Rule 3: Place responsibility squarely on users and their managers
In many organizations, IT's role has been transformed from making the technology work to using technology as an enforcement mechanism to control employee actions. I know few people in IT who relish being the equivalent of baton-wielding riot police, but I find most IT people -- especially CIOs -- feel obligated to protect the company through technology implementations.
Stop that! If a person breaches data, he or she should be counseled or punished as appropriate by business-unit management. IT should provide the infrastructure to monitor information activity and to set the technical ground rules for access to corporate digital resources -- but not to police activities. I don't know when it became OK for business-unit managers to stop managing employees or automate away human responsibility, then wonder why people don't know what the right thing is, much less if they're doing it.
We used to have a culture based on the notion of "loose lips sink ships." Everyone was responsible for keeping secrets, managing information flow to those who truly needed it, and understanding the relative sensitivity of whatever they were working on. Security was everyone's job, with experts providing the monitoring and the tools, but managers creating the expectations and holding employees accountable to them.
We need to start doing that again. It doesn't require new, expensive technologies, nor does it (or should it) fall solely to IT. Do phishing expeditions within the company and counsel, warn, and punish (in that order) repeat offenders. Let employees who access corporate resources using devices not on the official list know that you're aware of their actions, and remind them of the standards of information management they are held accountable to.
Expect users to be responsible. If they want to use their own technology, demand they be smart users, too. BYOD works only when it is embraced by all, both the freedom it brings and the responsibility it engenders.
BYOD is not and should not be an IT problem. If it is in your organization, something is terribly wrong: Management isn't managing, and employees aren't treated as or expected to behave as adults.