Emphasize the endpoint
David scored major points in this debate by reinforcing the point that we can't let users run the asylum. It's true that we can't rely on the users to make proper security decisions, whether on mobile platforms or traditional computing systems.
I spent a few hours on a panel discussion here at Mobile World Congress talking about the challenges of securing data in motion and heard first-hand the nightmares faced by IT security departments with an active mobile workforce. Users will always opt for convenience over safety, regardless of the consequences. Corporate security policies are circumvented in the name of getting work done, and smartphones are 'jailbroken' to make life easier with no regard for the security posture of the device. These are truths that aren't going away.
We all agree that this exciting mobile world introduces gaping holes for attackers to penetrate the network. Then why is mobile device security such an afterthought? Network security and device security must co-exist but, with users as the weakest link, we need to place the emphasis on the endpoint.
Secure your network
Ryan and I essentially agree on most of this debate. Neither of us would recommend you entrust your organization's protection solely to devices in unpredictable users' hands. And neither of us would tell you to avoid any good security facilities available at the handset level.
Interestingly, device manufacturers are finally beginning to recognize the need for better security. BlackBerry now offers the Balance system and Samsung announced Knox at MWC this week. But both security kernels are optional purchases, so most device users won't have them.
What's particularly relevant for my side of the argument is that even the very existence of these device-level security features showcases the expectation of a network defense. After all, if a company mandates that only devices with Balance or Knox features are allowed on the network, then -- almost by definition -- there is central management of security and an organization-level set of policies.
Ultimately, that's what network security is. It's using the full resources of the organization (as well as the physical set of networks) and providing security services at a professional level.
The bottom line is really simple. The best-best-best defense is a mix of device and network security. But you must never rely solely upon your devices to provide security. Employees, customers, consumers, and partners can't, universally and without any deviation, be counted on to follow all your security recommendations.
After all, a discount, malware-infested copy of Angry Birds Star Wars is going to be far too appealing to at least one user on your network. All it takes is one user. Unless, of course, you secure your network. But that would make the network the best defense, wouldn't it?
Heck, you know I'm right.