The Pareto principle argues (in simplistic terms) that 80 per cent of effects derive from just 20 per cent of causes. The 80:20 rule can be a useful approach to adopt when you're trying to devise mobile security strategies, especially as bring-your-own-device (BYOD) creates an ever-diversifying stream of devices that need to be controlled.
In a paper late last year, Gartner analysts John Girard and Dionisio Zumerle argued that adopting an 80:20 view made it much more viable to develop effective enterprise mobile security strategies without having to spend excessive amounts of money. In particular, by dividing your end users into different groups, you can choose appropriate strategies for those groups, rather than adopting a "one-size-fits-all" approach, they suggest:
Separate mobile users into risk categories based on high-level use cases that pertain to their access behaviours. Avoid getting lost in the details of their application needs.
The principle applies in other ways too. It's important not to be excessively paranoid when planning these strategies, the paper notes: "It is a reasonable starting assumption to expect that the majority of employees in an organisation will comply with the company's mobile security goals and that a majority of employees are not handling highly sensitive data on a continuous basis." Assuming you need to lock everything down at all times is both expensive and unlikely to succeed. Focus on users who are either likely to resist policy or who have access to such critical data that extra precautions are needed.
You can also apply the principle iteratively. For instance, if you assume that 80 per cent of employees will be willing to have mobile device management (MDM) tools installed on their devices, you should also assume that 80 per cent of that group (64 per cent of the total user base) won't want much more than access to email. It's the remaining 16 per cent, who may need other apps, that call for an additional level of attention.
That level of segmentation may not work for every company:
Some organisations may find it simpler to apply the same profile and protection solutions to all users; this will depend on whether an enterprise mobility program has enough budget to accommodate this action, the licensing arrangements that are in place, the duties and needs that different subsets of the workforce have, and other factors. Organisations that have low-to-medium security requirements may have a negligible pocket of users who need strict protection and may either choose not to provide a solution for that category or postpone the use of mobile devices for that type of work style.
In many scenarios, however, using 80:20 ratios as a guide can be helpful.