The Mac security lesson you may need: “Eat your own dog food”

Security has become a top priority for most people making large investments into technology deployments because the threats and measures continue to become more and more complex. In “Enterprise Security and macOS: A Dynamic Duo”, we were joined by five panelists including three people from Wipro — Andrew Myers, Waqas Khan and Steve Hultquist; a Jamf representative, Matt Woodruff, and Daniel Griggs from cmdSecurity to share tips, experiences and lessons-learned on keeping Mac devices secure in complex, security-focused enterprise environments.

They started off the session by asking the audience to think about “What keeps your security team up at night”? “What is your important data? The data that if stolen or corrupted is not an option.” They urged you to nail that down and make sure your security plans moving forward are crafted with this priority in mind. It was with this question in mind that the panel, led by Hultquist, shared where they had come from and a little bit about how it shaped their philosophies.

Experience shapes philosophy

Andrew Myers from Wipro started things off by discussing his experiences making a jump from higher education to the corporate atmosphere. He quickly learned that while there are many differences, obviously, he was surprised by the similarities. When working on a college campus, he was with a school moving from free management tools to real, paid for, robust device management platforms that had to focus on how to deal with integrated devices, POS systems in the campus store and BYOD versus institutional devices. Not far from corporate having many teams, all with different use cases. It was here he learned, “Approaching things not only from how it affects you in IT but how it effects your users when selecting tools, creating plans and approaching leadership.”

This approach was agreed upon by everyone on the panel, but Griggs discussed one additional point that he learned from his time in highly secure government settings. “Communicate to users exactly what is going to happen. Avoid letting the ‘rumor-mill’ create an idea of what is going to happen and build transparency into the plans.” To make his situation more difficult, he was managing around 13,000 very skilled users that weren’t used to having centralized management. He emphasized that security measures will always have an effect on your users. The more you can be transparent in how and why they will be affected, the easier becomes to have them understand.

Khan, while agreeing to all of these points, discussed his experiences coming from a world of Windows while trying to incorporate Mac. He said, “People have tried to claim to me Mac have ‘security through obscurity’. That it’s only secure because of low usage and a lack of poor intentioned people creating malware.” It’s a common attack on Mac security and one you may have to overcome. “Trying to promote Mac, especially in a Windows-centric atmosphere is quite the feat. But when you can see it bring delight to users it makes it worth the hard work to overcome people’s hesitancies, raised eyebrows, questions and doubts.”

Their final tip, which they urged everyone do immediately, may have been the simplest. “Live in the shoes of a normal user, not an admin.” Have your admin account, but make sure that you can test, understand and see how your work affects the users. He eloquently summed it up with, “Eat your own dog food.”

Questions for the panel:

• We saw announcements around security in the keynote, but as we continue to push the Mac, the security problems become more complex. What are your thoughts around data loss prevention/solutions?
  A: Some data loss prevention solutions currently on the market do not give a good user experience, hinders usability and productivity. Excited to see what Jamf Protect does to help solve some of the problems but really hoping that as these flaws are becoming more of a hot issue, we will get more solutions.
• What’s your advice on the change from device protection to data protection? What should be the focus?
  A: Both are always important. Focusing on one will always leave holes in your security and downplays the importance of each of them.
• How to pitch using Jamf Protect in a mixed environment which doesn’t cover all our devices and is a second product? Again, look to create a “give and take.” Show them what you can provide for them in addition to what it provides for you. Instead of “ask, ask, ask” make sure they know why it benefits everyone when proposing an ask like that.

Key takeaways

• Approach your plans with the mindset of how it effects IT as well as how it will affect the users
• Don’t stop work in the name of security
• Let past experiences shape your philosophies
• The reward of seeing users happy will make all the obstacles you have to overcome worth it.
• “Eat your own dog food”