Then there's that pesky detail that all the dire warnings about BYOD bringing down the enterprise simply haven't come to pass. I remember CIOs and CSOs saying, "When a CEO goes to jail because of the iPhone, then maybe people will get the message," to justify their paranoia. But the breaches we've seen have been the old-fashioned kind that IT allegedly has under control: lost (unencrypted) laptops, lost thumb drives (because cloud storage is blocked), and old-fashioned inside jobs, plus the phishing phenomenon for which there is no tech cure.
Clearly, business should practice basic security hygiene -- passwords, encryption, backup, remote lock and wipe -- on any endpoints, as should users. It'd be even better if companies did this with their PCs, before freaking out over mobile and cloud. Some industries may also have valid reasons to control specific aspects of a mobile device or regulate and audit the flow of some data as it moves through a business process or workflow. There are solid tools from capable vendors to do that.
But much of that information management can and should happen at the back end, limiting access to sensitive data in the first place, rather than let it out and worry about it once it's left the data center. Electronic medical records systems point the way: They use browsers on PCs and tablets to interact with patient data and medical systems' information, so the data is never retained on the device to be lost, stolen, or compromised. We've had such Web apps for a good decade, but seem to have forgotten that approach.
Instead, we've had a period of "buy, protect, buy some more" decisions by an IT community surprised and shaken up by the consumerization of IT. It started with Salesforce.com's "no software" campaign a decade ago but didn't really shake the foundations of the data center until the iPhone kicked the BlackBerry out of the enterprise. It's time for "assess, buy, protect" instead.
Throwing products at the problem -- assuming there is a problem -- won't solve it. Rather, it creates a new problem: a cacophony of tools that overlap and don't integrate, creating huge management costs and new risks due to the gaps.
We can see the effects of this security overload in the market. As far back as May 2010 -- just before Apple's iOS 4.2 made MDM possible on iPhones -- SAP bought Sybase, partly to create a fuller mobile strategy using Sybase's Afari MDM platform. In late 2011, thin client maker Wyse Technology bought MDM vendor Trellia, then Dell bought Wyse (and Trellia) a few months later, adding it to Dell's (so far) unintegrated stable of management technologies. In early 2012, Symantec bought up a variety of mobile content managers, such as Nukona and Odyssey Software. In October, Good Technology bought mobile app security firm AppCentral. Last week, Citrix Systems bought old-line MDM vendor Zenprise, hoping it could find a relevant toehold in the new consumerized mobile market that passed them both by.