If CIOs can maintain a visible and enforceable policy, and involve users in the process from start to finish, then the security of the devices will almost take care of itself. “At least 70 to 80 percent of adherence to corporate security policies is self-enforced by the people,” says Roger Entner, vice president of wireless telecom company Ovum. “If they have a positive attitude, you will have much more cooperation [with security].”

What follow are lessons from CIOs in four industries that cover the entire lifecycle of mobile and wireless devices. Through some preplanning, risk management and training, they’ve gained a measure of control over mobile devices while still allowing their employees enough flexibility to get their jobs done. “Our challenge is to support multiple devices with multiple operating systems and capabilities so [that our users] are not constrained by the device,” says Steve Novak, CIO of law firm Kirkland & Ellis.

Which sounds like a goal to which every CIO can subscribe.

Do the Cost-Benefit Analysis

When CIOs begin evaluating a mobile and wireless device, they must first ask themselves, Is there a business need?

“You have to look at the benefit of what that person can get with the tool versus the added overhead cost of accommodating the tool,” says Brian Bonner, CIO of Texas Instruments (TI). Bonner and TI take a pretty hard line on adhering to their mobile device standards. TI’s users know that if a new toy doesn’t correlate to TI’s customer base or products, or if it creates an unnecessary risk, then Bonner isn’t going to go for it. “It has to relate to how we serve a customer better or get a product to market quicker,” he says.

So if the cost of the device, or the risk it generates, doesn’t equal the business benefit, CIOs should just say no.

“It’s no different than use of desktop PCs or laptops,” says Eric Maiwald, a senior analyst for Burton Group who published an extensive report in March on handheld device security. “CIOs should use those same requirements and analyses with handhelds.” In the Burton Group report, Maiwald points out that handheld devices are expensive for companies, both in terms of the direct cost of the devices as well as the added costs of protective mechanisms, such as encryption and authentication features, to secure them. “The use of handheld devices may increase employee productivity, but it may also increase the risk to the organization,” he says.