Technology should not be the focus of access and information management. Yes, it can help monitor and steer employees toward desired behaviors, but it cannot replace the responsibility of individuals to do the right thing in whatever computing context they choose to work in. In a consumerized world, knowledge workers choose not only their devices and software but also their work processes, and policies are about those work processes and how they are expressed, no matter what technology is in use. (Previously, I've provided an in-depth look at the technology side of planning for, implementing, and securing BYOD.)
Rule 1: Security and management burdens must be justified by actual risks
Across that broad range of concerns, the technical and HR policies will vary from company to company, and even from one user class to another within the same organization. That is to be expected: the risk of data loss (the real concern in BYOD) has to be weighed against the gains BYOD brings, such as higher productivity, more flexibility through the ability to work from a wider variety of locations such as client sites, and greater employee satisfaction.
But the requirements and policies have to be reasonably aligned with the actual risks, and in regulated environments with the actual compliance obligations. That is where many IT organizations dropped the ball, imposing onerous requirements that were not matched by the risks they were meant to address.
Rule 2: Security and management burdens should be consistent across all access technologies
Employees could see the imbalance simply by noting that many companies imposed tighter controls on mobile devices than on personal PCs, even though a personal PC has far more capacity to abuse data or infect a network than a mobile device does. For example, disk encryption is usually required on mobile devices but not on PCs, and companies seek to control the information exchange of mobile apps but not the same exchange by PC applications.
That imbalance should have been a red flag to security managers that either the PCs were undersecured or the mobile requirements were too strict, wasting corporate resources and risking driving employees to unsafe work-arounds.
If a certain level of security is required, it should apply to all devices: Windows PCs, Macs, iPads, iPhones, Androids, BlackBerrys, and whatever else may be out there. Of course, if the effort to enforce that level of security on a specific device or platform is unduly disproportionate to the effort of implementing it on the others, it makes sense for a company to exclude that outlier or to impose a tax on its users to pay for the extra cost. However, IT must first verify that the device or platform does in fact require that extra investment, and that IT is not simply perpetuating outdated facts or even stereotypes. For example, both Android and OS X have come a long way in their security and management capabilities in the last couple of years.