
I wanted to comment a little on the recent stir concerning the vulnerabilities on the iPhone (iPad, iTouch, I-Robot.  No, wait, that's a movie.)

I think the level of interest in this vulnerability (and there's been a lot on security blogs in the past couple of days) speaks volumes about the growing unease felt by security professionals with the rapid changes in IT infrastructures. What's happening is that the range of devices interacting with corporate systems is growing fast, especially compared to previous decades, when mobile computing devices represented a minority of systems and adoption of new technologies was much slower.

The explosive growth of iPhones, Android-based systems, and, of course, the ubiquitous Blackberry, now means that far more users are carrying around devices capable of being used as an entry point by attackers, each of which is able to hold potentially millions of dollars' worth of sensitive information. These systems represent unique challenges for security folks – they are often owned by the individual, they have considerable processing power, and they are proprietary in nature, so you can't just throw an agent on them and monitor as before.

I think what's happening to security process is the same kind of de-perimeterization that happened to the network. Yes, there are general boundaries of control, but they become very fuzzy around the edges. The security organization is being asked to create and implement policies that protect information, even as that information flows onto systems over which they may have limited control.

New approaches are needed. One-size-fits-all security technology is becoming less and less of a reality as the type of device, the nature of the user, the breadth of regulatory landscape, and value of the stored information all change rapidly.

New security methodologies will have to be highly business-aligned and extraordinarily flexible to meet the demands of the equally rapidly changing workplace and business models in order to ensure productivity. There's going to be a lot of value placed on centralized management of disparate technologies, unifying compliance mandate reporting and automation of process.

Where security used to have a reputation for saying "no", it's clear that the expectation for the future will be "yeah, we have that covered".
