In January, Donald Trump became the 45th president of the United States. During the months leading up to the inauguration, security experts questioned what phone the president would use during his term in office — and reasonably so. Mobile devices are now fully integrated into our personal and business lives, making them a highly attractive target for attackers.
Imagine the information an attacker could gather if they could access the POTUS’ calendar and could remotely control the phone’s microphone during key briefings throughout the day.
Trump reportedly turned in his Android device on his first day of presidency for an unidentified locked-down phone, according to the Associated Press (however, the New York Times recently reported that the new president may still be using his unsecured Android device for tweeting). This is standard protocol required by the National Security Agency. When President Barack Obama took office, he was required to use a modified secure device (in recent years assumed to be a stripped-down Boeing Blackphone) even though many of his aides still relied on their iPhones. The NSA was responsible for setting up Obama’s device when he was president-elect in 2008, and stripped most of the device’s functionality to make way for extra layers of encryption. Obama joked about his awful phone situation for years, comparing it to a 3-year-old’s modified play phone.
Where White House security and enterprise security overlap
Moving outside the White House, IT teams face similar challenges when implementing a mobile security solution in the enterprise. As a security expert, I understand it isn’t always easy to get employees to follow all your recommended security advice. If it were, phishing wouldn’t be nearly the problem that it is. This often becomes harder as you move up the organization — the busier and more overloaded the executive is, the less willing they are to change their way of operating to take on the paranoid mindset of the security team (especially when you don’t have the assistance of the NSA).
This presents a conundrum: The CEO has access to much of the company’s most sensitive data and yet they’re likely among the most resistant to changing their behavior in order to assist you to secure it. And beyond that, they have the organizational authority to refuse to implement your changes with impunity.
Driving Executive Security Behavior
Consider these things as you look to encourage secure behavior among the most senior parts of your organization:
- Be invisible: When you are attempting to add secure ways of doing things to the C-suite, it is vital that you find ways to do so that don’t require wholesale changes to their day-to-day workflow. While some senior execs may tolerate some amount of interruption or change to their workflow, the less friction you create, the better. While many see it as creating “security awareness” to provide their users with frequent notifications and interruptions, anytime you add friction to the process, you are increasing the likelihood of the boss requesting that the security technology be removed completely.
- Prioritize the things you think are essential: As security experts we want everything to be perfect and secure. Our ideal world is where we have total control and there are zero holes that attackers could get through. Step one when implementing a successful mobile strategy — especially when it comes to securing the CEO’s device — is knowing that you aren’t going to get every security protocol you want onto your CEO’s device without some pushback. In this situation, we need to take our cue from GE’s Chairman Jeff Immelt, who said: “We need to be risk managers, not control freaks.” Your goal is to reduce the risk of compromise for your C-suite, not implement perfect security, especially if that adds friction to their lives (see point No. 1). The CEO isn’t going to let you restrict her ability to access corporate data, hindering her ability to work on the go. Therefore, I would suggest prioritizing what you want to implement and what is most important before you implement your full mobile security plan.
- Understand that your CEO is a skilled risk manager: Security folks often forget that all executives get to their positions by managing risk. The CEO who is forcing you to modify your security priorities IS managing their risk; in many cases, it’s the risk of the business not being able to make the right decisions at the right time because of friction in the workflows of its highest-cost employees. This is often hard to remember when it seems like the CEO is making the wrong decision from a security perspective. In that situation, it is your job to attempt to understand what risk they are managing rather than to get frustrated and think that the CEO is a moron (which is many security professionals’ normal reaction). Only by understanding will you be able to help educate (and be able to shape the risk management discussion in the long term).
Mike Murray is Vice President of Security Research and Response at Lookout.