Showing posts with label mobility. Show all posts

Keep your friends close ...

changing goals or executive mayhem
 Horia Varlan - orig image


In one of Luis Suarez's recent blog posts, he asks a great question. My initial response to his question is in a comment on Google+, but I thought it would be better to respond to his blog post with a blog post of my own. My hope is that this blog post will spark some more conversation. For Luis' full blog post, feel free to go read Luis' entire post. It really is a great post and worth the read. In Luis' blog he frames and then asks the following question:
"... Remember when perhaps 3 to 4 years ago we used to go to all of these social networking for business events and suit and ties were just missing from the equation? You could hardly see one or two in a large room. They were the outcasts, to a certain degree, and perhaps frowned upon for no good, nor apparent, reason. But it felt good. It felt disruptive, provocative, heretic, even a bit rebellious of what you have been experiencing all along. Well, fast forward to today and it looks like in a good number of social business related events the suits and ties are back! Have we become a bit too formal and given up on our outrageous, heretic ways? We are no longer seeing ourselves, social business evangelists as disruptors? Have we, finally, been assimilated by the corporate world, before our job is done and completed? What do you think?"
What do I think? I have a couple of theories. I am sure others have theories. Let's hear from you. I am interested in what other people think on this topic.

My first theory is that the executives have actually decided that they like some of the ideas being proposed. But have they bought into the entire vision or just part of it? Could it be that the executives are following the old adage, "keep your friends close, and your enemies closer"? If this is true, then what executives have done is to fool the practitioner into a lull by bringing the practitioner close, keeping a close eye and providing support in some areas but squashing other initiatives. The outcome of such an activity is that the vision will never come to complete fruition and the revolution is squashed before it gets too far downstream.
My second theory is similar. The executives have bought into the plan. They believe the ideals that are set and are working with the practitioner. But in this scenario, the practitioner has become complacent, not pushing the limits because they have had success and have become more conservative in their approach. The successes have fed the practitioner into not wanting to risk losing the success by continuing to push hard. Basically, "why would I want to buck the trend? I am in line to move up in the company. I have made it, no need to continue to push."

My third theory is following a totally different path. Maybe we (the practitioners) lost track of the end goal. For me, my end goal changes every year. I am always looking for the next thing to improve collaboration, communication and mobility. Have "we" lost what the end goal is or have we just lost the collective end vision because everyone has taken the initial idea and gone in a different direction with different goals?

What reasons can you come up with on why we, as practitioners, have appeared to become complacent? Or maybe we are not complacent. What evidence do you see across the industry that proves the differing opinion?

Social Business, Mobility, and Security

security, social business, mobile
Lock by xserve (Lok Leung) from Flickr: http://www.flickr.com/photos/xserve/368758286/
Time for some viewer participation.  Raise your hand. If any of the following statements is not true, you can lower your hand.


  • You work for an organization that strictly enforces security?  
  • You work for an organization that is strictly regulated and requires lots of compliance?  
  • You work for an organization that does Social Business?  
  • You work for an organization that allows you to mix mobility and social business and compliance together while doing it securely?
If you are still raising your hand, look around and count the number of people with their hands still raised. I would guess that you could count the number of people with their hands still raised on one hand.

The solution of building a secure social business solution with compliance buy-in is tough enough as it is, but once you decide to put it on a mobile device, all bets are off.  Why?  Instead of answering the question directly, let me ask you more questions ...  Is your organization willing to lose that valuable information that occurred when two or more employees collaborated on a solution?  How about if that collaboration occurred between an employee and a customer? Partner?  What happens if that collaboration between employees and customers included privacy data or confidential data?  So think of this scenario if you are not worried.

Joe, your star salesman is out and about, meeting with one of his best clients, Jill.  Jill asks a question about how the next version of software will work.  The information she is asking about is confidential at this time, as the company does not want its competitors to know about the new features in the next version of software. 
Unfortunately, Joe doesn't know the answer to the question and would like to get the answer quickly. He would rather not have to get back to Jill and prefers to provide a thorough but quick answer.  He knows the development team can answer the question and uses his mobile social business application to ask the question.   
Jan, one of the developers, sees the question from Joe and quickly responds back to Joe, but warns him that if this information gets out, they could have some serious issues.  Joe trusts Jill to not spill the beans and since Jan responded quickly, Joe is able to respond to Jill with the latest information (since he was gabbing it up with Jill).
After Joe meets with Jill, he heads to the airport and while there, leaves his phone in the bathroom.    

What do you do?

The organization has the ability to remotely wipe the device. The organization manages the device, enforces the use of a PIN/password on the device, and enforces the use of encryption on the device.
But are those security mechanisms enough? Managing the device is difficult. If the device is taken offline, remotely wiping it is not possible. While a PIN/password is good, hacking a PIN (typically 4 digits) is not difficult (9999 combinations). Passwords are harder, but not that much harder. The device can have a policy set to wipe the device if too many attempts to type in the PIN or password occur. But in all honesty, who cares about the PIN when you are most interested in the data on the device? Cracking/rooting the device without using the PIN/password is easier, and it is safer for whoever wants the data because it ensures the data on the device is not wiped. And once you do that, the device's flash memory (think disk drive) is available to be read.

So how secure is that confidential data on the device?

You can decide to wait until the device manufacturers and O/S developers play catch-up to make this type of  "security" more "secure".  That could take years.   What do you do?

There is another solution: build an application that is secure. Have you ever heard of the term managed application (as compared to managed device)? A managed device dictates what the owner of the device can and can't do on their device. It enforces the encryption of the device, forces passwords and applies other security mechanisms. In contrast, a managed application allows the developer to dictate what is available for the application and enforces its own security, without relying on the device manufacturer.

How? A managed application ensures that all of the application data is encrypted, separately from and potentially in addition to the device encryption. A managed application enforces a password for the application. In the above example, the social business application and the messages sent are secured in transit, and if they are stored locally on the device, they are encrypted by the social business application (the managed application). If compliance is needed, build it into the system: either capture it at the server side, or provide some means to capture it from the device.
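
A sketch of the managed-application idea described above, as an added example that is not code from the original post: the app keeps its own password, encrypts locally stored messages itself, and applies its own attempt limit. The function names, the `MAX_ATTEMPTS` value, and the choice of scrypt plus AES-256-GCM from Node's built-in `crypto` module are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const MAX_ATTEMPTS = 5; // assumed app policy, not a value from the post

// Derive a 256-bit key-encryption key from the app password (scrypt, per-vault salt).
function deriveKek(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// AES-256-GCM with a fresh 96-bit IV; output layout is iv || tag || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob was modified (tag check fails).
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// App-local store: a random data key, kept only in wrapped (encrypted) form.
function createVault(password) {
  const salt = crypto.randomBytes(16);
  const dataKey = crypto.randomBytes(32);
  return { salt, wrappedKey: seal(deriveKek(password, salt), dataKey), failures: 0, messages: [] };
}

// Returns the data key, or null on a wrong password; wipes app data after MAX_ATTEMPTS.
function unlock(vault, password) {
  if (!vault.wrappedKey) return null; // vault already wiped
  try {
    const key = unseal(deriveKek(password, vault.salt), vault.wrappedKey);
    vault.failures = 0;
    return key;
  } catch (e) {
    if (++vault.failures >= MAX_ATTEMPTS) { vault.wrappedKey = null; vault.messages = []; }
    return null;
  }
}

// Messages are only ever written to the store in encrypted form.
function storeMessage(vault, key, text) { vault.messages.push(seal(key, Buffer.from(text, 'utf8'))); }
function readMessage(vault, key, i) { return unseal(key, vault.messages[i]).toString('utf8'); }
```

The attempt counter only stops guessing through the app itself; if the flash is read directly, what protects the messages is the strength of the app password feeding the key derivation.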