The Sleeping Giant is Waking Up: the State of Mobile Security Today ft. Cile Montgomery/VMware
With the rapid adoption of BYOD and the growing remote workforce, IT and security teams are just catching on to the need for mobile security to protect corporate data and assets. In this episode, host Hank Schless is joined by Cile Montgomery, Product Line Marketing Manager at VMware, to discuss the new risks mobile devices present to organizations and what trends to expect in the next year for mobile security.
Episode Transcription
Hank Schless 00:08
Hi everyone, and welcome to Security Soapbox. I'm your host, Hank Schless. And today we're going to be talking about what my guest has been calling a sleeping giant within security. And that is mobile security. I'll introduce my guest here in just a second. But in the context of this sleeping giant that I mentioned before of mobile security, there really has been a pretty steep rise in the last few years of mobile-related incidents and breaches that really result from widespread and inevitable mobile adoption and hybrid work. The broader population of IT and security teams, I would argue, has finally started catching on that this is an issue that we all need to think about. And to discuss this topic with me, I'm super excited to welcome Cile Montgomery, who's a product line marketing manager at VMware, to the show. Cile brings with her over 25 years of experience working in the tech industry, where she's created and discussed technologies really with the goal of improving people's experiences, both at home and at work. And before joining VMware back in 2021, Cile worked in product strategy, product marketing, product planning, all across the board, including building a marketing firm that she founded, grew and sold. And she's also spent time at Dell, lives down in the lovely city of Austin, Texas with her son, and Cile, thank you so much for joining us today on Security Soapbox.
Cile Montgomery 01:30
Thanks for having me, Hank. So it's great to be here. Just a little bit about myself: So yes, I work in security. And I've worked in technology for over 25 years and exclusively in security, maybe the last seven years, and really focused on endpoint security as well as management because we know management is kind of the original security, right? Patching devices, managing devices. But now it's much bigger than that. So I'm here and I'm doing that. I love security. It's a new mystery to unravel every day, right? I think you might feel the same way about it. And that's why I'm here and committed to continuing to make sure people are more secure in everything they do.
Hank Schless 02:10
Absolutely. Well, I think you're right, it is easy to really get engrossed in the industry with how the challenges sort of evolve every day. And it seems like every day we wake up, and there's something new, for better or worse, that we have to help people understand how they can protect themselves against or maybe there's a new framework that's put out that people are kind of curious about how they align with it. Whatever it may be, it always keeps us on our toes. And you've been working in tech for enough time that you've really seen the rise in mobile working for some major players like VMware now and Dell in the past. How have you seen, aside from sort of the reliance on mobile devices, obviously, we all… My phone’s right next to me; it's everpresent, right? How have you seen the understanding of mobile risk, and really security awareness, evolve in your time?
Cile Montgomery 02:57
I mean, it's changed a lot. So I think first of all, people used to think when they thought about risks, they only thought about desktops, right? They thought, we've got to get this secure, we need antivirus, we need to make sure it’s secure. And then people realized antivirus wasn't enough. And they started looking at a JV. And then they realized that they needed to not only do that, but also be able to go and investigate threats and really dive into things that were suspicious but not quite understood. That applies to mobile as well, right? We talked about this at our panel at Explore with David Richardson. A lot of what people are buying when they buy a security solution is a faster way to prevent known threats and unknown threats, but then also reserved team time for the things that need further investigation by protecting against things, you know, automatically, which… You know, the reason we partner with Lookout is because we could do that across a really, really wide range of threats. Because you have so much data and your Lookout Security Graph. So yeah, that's the thinking there. And yeah, mobile has evolved. How has it evolved? So you know, this shift to remote work in 2020, accelerated a long term change. So people went remote because they had to, but now people are choosing to work remotely. Companies know that it's good for people. People prefer hybrid work models where they either work remotely all the time, like I do, or they go to the office a few days a week, right? And so things have really changed there. And through that, you know, people also make decisions to allow employees to use more of their personal devices for work, whether it is computers or mobile phones. So mobile phones are definitely increasing as part of, like, the population of devices people use for work. And then how they're using it is changing as well. So it used to be that you would just use your mobile device for email access.
Now you can use your mobile device to access everything that you use for your job, right? Whether it's important documents, data for Salesforce, customer information, you know, information that's considered vital to the company. And depending on your role, you may even be looking at Tableau, looking at financial information that is highly restricted, and you're looking at it on your mobile device. So there’s definitely more need to secure that information. And that's here. And that's happening right now. Now, why do I say that mobile security is the sleeping giant? I say it because I think that the lead of giving people that ability to work everywhere on their mobile phones, that was the lead horse in the race, right? Like that happened first. And people didn't really realize they were having issues with mobile security at the time they were giving all that access. And then now it's kind of catching up to us where companies are acknowledging that remote work has really adversely affected cybersecurity. If you look at the Verizon MSI report from this year, which was released in the August timeframe, 79% of orgs agreed that remote working adversely affected their cybersecurity and increased the burden on security teams. And 45% of organizations had recently experienced a mobile related compromise. And that was almost twice as much. So 45% of orgs, that's a big chunk of organizations surveyed, and almost twice as much as the number, which was 21% in the year 2021. So, people are seeing more impact of this shift to mobile work. It is something that companies need to address.
Hank Schless 06:30
I completely agree. And there's a lot within that report to… definitely a lot to unpack, you know –– the report itself, sort of as an annual benchmark of where we are in mobile security. And what I thought was interesting was this year was the first year that they really called out a section about how mobile and cloud are really intertwined. I think it's really interesting. One thing you said is that people didn't understand the risk that was being introduced. And that's one of the biggest things when people say, “Well, my mobile devices are secure, because, you know, whoever makes it says it's secure and whatever.” Honestly, it's one of those things that unless you kind of proactively say, “I'm going to secure my mobile devices,” you don't have that level of visibility, which makes things really difficult, obviously, to see if there's anything going on. So one thing I'd be curious about, you mentioned your panel at VMware Explorer earlier this year, and that was really talking about the need for unified endpoint security. Now in the context of the MSI stats that you just mentioned –– right? –– being that 45% of organizations recently experienced a mobile-related compromise and then the 79% number –– right? –– agreed that remote work has adversely affected their cybersecurity posture and increased that burden. How would you say VMware has sort of reacted to that? And, you know, seeing trends like that, you know, kind of broadly across the company? What's sort of the chatter around that and the way things are being strategized? Are people coming to you with different customer problems maybe than they were a couple of years ago?
Cile Montgomery 07:59
They're definitely coming with the advanced mobile security as a challenge and not only wanting a solution for it, but wanting to understand it a little bit better. Government organizations have updated their frameworks. Like some of the leading, you know, industry standards have been updated to say you probably should think about advanced mobile security. Those standards haven't been defined in detail. So when a customer is evaluating mobile security, we help them figure out what to evaluate. I think you might have the same thing happening on your end as well.
Hank Schless 08:30
Yeah, absolutely. It's definitely evolving. And this is why it's so great, that we're helping folks out together. One of the big things there is from the BYOD perspective, right? This is something that you and I in the past have talked about. Basically, I mean, what it really comes down to is people don't want to feel like they're being watched on a personal device. They don't want to feel like Big Brother is there. And how do you do that, right? How do you help people understand that if you want to use a device for work, then you've got to have something in place that makes sure that device is basically clean? Where does privacy work into the conversations with your team, Cile? Where are people most concerned in terms of how they're protecting, really, those personal devices and what that balance is with privacy?
Cile Montgomery 09:09
Yeah, I'd say that on the privacy front, people are concerned with making sure their employees feel comfortable with what's on their phone, and that they understand the benefits and the functionality of it. So knowing what is being tracked or not being tracked, knowing what is being collected. And one of the reasons Lookout is such a great partner is that they analyze the information that's collected and analyze it so that people can feel a little better about having protection on their phones, because we don't want to know about the apps that you don't want your employer to see. We just want to be sure that you don't have leaky apps or malicious apps on your phone. And there's kind of two things –– so there's that and then there's giving people the opportunity to remediate things on their own as well. So you can notify them, “I'm giving them a chance to remediate things” and message directly with them, which I think is helpful as well, instead of intervening all the time, because a lot of the issues with a BYOD device actually need to be resolved with the end user. And then we can get the aggregate reporting that says, “Okay, this is resolved or this needs to be resolved…” which I think is extremely helpful as well.
Hank Schless 10:24
Yeah, absolutely. I agree. And another thing is that bring your device is here to stay. It's something that I think a lot of people were doing for a few years, especially as mobile technology has gotten better. And even if you're looking at a managed versus unmanaged device, because you can have managed personal devices, you can have unmanaged corporate devices; it's rare, but it can be the case. You know, one thing that I think is interesting is actually looking at some of our mobile encounter rate data. So you mentioned our dataset; we have the largest dataset of mobile threat telemetry in the world. And from that, we can pull a lot of really good stats that sort of show industry trends and look at mobile phishing rates. So this is basically… At least once a quarter, this is “What percentage of devices are basically sent a mobile phishing link across any SMS, email, social media, dating apps, gaming apps, all the places that we can message on a phone?” And what's interesting is the devices without management, which I would argue are more likely to be personal devices. With the unmanaged devices, it's actually been pretty high this year; it's been almost 25%, on average, through the end of Q3 2022. But what's interesting is that managed devices –– it's actually still just under 20%, for an average. So it's still a pretty significant issue. And, you know, you talk about this theme of the sleeping giant, and I think part of it is that there's so much less difference between the risk posed by either a managed or unmanaged device or personal or corporate issue device, it's becoming way blurrier. And because of that, you need a way to make sure that regardless of what device is being used, that security is in place. It shouldn't matter to the end user what device they're using. And they should just be able to see the difference between if they're using a managed or unmanaged device, personal or corporate issue device.
Cile Montgomery 12:09
You know, you hit on a really good point, Hank. You were talking about applications besides email and SMS. And that is a key use case –– advanced mobile security –– because you need to have that phishing and content protection that extends to messaging apps, to social apps. You can't just protect email and SMS anymore. Whether WhatsApp is approved for use or not, people use it for work, right? That's just one example. And so having protections in place are really critical. And I'm not gonna go into use cases or case studies on people using applications and having major challenges with compromise, but, you know, it's out there. You can go and read about it and learn the kinds of risks that are posed by those types of messaging apps.
Hank Schless 13:00
Yeah, totally. And one thing that I'll actually, that I'm going to add to that is the additional risks that we're seeing a lot more recently, which is people sending safe links to malicious destinations, or malicious files, where they're using things like Dropbox, or Google Drive, or Office 365, or whatever it may be, basically, to share on, let's just say, on LinkedIn –– share a job description, for example, and say, “Hey, you know, here. You should read this.” It goes to docs.google.com. It's not Google's fault at all. It's not their responsibility, really to be looking at that. But what it does is that it oftentimes can, for less advanced phishing protection solutions, can slip by because basically that obfuscates the true destination of what's behind that link. So… all sorts of use cases we could go into there, together, I'm sure. But as we look to sort of wrap things up, we are coming up on the last couple months of the year. And I'd love to know from you as someone who's really a professional in this space, what are you really excited about in 2023 and beyond for endpoint security?
Cile Montgomery 14:03
Well, I'm excited about people addressing mobile as a threat, because I'd love for people to not have so many liabilities out there. And I'm looking forward to everyone learning a little more about what that means, because I think that we're ready for more details. So we're here to provide them. And then on a personal and work level with VMware, I'm really excited about how VMware and Lookout are working together. We've integrated Mobile Threat Defense… Workspace ONE Mobile Threat Defense integrates Lookout technology, and we have it running through Intelligent Hub, which means that we can easily and effectively deploy mobile security to really large populations, which has been a challenge for some people in the past. And then also we've done integration so that you can automate threat remediation through Workspace ONE, so that these IT teams and security teams, which are overwhelmed with work because there is more complexity in their environments, can manage that complex. So excited about talking to more customers about that. And certainly, I hope to be back on and we will be continuing to work together this month, this year, and ongoing.
Hank Schless 15:13
For as long as we can see in the future, which I'm very excited about. But yeah, that's still very exciting stuff. I think that as I've kind of learned more about what we're doing together, I think that that activation piece is really cool, because like we talked about earlier –– right? –– getting someone to deploy that security solution on what feels like a very personal device, even if it's work-issued, can be a challenge. So that's something that we could, again, go down a whole ‘nother path with that. I think that's about all the time we have for today. So Cile, thank you so much for joining us. I would argue that most people know where they can go if they want to learn more about VMware, but in terms of you personally, you know, I love being connected with you on LinkedIn, seeing what you're posting about. It's super interesting to me. Is that the best way for people to be able to find you and be able to follow kind of what you're thinking about on a daily basis?
Cile Montgomery 16:00
Yeah, yeah, you can find me on LinkedIn and my name is spelled C-I-L-E Montgomery. You can go there. And then also I do write on the VMware UC blog as well. So if you go to vmware.com, you can find me there.
Hank Schless 16:15
Awesome. Alright, so, well, thank you so much, and to our listeners, thank you so much for tuning in. To find more interesting security and technology topics, be sure to subscribe to Security Soapbox on Spotify or wherever you get your podcasts, visit lookout.com/blog for some more information. And then you can also actually learn more about Lookout’s partnership with VMware by checking out our dedicated VMware page on our website, lookout.com/partners/vmware. Be sure to follow Lookout on LinkedIn and Twitter, @Lookout. And until next time, I'm your host Hank Schless. Thank you so much for tuning in.