Stop me if you've heard this before: A survey of IT managers shows that they don't think their systems are as secure as they should be, they don't have the money they want to add more security, and users keep favoring productivity over security.
Duh! IT is never happy with its security profile, it never has enough money, and users tend to focus on doing what they're paid to do: Make money for the company and serve customers.
The latest such "study" -- meaning a survey by a company seeking to confirm its own sales pitch -- comes from Raytheon and Ponemon Institute. Ponemon is well respected in the security industry, but it's also a major provider of security FUD meant to create business for its consultants.
As you'd expect, the survey of 618 IT staffers about their mobile security posture found that most IT pros (57 percent) want to look at implementing a very complex technology that is hard to deploy successfully on the desktop and has never worked well in mobile: virtualization. Of course the answer to mobile security is to make mobile devices unusable. Think about it: A device you can't or won't use is the most secure of all.
In defense of IT, the respondents agreed that virtualization technology should be considered, not necessarily used. IT in fact should look at all sorts of technology to assess what would work best, even those that have failed in the past. In this case, the vendor is trying to make mobile virtualization appear to be in high demand, when in fact it is not.
I found it extremely telling that a third of employees at the surveyed customers work mobile-only, a number expected to rise to almost 50 percent in a year -- thus, the focus on mobile security. But the most intriguing finding from the survey is this:
52 percent of organizations and employees frequently sacrifice security practices to realize the efficiency benefits of mobile connectivity.
We of course have no idea what security sacrifices these employees are allegedly making -- the surveys don't ever ask that question. Writing passwords on sticky notes? Reusing passwords? Forwarding company emails to personal accounts? Posting VPN credentials on sites for hackers to get back at their employers? Downloading all the trade secrets of their company onto Google Drive? Given that the companies are still in business, I'm confident it's the first few examples. Given how individual password theft is an overrated risk, that's no big deal.
Security measures have to be balanced and appropriate. Security costs not only money but time and effort. The higher the burden, the greater the chance of noncompliance, which is why security has to be commensurate in cost to the assessed risk.
That approach won't let security providers meet their growth targets, so they have to pretend all risks are huge and no salve but their own is enough. Well, companies have to meet growth targets, too, so their employees need to focus on getting the work done efficiently and effectively.
If you force employees to choose between productivity and security, you deserve the inevitable result: a security problem at some point or a productivity problem. And if you force employees to choose between productivity and security, you're the problem that needs to be fixed. You don't do that by buying a product.