. People are in touch with the office a bit more frequently and expectations for reaction changes.
Next up, companies start connecting additional capabilities to mobile devices—maybe checking for conference rooms, enabling travel expenses or perhaps even access to file stores like SharePoint™. Again, this provides some incremental efficiency, but probably less than 3 percent improvement.
Financial services took the third step—which finally adds significant business value—just a few years ago when the most innovative among them started accepting check deposits by letting customers take photos of a check with their phone. While seemingly small, this innovation held significant business value for the bank and tremendous customer experience value as well. Trips to the bank branch to deposit checks were gone. Collecting paper checks from ATMs and branches were gone. T he t ime-consuming and costly processes of transporting, scanning, and destroying paper checks were gone. Almost overnight, these banks saw reductions in costs that only grow as people adopt this innovation. This represents the third level of using mobile strategies to create value—developing something that evolves the way your organization does business, the way customers interact with your organization, or both.
Our highest level of business value comes from transformation. There are few examples from inside companies, but Uber provides a transformational business example that’s very visible. Using key features of every smartphone—location, mapping, touch, and simple user interactions—Uber upended the taxi business, reducing the number of cabs cruising wastefully looking for fares and creating a mutual benefit by reducing the demand/ supply friction that existed in trying to find a cab when you actually want one. Further, it reduced the friction of paying for the ride, and built in customer and driver ratings to address satisfaction of both parties. The Uber transformation didn’t stop there. In major cities, Uber is picking up and delivering kids and packages, further improving the customer value for busy people. While there are questions around some specific practices, there’s a real transformation in value from the way things used to be done.
These four steps in increasing business value are shown in the attached diagram, along with some other key points for mobile security. As business value increases, the value of the information being accessed also increases, requiring more integration, more work and more security. CIOs need to look beyond training application developers and instead focus on finding tools and processes that will enable secure access to resources that will create greater business value. That drives the similarly increasing value and need for effective identity management, APIs and other services that will support secure mobile applications. The third and largest arrow highlights the potential business value increase through productivity and transformation.
So, what steps can businesses take be successful in this arena? There are three mobile security strategies critical for helping drive real increases in mobile business value. First, CIOs need to work with and engage their business partners in creativity and innovation exercises to create a portfolio of mobile application activities that include both small incremental bets and one or two big transformational ideas. “Design Thinking” methodologies have moved from art toward science as a way of engaging business teams to think creatively about a company’s current and future opportunities. These processes are used over and over by some of the most innovative companies to generate ideas and refine them into products, services and applications that can be quickly built, tested and refined. Great new ideas can come from many places, but deliberate approaches to generating and nurturing those ideas are necessary to ensure that applications will create value for the business.
“As business value increases, the value of the information being accessed also increases, requiring more integration, more work and more security”
Second, CIOs need to empower a mobile application development team to gain the skills and tools needed to quickly design, build and test mobile applications. These aren’t the applications we built in the 90’s and early 2000’s. Mobile applications need to be built based on use cases and customer experiences that are easy to adopt, quick to delight, and demonstrate value. A recent Gartner survey found that “users will try new apps, but they need to be convinced of an app's value before they adopt them and change use patterns over the long term.” Application development teams need the tools that let them build and manage code throughout the development lifecycle. They also need the skills to make sure use cases, interfaces and visuals make for easy adoption with great user experiences so that the applications provide demonstrable value to the employees, partners and customers.
Third, CIOs need to ensure security is an integral part of the application process. Your company’s reputation rides on the security and privacy addressed by each application you deliver. One insecure application can ruin a business reputation built over decades. Privacy concerns can reduce adoption or cause a mass exodus from one application to another. With all the headlines about security hacks and data breaches, a recent IBM/ Ponemon survey of 400 large companies showed “a full 50 percent were found to devote zero budget whatsoever—nada— towards mobile security.” Organizations should have security included as use cases, gating functions and release criteria, to ensure that mobile applications are protected from at least the most common mobile security problems before release.
Companies need to develop deeper mobility risk management strategies that enable the creation of measurable and significant business value. When developing mobile strategies, companies should shift more attention to how mobility can redefine their business and create new opportunities, as well as look for ways to re-engineer processes using mobile data and capabilities, all while keeping an eye on security as it relates to both the mobile solutions and organization overall.