
August 2009 Archives

August 3, 2009

Apple Needs to Get Serious About iPhone Security

Two years ago I took some hard hits from my peers for calling the iPhone "a security nightmare". Two years later, I can't find a single person who doesn't agree that the iPhone is the number one mobile target of security researchers. Fast forward to today -- is the iPhone still a security nightmare or have those problems been relegated to annoyance status?

Last night at one of the BlackHat evening events, I went out of my way to personally thank Charlie Miller for his creative and diligent work finding new and ever more alarming bugs in the iPhone. Charlie needs very few introductions these days due to the notoriety driven by his iPhone security hole discoveries and his history at the Pwn2Own contest. But Charlie is not alone when it comes to iPhone security research. Apple security updates for the iPhone OS now recognize a rapidly expanding list of bug reporters.

The iPhone is now on its third full OS version and Apple has added many new enterprise and security related features. In spite of Apple's attempts to keep the iPhone a closed system, more is known about its inner workings than any other mobile platform (except possibly the open source development of Android). iPhone popularity isn't limited to consumers; it is a favorite with security researchers.

One security maxim says that risk increases in proportion to the target landscape. If this is true, then the iPhone represents a significant security risk simply because of its market penetration. The same thing can be leveled at Microsoft Windows. It's easy to say that because the iPhone is getting the high level of security attention it represents the greater threat than other popular mobile platforms such as Windows Mobile or Blackberry. This kind of thinking is short-sighted.

The reason why the iPhone continues to represent a significant threat to the enterprise is not because of its operating system design or the dozens of security bugs it contains. The iPhone risk continues to escalate because of the way Apple prioritizes and operationalizes security. Apple continues to prioritize usability and features ahead of security. Apple just recently added on-board data encryption to the new 3GS model. Only days after its release, iPhone encryption was shown to be easily subverted. And enterprise security teams operating with limited resources still don't have a centralized management console for pushing out updates, and the updates themselves are released on Apple's timing with no advance clues as to timing or content. Enterprises that allow iPhones on their networks must live without the vendor-supplied intelligence routinely provided by other vendors.

Today the iPhone might not qualify as a security nightmare, but it's still a pain in the side of both IT security and operational teams. We would like very much to support and deliver the best tools to our users, and that includes the iPhone. The problem is that Apple's enterprise management tools just don't measure up to what is available from Microsoft and Blackberry. And even when we get in a bind with security issues from other vendors, at least they communicate and lend us a hand with detailed information and risk mitigation steps. It's time for Apple to get serious about security if they want to grow in the enterprise.

How to react when big leaguers get hacked

An old boss told me once, "You play in the big leagues, and you will eventually fall like a big leaguer." The fact is many people have their computer security compromised daily, and this is also true for many corporations. But how are we supposed to react when the "big leaguers" in our industry fall victim too?

Over the last week some of the security industry's heavy hitters were victims of widely publicized security breaches. Dan Kaminsky, Matasano Security and Kevin Mitnick all had their websites breached. Some events were little more than defacements; in Dan's case some of his personal information was publicized. We, the BlackHat attendees, are the ones entrusted by individuals, large corporations and government entities to protect networks against precisely these types of attacks. What do high-profile breaches like these mean for our reputations and for our industry?

The truth is that data breaches are so common that most of us aren't even alarmed anymore. Privacyrights.org tracks the millions of private records that are compromised each year. The Conficker worm was said to have compromised millions of computers. We have become so used to reading about these stories and shrugging our mental shoulders that some people say our industry has become laissez-faire. We work towards compliance; we fight for budget and reducing our risk metrics. But are we really living and breathing what we preach?

This is not to say that Kaminsky, Matasano or Mitnick aren't intelligent, creative thought leaders who honestly work hard each and every day. It does mean that even the best of us are vulnerable to the same threats as everyone else. It also means that every company, even the ones we work so diligently to protect, is susceptible to some sort of data breach. No one is beyond the law of statistics.

So what does it really mean when even the security gurus at BlackHat get breached? It means there is always room to improve, and it means that there is no such thing as complete security, no matter how much money you spend or how smart you are.

This sobering reality is a reminder to us all about the value of vigilance. It's also a reminder that every breach offers a lesson. Dan Kaminsky handled this very public data breach by congratulating his attackers and offering them two of his grandma's famous cookies.

Dan will definitely step up his security. Will you?

August 6, 2009

Twitter is down, twitter is down! I don't know what to do.

On this momentous occasion of a Twitter outage apparently caused by a big DDoS attack, let us celebrate by naming 5 things we used to do before Twitter.

1. Work more
2. Email the person directly
3. Pick up the phone
4. Make a decision by yourself
5. Watch the evening news and not find it old news


About August 2009

This page contains all entries posted to Sync in August 2009. They are listed from oldest to newest.
