Both models introduce new IT and information security challenges for the delivery of information services across new networks, new protocols and new endpoint devices. While years of analysis and planning have gone into the decisions behind the purchase of the traditional IT systems, these mobile devices and the vendors that deliver mobile solutions are merely a few years old. Few of these systems have matured through the versioning necessary to achieve the functionality and robustness demanded of financial systems.

Yet, mobility presents such a compelling opportunity that many industries including the financial services industry are overlooking some of the short-term weaknesses, much to the chagrin of IT departments, in order to take part in the mobile bonanza and to avoid being left behind while customers, and even employees, shift their loyalties.

IT departments no longer have the degree of decision-making control that they once had. When it comes to mobile devices, the employee has far greater decision-making influence than ever before. Major device OEMs now understand that the consumer is their channel to the enterprise IT department and are marketing their solutions directly to this segment. IT is now in the position of responding rapidly to the demands of the employee and maintaining the level of service and security of the traditional system.

IT departments must now integrate these disparate mobile systems into their existing infrastructure and processes as well as understand and maintain logical partitions between corporate data and personal data. Additionally, IT must deploy client-side software to defend against whatever employees choose to download onto their devices, and track these devices in order to recover them if lost or lock them and potentially wipe the devices of any corporate data.

Affecting the management practicality of these devices is the fact they these devices were not designed to deliver multi-persona, logically partitioned information. Most devices share storage and memory amongst all of the apps and data on them. What is needed is a means:

• to isolate the employee apps and data from those of the corporation,
• to specify and manage the corporate apps and data to the level of restriction and control demanded of all the other corporate IT systems,
• to permit the device owner to enjoy all the benefits of their device without restriction or oversight over their personal data,
• to allow the corporation to remove corporate data from a device if it is lost, stolen or leaves the company,
• to allow the device owners to do more than just work and play with the device:
• to allow them to isolate their banking apps from their children's games;
• to allow them to create a guest on their device for sharing;
• to create a quarantine area on their device for downloads that they are unsure of;
• to restrict nosy apps from snooping or swiping their contact list or taking advantage of the ridiculous permissions that most apps require by eliminating any potential security holes,
• to make BYOD the viable model that it promises by providing devices and systems that support the requirements of both the corporation and the employee.

It will take several more highly publicized security or privacy incidents to force mobile solutions to achieve the level of trust demanded by the financial services industry before any significant information-access services are made available to employees.

Until that time a lot of faith will be placed in VPN and anti-malware products, as well as the constraints in the right-to-use policies that most employees must now sign up for, to protect apps and data on mobile devices while in the hands of employees.

Alec Main is CEO of Graphite Software in Ottawa, Ontario, Canada.