It's easy to get caught up in the technical minutiae brought about by the consumerization of IT. (After all, that's what this whole site is about!) But the growing consumerization trend also has a profound impact on the business side of things, with many thorny legal, policy, and compliance issues to deal with. And as scary as it sounds, fully embracing the consumerization of IT means that you're going to have to get your HR department involved!
All this is based around the fact that today's company policies were written for a world before consumerization. There are several examples that come to mind immediately.
For example, what happens if an employee puts corporate data into a non-corporate-supported location (like Dropbox)? Then if there's a security breach, how should the company respond? A lot of companies take a position like "Our company policy is that sensitive corporate data cannot be stored on personal devices." So if an employee does that, they will be fired.
Okay fine, so you fire the employee. But that doesn't help the company's cause. Firing that employee doesn't "un-lose" the data for the company. It would have been better if the data loss had been prevented in the first place.
The other issue is that most employees probably don't even know that storing company data in non-company locations is against the rules. That "company policy" that HR departments always talk about... where is it? Is this something that the employee signed five years ago on their first day of work when they were excited about their new job and had fifty other papers to sign? Do you really think that any employee remembers that? And what exactly did they sign? Was it something generic that says the employee will "adhere to prudent data protection standards?" What the F does that mean, and how does a random end user know that means they shouldn't save the finance pivot table in Dropbox?
Maybe it’s time to simplify the employee policies around IT assets. Take a cue from the credit card industry in the US where new regulations require that they provide simpler "plain English" monthly statements to their cardholders. Perhaps HR can develop new policies that explain the importance of data protection in clear terms, like, "If you have data in Dropbox and you lose your laptop, anyone who finds it can access those files." (We should probably also let users know that if they lose their laptop, anyone who finds it can access anything. That logon password doesn't scramble the files.)
Unfortunately, just based on my limited experience talking to HR, it seems that HR departments are just as clueless about consumerization as IT departments are. (A lot of this is probably because HR people are not as technical as IT people, and the HR people don't even know what's possible or what the risks are.)
So I guess we have a long way to go... Just something else to think about though.