As personal devices, cloud computing and user-space applications have become steadily more mainstream, your organization may have noticed a need for measures of control over employee devices entering your workspace and network. But the consumerization of IT should be viewed as a trend that provides you boundless business opportunities, rather than one that's going to limit your productivity or undermine your security efforts.
How can you capitalize on this ongoing trend while still minimizing your risk?
Consumerization of IT and Your Organization's Success
As described by Daniel Burrus for CIO, "consumerization is driven by the end user who is taking technology innovation into their own hands, outside of the influence of the IT organization, and buying their own devices, procuring their own service subscriptions, installing their own applications, and finding creative ways to connect to the corporate network — all without your approval or knowledge."
Where are the opportunities here?
Writes Burrus, "You just have to take the time to see the business case. The fact is that smartphones, tablets, cloud computing, and social media are powerful tools that have a business use."
Consider the benefits, for example, of creating a BYOD policy based on the fact that your employees already own devices and want the flexibility that using those devices for work can provide.
If you have limited time to manage hardware devices, and want to reduce the amount you spend on assets that depreciate, allowing your employees to provide their own laptops, phones and tablets is a reasonable consideration. You'll benefit from reduced cost and time spent managing the hardware, and they'll benefit from gained flexibility and mobility. You might also see an increase in productivity from workers who choose to work off-hours.
Of course, you'll need to put policies in place in order for your organization to realize those benefits.
Minimizing Risk Using Policy
When you're attempting to mitigate risk, your first order of business is understanding the risk.
Says Jennifer Allen, Red Team manager at Twinstate, "If you can’t predictably determine the environment created by introducing these devices, you'll have a difficult time identifying the resource needs, throughput, productivity requirements, and security concerns of the combined environment."
Because you can't possibly determine how all of that will pan out unless you institute policies, that's where you'll need to start.
"It comes down to solid planning," Allen says. "It has to be planned with the executive team; the people making the decisions on what kind of budget will be allowed to address this; those employees in compliance and finance departments who help identify organizational requirements; and teams doing operational tasks, who are asking about things like what would happen if an employee were locked out of your tools on their device when that employee is on a field call."
Crafting Your Policy for Security
In order to create a measure of control, consider just how rigid you want to be with your policy and whether or not employees will somehow be incentivized to follow it. You have a multitude of options, says Allen.
"You could institute mechanisms within the IT environment to require technology the individual provides to be up to a certain standard in order to use the network. You could institute policies about reimbursement that mean an employee with a device not up to spec might not be reimbursed for its use."
You could also define a probationary period. If a new employee or new device comes onto your network, you might create a milestone or gate they have to pass before they can use the device in your environment. It helps to have some fail-safes that are institutional (access, device functionality, job requirements, etc.) rather than just best practices.
However you craft the policy, its success goes back to organizational planning. You'll need to identify the layout of your network, the intended organizational structure (who is responsible for which components) and your communication plan — and make sure the measures you'll take to support productivity and provide the right resources for success are considered, decided upon and well documented.
Getting Employees on Board
Your employees probably already have their own devices, but if you're ready to implement BYOD, you also have to get them on board with minimizing security risks, and that happens through education.
"Education makes a difference," says Allen. "Well-educated employees get it. They tend to be far more compliant and understand why they need to work within certain constraints. Providing good education makes a difference in an employee's own compliance and in their willingness to act as an evangelist, helping others comply, too."
Originally published on 08/09/2016