These CIOs also make it clear that if an employee wants to purchase a non-IT-approved device, they’re on their own if it breaks or fails to work the way they want it to. That’s part of the enforcement function. But that’s not to say that, once a CIO makes a decision on a standard, nothing can change. “If there’s a new need for a product set, we’ll jump on it,” TI’s Bonner says. “Being a high-technology company, we have a lot of savvy users, and we try to run faster than them.”

Running faster also means keeping pace with the security functions that should be on the devices. One of the most critical functions is being able to wipe a device remotely if it’s lost or stolen. According to the Burton Group report, all data can be removed from a handheld device, such as a BlackBerry, by doing a hard reset. For a remote wipe, an administrator sends a command to the device to perform a hard reset, or the administrator can set a policy that a hard reset will occur after a specified number of failed attempts at logging on.

Other risk considerations for CIOs include making sure that basic power-on passwords are on the devices, encrypting wireless transmissions that contain sensitive corporate information, and ensuring that employee devices don’t have cameras on them that they can bring into the office. The camera phone is the CIO’s latest bane. Do you want customer service people taking photos of customer information? Bonner doesn’t want employees taking snapshots of new design work. His policy is simple: “You can’t have that,” so phones need to be shut off when an employee enters the office.

Security and Enforcement

How much training CIOs should do is dependent on how technically proficient their workforce is. For TI’s Bonner, making his users sit through two hours of how to operate their new cell phone or smart phone would be a waste of time, not to mention insulting. Novak’s lawyers simply won’t make the time.

In organizations where users may not be quite so sophisticated (or difficult), CIOs should offer as much training as the user base needs. “Training costs time on the front end, but it really saves a lot of time on the back end because you don’t have 25 people asking questions later, one by one,” Ovum’s Entner says.

CIOs have to ensure that users know how important it is that they follow security guidelines—regardless of their computer proficiency. “You don’t raise your children by yelling at them constantly,” says Accenture’s LeVine. “You explain to them, If you use this device in a compromised way, you may sink the firm and lose your job and your retirement.” That’s not hyperbole, LeVine says, just reality.