Second, it suggests the risk is in personally owned user devices. If you really believe that, you should disallow use of home PCs as well, and perhaps of remote access. After all, anything you don't own and tightly control could be compromised. Per the news reports, the ISACA "study" recommendations boil down to "because the device connects to corporate networks and accesses data at times, its use for personal online transactions can pose a significant hacker risk to companies unless precautions are taken." Let's get real: Whether you own a device or not, it's at risk if it accesses the Internet, which means every computing device is at risk, including the ones you own and provision.
There are still some IT and security pros who want to stop the BYOD phenomenon, and surveys like this cynically play into that outdated thinking by reinforcing the fake notion that the issue is who owns or selects the device. Deep down, any CSO or CIO knows that ownership is not really the problem, because if it were an issue of who bought or chose the device, you wouldn't need to spend all that money on antimalware and intrusion-detection technology for your corporate PCs and networks, would you? But of course you do. The risk is not related to ownership but to management.
If your IT security people are looking to kill BYOD, they deserve the gift of a severance. After all, the paranoid approach to BYOD costs more and is less secure than a rational, policy-management-based approach.
Third, it suggests that employees should not do personal things. This fear is related to the BYOD fear and comes from a fundamental distrust of people -- those annoying cogs without which the business could not exist. We heard this when people first got phones at their desks, then when the PC came into corporations, then when printers got connected via the network, then when email came in, then when the Internet came in, and now we're hearing it again with mobile devices.
Sorry, but employees are not slaves or robots you can force to do only what you will. And in a world where professionals are expected to work during personal hours, the long-accepted trade-off is that employers have to return the favor and be flexible during work hours. The 9-to-5 job doesn't exist for many people any longer.
Given the realities of employees doing personal things at work and work things at home, the only real solution to this risk is to protect your networks and your information where it resides, because any device anywhere could be used for personal transactions. Business transactions can't be guaranteed to be safe, either. This risk has existed for the last 15 years of our Internet-connected world, so it does not justify panic today.
If your IT security people want to restrict employees to only business resources during work hours at the office, they deserve the gift of severance. That line of thinking assumes a perimeter world that's long gone, and anyone clinging to it is building protections for a Soviet fantasyland.
CSOs, IT security staff, and other risk managers by nature are supposed to be paranoid, to see risks everywhere. Not only are their glasses half empty, but they're likely hiding a tasteless, slow-acting poison. You want some of that in your organization to identify risks. But that paranoid thinking is inappropriate for deciding which risks you act on. The ones you put in charge of risk management -- whether in IT, a security office, a legal function, an independent risk officer, or some risk group -- need to leave the paranoia at the door and do rational risk assessment. No company can afford to secure everything: The spend is infinite, the ability to get work done slows to a crawl, and your best people will leave for somewhere they can actually do stuff. That's a much bigger risk than employees buying Christmas gifts on their iPhone, Galaxy Tab, home PC, or office laptop.
The next time you see one of these scaremongering studies, note who's behind it and take that organization off your list of trusted advisers and partners. Risk is real, but fearmongering is a sign of desperation and cynical calculation. There are plenty of security pros and vendors who don't resort to such tactics to help you address real risks realistically. Use them instead. Don't let the security succubi and risk vampires into your world -- at any time of the year.
This article, "Mobile security: Security Grinches' misleading scare tactics," by Galen Gruman was originally published at InfoWorld.com.