You're going to have to get your HR department involved in your consumerization strategy discussions
It's easy to get caught up in the technical minutiae brought about by the consumerization of IT. (After all, that's what this whole site is about!) But the growing consumerization trend also has a profound impact on the business side of things, with many thorny legal, policy, and compliance issues to deal with. And as scary as it sounds, fully embracing the consumerization of IT means that you're going to have to get your HR department involved!
All this is based around the fact that today's company policies were written for a world before consumerization. There are several examples that come to mind immediately.
For example, what happens if an employee puts corporate data into a non-corporate-supported location (like Dropbox)? Then if there's a security breach, how should the company respond? A lot of companies take a position like "Our company policy is that sensitive corporate data cannot be stored on personal devices." So if an employee does that, they will be fired.
Okay fine, so you fire the employee. But that doesn't help the company's cause. Firing that employee doesn't "un-lose" the data for the company. It would have been better if the data loss had been prevented in the first place.
The other issue is that most employees probably don't even know that storing company data in non-company locations is against the rules. That "company policy" that HR departments always talk about... where is it? Is this something that the employee signed five years ago on their first day of work when they were excited about their new job and had fifty other papers to sign? Do you really think that any employee remembers that? And what exactly did they sign? Was it something generic that says the employee will "adhere to prudent data protection standards?" What the F does that mean, and how does a random end user know that means they shouldn't save the finance pivot table in Dropbox?
Maybe it’s time to simplify the employee policies around IT assets. Take a cue from the credit card industry in the US where new regulations require that they provide simpler "plain English" monthly statements to their cardholders. Perhaps HR can develop new policies that explain the importance of data protection in clear terms, like, "If you have data in Dropbox and you lose your laptop, anyone who finds it can access those files." (We should probably also let users know that if they lose their laptop, anyone who finds it can access anything. That logon password doesn't scramble the files.)
Unfortunately just based on my limited experience talking to HR, it seems that HR departments are just as clueless about consumerization as IT departments are. (A lot of this is probably because HR people are not as technical as IT people, and the HR people don't even know what's possible or what the risks are.)
So I guess we have a long way to go... Just something else to think about though.
I agree that this is a problem, but for the most part it's one that we've had for years. We're talking about it now because the potential for disaster grows with the consumerization trend.
I think the biggest problem is that many organizations have a policy just for the sake of having a policy. When I started my last "real job," it was just before SOX was about to kick in, and we had to come up with policies. They tasked me on day 1 to come up with SOX policies for everything Microsoft server-related. I asked what the existing corporate policies were, who makes the ultimate decision, etc... The answer was something along the lines of: "Just make a policy...any policy...we just have to have a policy."
I asked if my policy could be "that we have no policy." They said no. I guess "any policy" was a bit of a stretch.
I'd imagine that, even with tons of effort behind these policies, they're all just formalities that exist because they have to (although, it allows the company to go after the person that violated the policy beyond just firing them). Changing them won't amount to a hill of beans in the grand scheme.