MOBILE IN BANKING
Ojas Rege, VP of Strategy at MobileIron, shares with us some of the big trends that MobileIron has been seeing in financial services and answers our questions about BYOD and the year ahead for mobile in banking.
What are the big trends MobileIron is seeing in financial services in regards to mobile?
2014 does feel to us like a catalyst year for financial services in mobile. Clearly financial services in general has been mobile for a while; they were one of the primary adopters of BlackBerry. So mobile email has been a much embedded and deeply valued capability in most financial service organizations, certainly in banks both on the retail and investment banking side.
That being said, financial services has not been an early adopter over the last several years in the move to this new generation of modern operating systems, iOS, Android, etc. They have not been an early adopter of BYOD and they haven’t been the early adopter for mobile apps, except in certain retail banking situations.
That’s all changing now in 2014. The way it is changing is the following: there have been a couple of drivers of this. First, what we see changing within banks is the CIO is realizing or has realized that mobile isn’t only an email platform, it’s not just a communications platform, but it is a computing platform. Why that’s important is that for the first time really the banks are looking at which of their business processes they should be putting on mobile devices, which translates of course into apps.
The move from email to apps is now starting for mobile in banking. That is a really important transition. We’ve seen this transition already happen over the last two years in healthcare, in retail, in pharmaceutical. So in some sense this is actually not a bad time for financial services to do it because there have already been early adopter industries that have gone through it and so the best practices have started to emerge. So that’s number one, which is they’re moving now from email to applications, so thinking about mobile as a computing platform.
The second key thing that is affecting their strategy is the migration off BlackBerry. And what is interesting about this from the banking perspective is that, even though the financial issues that BlackBerry has had over the last few years have been a big contributor to that, the primary reason that’s driving that migration is not the finances of BlackBerry but the end user demand. The users are demanding the next generation of platforms, and that combined of course with some of the instability around BlackBerry has really lit a fire under many financial organizations to move quickly. The big catalyst was in September of last year: Gartner released a global research note telling all of their clients that they needed to have either migration complete or alternatives in place over the next 6-9 months to move off BlackBerry for a variety of reasons. That note had a big impact in the financial services community because financial services and government were the two core verticals that were still heavily BlackBerry centric. The first big trend was the move from email to apps; the second was an acceleration of migration off of BlackBerry.
The third one is actually related to the second, which is the increasing demand in the user community to use their own devices. I mentioned earlier that financial services were not an early adopter of BYOD. In financial services the BYOD adoption has been slower for all of the reasons we would expect around security and around auditability. In the end the acceptance from IT of BYOD in financial services is very much going to be based on the confidence IT has in their ability to prevent data loss and to do that across iOS, Android and even Windows Phone. That is the lay of the land and what we are seeing at this time.
Is this going to be a primary area of focus for banks and are they going to be able to spend enough of their IT budget in this area? How does regulation come into play?
Mobile is not discretionary any more. It has become one of the top two or three initiatives, certainly from a strategic perspective across financial services. Mobile is no longer an island; it’s not a separate thing the bank does to mobilize their email onto BlackBerrys. It is the fundamental way that their employees are accessing their business data. So any regulatory program that a bank puts in place will have to include mobile because so much of the data that the regulations deal with is being consumed on a mobile device.
The challenge of course then is if you have this new set of end points and this new set of user experiences that my employees and my customers want, then how does all this regulation apply. What we have to do is move away from thinking of mobile as a set of technologies, being a set of devices, operating systems, and more toward thinking of mobile as a way in which their users are going to be consuming data. So whatever regulations they have regarding data are going to be the same whether the user is accessing it via laptops, mobile, or paper. Then we can take those protections and make things work effectively in a mobile context without damaging the end user experience. That’s really the key thing in mobile. The moment you start damaging the end user experience in mobile the user starts going around IT and it creates all kinds of data loss. Locking down mobile ends up backfiring because the user continues to do things but through other services and out of IT’s control. This all hits the BYOD question head on. In BYOD you have an example of the user bringing technology of their choice to the organization.
We did a study in June of last year on privacy. The study took 1000 employees in Germany, UK and US and the questions we were asking were: Are you using your own device for work? This was not financial services only, but 80% said yes. Even in Germany 80% of employees said, yes, I’m using my own device for work, and in Germany less than 20% have a BYOD policy in place. So the key finding in that was BYOD is here whether you like it or not. Every bank has a BYOD program, but the question is do they know they have it, because their users are using their own personal devices for work. That is why this becomes so relevant. To get ahead of the curve banks need to ask themselves: am I purely reactive or do I have a program in place?
What new concerns have arisen recently for the banking sector concerning Bring Your Own Device (BYOD)?
The umbrella around this is that banks have realized their end users are using their own personal devices. The biggest concern is I have this shadow IT problem. If the IT department isn’t moving fast, shadow IT springs up fast organically. What are the concerns then?
Top 3 concerns
- Data Concerns: Documents being lost, core bank documents that are covered by regulation being left out and ending up in the user’s personal cloud service. Document transfer into unauthorized cloud storage services is the number one data loss vector in financial services. The number one thing IT has to do is enable users to use documents on their mobile devices but protect those documents from being lost to unknown services.
- Number two concern is the unknown. These platforms are so new to banking IT they don’t know where the other risks are. The mobile market is moving so quickly there could be unknown vectors of data loss. There is a lack of education around these new services.
- Third is privacy. What they realize is the old world where everything was controlled by IT doesn’t work in a BYOD context because now the user has personal information on the device also. Now you have to be able to keep the professional information secure while keeping the privacy of the user.
How to address these issues
- How to prevent the loss of documents into unsecured cloud applications: The way to manage this is to protect the data flow. That document exists somewhere in the organization and generally it comes to the device through email. When that document comes into the device you need to ensure that it can only be opened in a secure environment. The document needs to be encrypted when it comes to the device and should only be allowed to be unencrypted by an authorized device. The only applications on the device that should be able to see them are secure applications the company has provided. The gateway is the key. No accidental security breaches. This allows the user to be happy because they access the documents they want on their device, and it provides IT with peace of mind because if somehow the document gets into an unauthorized application it will be useless because the document will be encrypted.
- The uncertainty around mobile: How does the organization address this? There are technical solutions for the other issues. This is more of an organizational issue. To become an expert in mobile requires the IT organization to invest deeply in education. Many banks have teams in place now whose job is to stay on top of the latest changes occurring in mobile. The pace of mobile is completely different than that of traditional enterprise technology and the reason for that is mobile moves at the speed of the consumer. IT organizations are going to have to become much more agile, have training and dedicated expertise on staff who keep up to date on all these new mobile technologies and can put in place the appropriate policies.
- BYOD and privacy: Requires the organization to have full control over the enterprise persona of the device. The employee wants to have access to their business email, business apps, web access to the corporate intranet and business documents, and IT needs you to have access to business policies, the configuration settings, the connectivity settings so you can get on to the internet, and the certificates which are used for identity. All of that together is what we think of as the enterprise persona. You as the bank need to be able to provision that enterprise persona to the user, you need to be able to secure the data on the device, you need to be able to secure the data in motion, and, the fourth thing, you need to be able to delete all of the data when the employee leaves. All four of those things you need to be able to do without interfering with any of the personal data that’s on that phone. Why that’s challenging of course is there is a lot of technology that needs to be involved. You need an enterprise mobility management platform to do this effectively. The other thing you have to do is ensure that the user has a seamless experience.
Does IT currently have a preferred device?
The two systems in the lead post-BlackBerry among financial service organizations are iOS and Samsung Knox because they’ve been through the most testing and they are the most secure. There are regional variances. The main drive behind that is cost. Android has taken all the low price devices, so the more price sensitive the market the more Android adoption you’ll see. We did some research recently that showed how quickly the user preference for BlackBerry has dropped. There are still those who prefer it. There is no one size fits all. You have to be able to support the broadest set of mobile operating systems out there because if you don’t you cannot serve the needs of your customer. In a consumer market things shift pretty fast.
What role is privacy regulation playing?
The bank has to put in place a user agreement that allows them, and gives them the authority in specialized circumstances, to confiscate a device and wipe data if needed; however, they then have to communicate clearly what is done on a daily basis. 99% of the time this is what we are doing and having that process in place is there is another piece to this as well. Having this in place is important not just from a legal standpoint but from an end user perspective.
Users will also need to be educated. There will always be a clause in the user agreement that allows for the employer to wipe a device. Knowing that the potential is there it is important for the user to be educated on how to back up their personal data so that they don’t lose personal data in the event that they have to wipe a device.
If you do this you will have a combination of a technology platform that supports BYOD, a really clear communication plan with the user so they know what you are and are not doing, and, third, education of the user on how they can protect their personal data. That allows a bank to deploy a BYOD program without taking on the risk of data loss or privacy breach.
In a BYOD world communication is just as important as your technology. Transparency drives trust. If you are transparent with your users on what you are doing it will drive trust. Without transparency you cannot have a successful BYOD program because users won’t use it.
So perhaps you have to have the HR department working with the IT department to ensure it is being communicated effectively?
HR is core to mobile. Mobile is as much an HR program as it is an IT program for two reasons: one, it is a benefit for your users, and secondly, for the relationship with the employer. It’s a triad of functions that need to work together to provide mobile in a way that users are going to want to adopt. That triad is IT, who is responsible for the technology, HR, who is responsible for employees, and legal, who is responsible for protection of data. If one of these is not involved it won’t work. This can be challenging and involve a lot of meetings.
Is there a huge benefit to the financial organizations by implementing a good BYOD policy?
Security is not the driver; it is the inhibitor. They are looking at it now because they are migrating off of BlackBerry. By putting in place a BYOD program that they feel secure about, it will save them money because they will not have to purchase new devices. It is potentially a way to migrate off of BlackBerry that is cost effective. User demand is the other reason.