Infosecurity Europe 2013: BYOD is the new normal

It is no longer possible, let alone desirable, for most organizations to prevent employees from bringing their own devices to work, concluded a panel at Infosecurity Europe.

It is no longer possible, let alone desirable, for most organizations to prevent employees from bringing their own devices to work.

According to a panel discussion at Infosecurity Europe 2013, the need to control IT budgets, ensure productivity, and support flexible working is forcing information security teams to move to a presumption in favor of allowing staff to bring in their own smartphones, tablets, or even PCs.

The bring your own device (BYOD) phenomenon is now a permanent feature of the IT landscape in all but the most restricted areas of business and government.

"You have to accept it. It is not viable to say we are not going to do it, and satisfy yourself on that security stance," said Martyn Croft, CIO for the UK operations of The Salvation Army. But, he admitted, some of the strongest objections to BYOD came from within the IT team itself.

At The Salvation Army, Croft has limited the scope of BYOD to devices based on Apple's iOS, coupled with a configuration and acceptable use policy. Extending employee choice to Android devices would, he said, lead to too much diversity. The personal devices are also assigned to their own section of the network, and are not able to connect to the charity's finance or fundraising systems.

According to Barry Coatesworth, information security officer at the retail chain New Look, BYOD is just one of the new ways of working which raise challenges for information security. "Sometimes you have to make the impossible possible," he said.

But, he added, employees often take more care of personal devices than work devices, including when it comes to security. This may, in time, prompt the retailer to extend BYOD to PCs. "The advantage is that people can have the device they want. I see it less as a disruption than a business enabler," he said.

IT directors and CISOs should, though, be cautious, warned Thom Langford, director of the global security office at Sapient. "By its definition, you don't own the device, so there are issues around what you can do with this," he said.

International companies, the panel warned, have to allow for regional or local regulations that might restrict companies' abilities to carry out simple security measures, such as wiping a lost device. They also need to ensure that any mobile device management system they deploy is flexible enough to cope with new types of devices as they emerge, he said.

And companies also need to be aware that their decisions around BYOD, and even the type of device they might support, will be influenced by clients' or customers' requirements.

According to Phil James, information security director at consulting firm Hyder, work for clients such as the UK's MoD (defence ministry) can preclude such policies; firms bidding for contracts will often have to follow the security policies set out by their clients.

"Clients will often define security," he said. "We can bid for that work, or not. If we win work with the MoD, we have to operate to MoD standards… it is not always up to companies to decide how to handle data."

But the trend for employees to want to bring their own gadgets to work is only set to grow, said Nigel Stanley, analyst at Bloor Research. "Almost all of us are wired up 24x7," he said. "The smartphone has become the most intimate computer ever."

And it is that very combination of power and intimacy that makes it vital for companies not just to have a policy for BYOD, but to make sure that the policy is developed taking into account not just IT and risk management, but also HR and legal policies.

The best way to handle BYOD, the panel agreed, was to take a multi-disciplinary approach.
