Not only would IT learn what tools work best for users -- and often there'll be no single best tool, given the personal workstyles involved -- but it would be able to better assess risks around information flow and where support needs are. Such partnering also lets IT bring in the "mobile elite" as IT proxies, so other business users can get support from their business colleagues rather than always call IT. Other studies I've seen show that users prefer to learn from their colleagues anyhow.
As to the risk issue, Morris notes that many organizations are poorly defended already. For example, 80 percent use perimeter security to block outsider access but have no controls inside their firewalls or buildings. Worrying about whether an employee is using Apple Keynote or Google Quickoffice or Bytesquared Office2 to edit PowerPoints is, frankly, not the best use of IT's time when the entire internal network is wide open.
Morris recommends that IT first understand what it is trying to protect, then create policies regardless of device or app that target those information security needs. The chances are that many such existing policies have gotten too specific in terms of the implementation, leading to a narrow protection approach that doesn't evolve with new technologies.
For example, an information access policy that requires domain joining cuts out most mobile devices. An information policy that requires user validation to gain access is a better approach, as that would allow the use of domain join for devices that support it as well as alternative approaches, such as certificates for devices that support them, to accomplish the same goal.
Morris also notes that by focusing on the device level, IT security efforts can get fragmented, creating an inconsistent, piecemeal approach that increases risk through the gaps between methods and through annoying users to the point where they do more workarounds. He recommends that organizations start with their laptop security policies, given how much critical information they store and have access to, then see if they have or can get tools to apply the same policy goals on other devices.
In other words, policies should be about security goals based on a risk/cost assessment for what you're trying to protect, and the low-level requirements should be derived only after the policies, and not confused with the policies themselves. "You need to separate the detailed execution instructions from the functions they execute," Morris says. You want to protect information, not blindly apply technology.
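To make the distinction concrete, here is an added illustration (not from the article or from Morris) of the domain-join example above: a narrow, implementation-level rule is written beside a goal-level rule that accepts either domain join or a valid device certificate as proof of user validation. The device records and the fixed "today" date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class DeviceContext:
    """Constructed view of what an access-control check sees about a device."""
    name: str
    domain_joined: bool = False
    user_authenticated: bool = False
    client_cert_subject: Optional[str] = None
    client_cert_expires: Optional[date] = None


TODAY = date(2024, 6, 1)  # fixed clock so the example is deterministic


def narrow_policy(ctx: DeviceContext) -> bool:
    """Implementation-specific rule: only domain-joined devices get access.
    Cuts out mobile devices that cannot join a domain, and says nothing
    about whether a user has actually been validated on the device."""
    return ctx.domain_joined


def has_valid_device_cert(ctx: DeviceContext) -> bool:
    """Certificate-based proof: present and not yet expired."""
    return (ctx.client_cert_subject is not None
            and ctx.client_cert_expires is not None
            and ctx.client_cert_expires > TODAY)


def goal_policy(ctx: DeviceContext) -> bool:
    """Goal-level rule: access requires a validated user on a device that can
    prove its standing; domain join and a device certificate are two
    interchangeable ways to meet the same goal."""
    return ctx.user_authenticated and (ctx.domain_joined or has_valid_device_cert(ctx))


def evaluate(devices: List[DeviceContext]) -> Dict[str, Dict[str, bool]]:
    """Compare both rules over a set of devices; returns {name: {rule: decision}}."""
    return {d.name: {"narrow": narrow_policy(d), "goal": goal_policy(d)} for d in devices}


SAMPLE_DEVICES = [  # constructed sample fleet
    DeviceContext("corp-laptop", domain_joined=True, user_authenticated=True),
    DeviceContext("managed-tablet", user_authenticated=True,
                  client_cert_subject="CN=tablet-17", client_cert_expires=date(2025, 1, 1)),
    DeviceContext("expired-cert-phone", user_authenticated=True,
                  client_cert_subject="CN=phone-3", client_cert_expires=date(2023, 1, 1)),
    DeviceContext("shared-kiosk", domain_joined=True, user_authenticated=False),
    DeviceContext("unknown-device"),
]
```

Running `evaluate(SAMPLE_DEVICES)` shows the narrow rule rejecting the certificate-enrolled tablet while waving through a domain-joined kiosk with no validated user; the goal-based rule gets both cases right.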
It sounds simple, doesn't it? IT should partner with the business it supports. We've heard that "IT/business alignment" mantra in IT publications and consultant recommendations for more than a decade. But the reality is that many IT organizations have done the opposite: They've set themselves apart from the users, stereotyping them as drooling idiots. In their minds, these IT pros have divorced users from the organization and set themselves up as the high priesthood of how to do business.