Best Argument: Device
Audience Favored: Network (55%)
There's no other choice
Listen, I'm not going to sit here and argue that network security isn't crucial to a robust mobile risk management strategy. It is. But if you ignore security at the device layer, you're in for a rude awakening.
In this BYOD world, corporate data is flying through open WiFi networks in coffee shops and sitting in the back of taxi cabs when smartphones and tablets get lost. If you can't protect the device, you are ignoring significant entry points for attackers.
The best defense is multi-layered, but unless you have strict plans and policies around device security, identity management, provisioning, and log-in credentials, you are ignoring significant risks. When mobile devices leave the traditional "perimeter," you really need to address that risk at the endpoint level. There's no other choice.
To keep everyone safe
Mobile devices, far more than desktop computers, are extensions of the personalities of the individuals using them. Here's the fundamental problem. If we rely on the device as the sole means of mobile security, we're relying on people.
Mobile device users range in knowledge from very technically skilled to barely able to answer a call. They also vary in willingness to take the time and extra effort to secure their devices. Some users will purposely violate device security, either by jailbreaking or downloading apps from questionable sources.
The simple fact is that the vast majority of mobile users just don't understand security, don't care, and aren't willing to take the time to learn. Since the device itself is under their direct control, we just can't rely on it alone.
Any good security strategy relies on tiers (or layers) of security. Certainly, having some security on the device is a start. But that's far from enough. The network is the common means by which all these devices communicate, and so it's up to the network to keep everyone safe.
Sometimes, that means relying on the internal corporate network or VPNs. Other times, that means relying on carriers, who also don't want malicious traffic on their network. But whether it's IT or the carriers, both have a far more vested interest and dedication to security than the device users themselves.