Mobility… the Enterprise… and You

Written by Traci Lester on May 26th, 2011

In the realm of risk, unmanaged possibilities become probabilities.

Consider today’s enterprise environment:  More and more employees access the enterprise via mobile devices.  Whether home laptop, tablet, or smart phone, portals into the enterprise are on the increase, and are increasingly outside the domain of IT’s direct control.  There exists a security question.

Yet, there is attraction in allowing employees access to enterprise data and functionality from personally-owned mobile devices:

  1. They already exist, in most cases.  For any specific employee with a mobile device:  The organization does not have to procure something, and immediate returns can be gained.  Whether employees work from home, the road, or after hours, the devices serve; there is immediate return with little to no investment (high ROI).
  2. The devices are maintained by the employees:  The enterprise does not have to contract for service and associated plans.
  3. Employees procure new devices when they sense a need:  the device is slow, no longer supports an upgrade path, lacks features to match evolving requirements, etc.  Therefore, the enterprise is largely saved this concern; Time-to-Value (TtV) is short, and Total Cost of Ownership (TCO) is low or nonexistent.

Who manages security on these devices?  The answer – the only answer that counts from the enterprise’s perspective – is:  Someone other than the enterprise.

Do you trust any outside entity’s measure of security?  You’d better not – in the case of retail mobile devices, you don’t truly know most of these entities, much less have the knowledge and measures for assessing their security on a plethora of devices and device types.

Virtually everywhere I go, and from everyone with whom I consult, I hear:  How do I know, really know, that my environment is secure?

Security neither begins nor ends with apps back at the server(s), with enterprise firewalls, or with internal malware or virus protection.  Security starts at the ends of the fingertips tapping innumerable keyboards and pads… “out there” – and security has no end.  It is a constant evolution to match evolving threats and subsequent requirements.  Survey for risk.  Survey for risk on a regular schedule.

In assessing true security, first recognize that a true measure of security is not a mere absence of harm:  Something harmful can be transpiring that hasn’t evidenced itself yet, or won’t for a period of time.  Further, unmanaged risk represents an unsecured state.  No one can afford to find that security “protections” were inadequate only upon delivery of harm, such as breach of systems and data, loss, business down-time, and negative impacts to reputation.  Consider:  Even the most sophisticated environments are breached.  Just this month, Sony has suffered two major breaches in two weeks’ time.

This relatively recent security wrinkle – the act of balancing unsecured mobile device access against the advantages of ready access – is of particular concern for small and medium businesses (SMB), as well as large enterprise environments and organizations.  Employees will continue to access internal networks from home through a variety of devices, transports, and allied measures of security – or insecurity.

Therefore, solutions must be universal in any enterprise, and targeted with accuracy.  Solutions must solve, serve and secure:  First time… Every time.

IT leaders and staff should survey and approve every class of device that accesses the enterprise.  Further, the smart IT staff will know the status of devices.  As negotiated with IT governance (business), any leader in an enterprise environment, responsible for security, should know something about these outside mobile devices.  Start with these fundamental questions for any device (home desktops too):

  1. What operating system is being used?
  2. What is its status?  (Is it up-to-date?  Current service packs, etc.)
  3. What protections are needed?  (Verify or institute appropriate malware, virus, etc., protections in accordance with policy, best accommodations for proper integration to the enterprise, etc.)

Ideally, IT would block all mobile access until conducting a survey of personal devices.  This may not be practical.  What IT can do is to schedule evaluations of devices.  This can get sticky – after all, these are retail mobile devices, owned and operated by private citizens.  The enterprise has to negotiate its own posture with all levels of staff, business stakeholders, and governance.  It starts with discussion and draft plans.

But – get it started:  Stay safe out there.

By David Scott.  David is a CIO/Fortune 100 IT professional and author of I.T. Wars: Managing the Business-Technology Weave in the New Millennium, which was selected as an MBA text at the University of Wisconsin.  David is the sole proprietor of BTW Consulting: Business writing, policies and plans.  His comments have appeared in InfoWeek, Capitol Weekly (CA), and on the DC television show Communicating Today.  You can connect with David on LinkedIn or on Twitter by following @davidscott999.

 
