A few days ago, I had the pleasure of being involved in an interesting security discussion on Twitter. If you tuned into the middle of the conversation, it appeared to be about VPNs and whether they were a valid way of connecting to the enterprise with a mobile app. The vagaries of the 140-character limit on Twitter, as well as having quite a few people in on the conversation, meant it took a lot of tweets to get the point across. What was interesting, though, was that on one side of the argument you had a few security guys who insisted a VPN was the only way to drive a secure network connection to the enterprise, while on the other side you had at least one security guy and a couple of mobile guys stating it wasn't the only way and certainly not always the best way.
Once you got past the "Are you crazy?" and "What have you been smoking?" comments, you could see an age-old conversation was going on. The crux of it is fought in enterprises every day, whether dealing with mobile apps or any type of apps or computing: Where does security belong in the conversation?
Let's start out with my belief: Everyone has some responsibility for security, needs to have awareness, and needs to be part of the solution.
That said, I still need to be able to get my work done. I have dealt with security people in the past who have looked at me and said, "No means no," even after I explained that what I was doing was a requirement of my work and needed for the company. More often than not, when those situations arose, business needs trumped security concerns and an exception was granted. The cost was a delay in my getting my work done and a security person unhappy at being overruled.
It's not that I necessarily disagreed with the security stance, but that the stance didn't take in all the business objectives. Instead, that stance said all data and computers must be wrapped in the same plastic blister-pack shells that electronics come in -- you know, the ones you can't get open unless you have a machete. The problem with this approach is that when you wrap the emergency supplies and the machete in these hardened cases, you can't get them out of the package when you need to.
The good news is you kept the data safe; the bad news is that no work got done. This is an experience that businesspeople relate all the time.
The opposite viewpoint is that of the security professionals who live through the malware and attempted intrusions every day and just want to do their best to keep the company's assets safe and secure. They look at the users as the offenders. They know someone is going to click on the phishing attempt or open a malware-infested link. To them it's not even a probability but a certainty. When it comes to mobile, they see it as 10 times worse: People lose their phones or leave them on tables, use public Wi-Fi, and basically do everything they can to compromise the organization, albeit unwittingly.