The rapid growth and adoption of cloud computing leads to sometimes confusing situations where security remains an afterthought.

At a time when everyone is expected to do more with less, the difference between success and failure hinges upon the ability to communicate effectively. In fact, many people now realize the ability to communicate the value of security, and of their efforts, is the difference between career success and failure.

I recently considered how to cut through the confusion surrounding “cloud security” to successfully communicate the value of our efforts and shared some insights during the BrightTalk cloud security summit. Special thanks to Trend Micro, Symantec, Dave Shackleford and Lori MacVittie for sharing time, research and experience with me.

Blending their insights and experiences with my studies and models of how to effectively communicate value resulted in some interesting findings, including the need to translate our security experiences into the cloud is as (maybe more) important than selecting the right examples. The result is a 45-minute briefing, shared below.

Check out the recording here:

I work to help harness the human side of security; without a doubt, the challenges we face in our journey to the cloud is less technical and more dependent on our ability to successfully communicate with each other, with decision makers and with our colleagues who use the solutions we design, deploy and maintain.

This presentation is only the beginning.

I continue to research, test and help industry, enterprise and individuals to improve how we distill and and effectively communicate the value of security.

How can I help you?

Reach out with comments, questions and suggestions or share your communication challenges with me and we can explore how to solve them together.

When papers like this are released, most of the announcements focus on some quotes, perhaps a general impression and link. After my briefing, I took something else away – and I wanted to share.

Below, I break down my notes in terms of security awareness, security leadership, effectively communicating the value of security and a few thoughts on how a paper like this advances a security career.

The basic concern is clear: smart phones are gaining market share; increased reliance means they are loaded with personal and corporate information. Considering the continued growth of mobile computing, attackers are going to “follow the money” by turning their attention to mobile malware in search of easier, more profitable targets.

The challenge is determining where mobile device security fits into an already crowded and ever-expanding threat landscape.

How big is the risk; how fast do we need to move?

To put it into context, consider the magnitude of the risk: according to the Symantec Internet Security Threat Report there were 163 documented vulnerabilities in mobile device operating systems in 2010, compared to 115 in 2009. The growth demonstrates the rising attention of attackers.

Overall however, Symantec documented 6,253 software vulnerabilities in 2010 (additional context can be found in the most recent ISTR starting on page 15).

The impact of mobile malware on the enterprise is rising; while immediate action may not be warranted, there are some actions to take today to prepare for the future with less friction.

[pullquote]The impact of mobile malware on the enterprise is rising; while immediate action may not be warranted, there are some actions to take today to prepare for the future with less friction.[/pullquote]

Security Awareness

At this point in the year, the security awareness programming plan should be in operation – and no immediate changes are required at this time. The topic, however, does present itself as a good secondary or opportunistic topic – especially if people are starting to ask about it.

To get started, redefine the concept of mobile telephones: they do more than dial numbers these days. Ask questions about the type of information people store. A simple question gets this dialogue started, “what’s on your device?” Follow up with, “what happens if your phone is lost or stolen?”

Asking, “What happens if a rogue application gets installed on your device?” prompts a more advance discussion. The challenge to this level of security awareness discussion is preparing to talk about how this happens without accusing the individual/audience of being stupid.

Start the dialogue this year, if it makes sense, as an opportunity to learn the challenges people are facing and the language they use. This becomes valuable input for next years programming plan (where it still might not be a prime topic).

Security leadership considerations

Like it or not, mobile devices are connected to the enterprise. The growth of mobile computing coupled with the growth of “the cloud” means personal and corporate information is necessarily stored on the smart phones — approved or not.

Reconsider how devices are treated and then review current security policies, standards and procedures to understand how information is protected. Ask questions and consider how the policies address lost or stolen phones and mobile devices. The user experience matters.

Aside: I’ve tested “remote wipe” with clients before. Despite their assurances it would work perfectly, in each case, I was able to turn off the radio transmitter before the wipe and enjoy full access to the information stored conveniently on the memory card inside the phone. Lesson learned: check the policy, and then test to see if it matches reality.

Making the time now — before this becomes a hurried rush that never leads to good decisions — means the opportunity to consider changing functional and technical requirements.

Given the current average time to change policies and procure new technology solutions, this little bit of a “head start” might make the difference between future success and continued on-going struggle.

In short: do the work now, reap the benefit later.

Effectively communicating the value of mobile device security

As security leadership reviews and makes decisions, consider how to effectively communicate and incorporate the changes to the various audiences in the best possible way (hint: email may not work for everyone).

The key to effective user experience is striking the blend between connecting people to the consequences of their actions — restoring their ability to take responsibility — while providing a technical and procedural backstop that helps make it easier for people to do their jobs.

How this helps advance a security career

We’re in a profession where we need to know something about everything (aside: I believe the path to success, however, requires finding a niche and getting good – in addition to knowing a bit about everything).

Mobile device security and cloud computing are both on the rise. Investing time now to amass and understand facts, figures and the ability to explain the importance of these details to different audiences is important.

Breaking down the salient concepts of mobile device security to be able to teach these basic concepts to others in meaningful and appropriate ways is a way to advance a security career.

Your Turn

What do you think? How are you handling the rise of mobile malware, and the continued integration between mobile and cloud computing?

Share your challenges, and if my perspectives on this paper benefit your efforts (or what you’d like to have seen more of).