For information technology (IT) security managers, bring your own device (BYOD) is a four-letter acronym guaranteed to strike fear into their hearts by conjuring up visions of a data proliferation doomsday, but it doesn’t have to be that way. There is a way to create business benefits through the use of individuals’ devices while still maintaining control over data and reducing security and privacy risk.

The risks posed by employee devices with ever-increasing capabilities, such as tablet PCs and smartphones, are hardly new. Financial firms and other highly regulated industries, with a duty to protect sensitive customer data, have been concerned about this for years, and many firms have BYOD policies in place to control the risk of data proliferation. However, to be truly successful in this effort, organizations need to do more: They need to design and implement a BYOD strategy that aligns with the organization’s IT objectives and business operations. To date, few organizations have embraced this next step.

A new Protiviti point of view paper, Strategic Bring Your Own Device: Implementing an Effective Program to Create Business Benefits While Reducing Risk, sets out clearly what the challenges are and explains how a BYOD program and strategy can help firms solve those challenges and seize those all-important benefits of BYOD.

I want to highlight just a few important points here on the challenges of a BYOD program and how firms can seize those all-important benefits of BYOD:

There are major advantages and important risks of BYOD: The benefits include employee satisfaction and retention of talent, increased productivity and innovations, as well as cost savings for the firm. The risk of data loss and data exposure, however, is vastly increased with BYOD since basic security controls no longer apply.

BYOD programs can have hidden IT costs when they are not coupled with the right IT infrastructure: A BYOD environment can require additional IT resources to manage and accommodate the wide range of device types. Organizations need to choose the right governance and support models to control these hidden costs prior to implementation—streamlining the enrollment and deprovisioning processes is one way to do that.

BYOD strategies are highly specific to each firm: They all start with an assessment of the company’s unique business needs and IT infrastructures—there is no such thing as a one-size-fits-all BYOD plan.

There are several approaches firms can take to creating a BYOD strategy: Choose your own device (CYOD) is an option that is gaining traction among businesses as a less risky alternative to BYOD. In this option, the employer owns the device as well as the application licenses.

There is no doubt that BYOD risk to organizations is only going to increase in the future as more employees make use of more than one device and as devices continue to get smarter and more powerful. For this reason, forward-thinking IT departments must ensure they develop a robust and efficient BYOD program that fits with the risk profile of their organizations, if they are to save themselves a potential BYOD nightmare.

Does your organization have an aligned BYOD strategy? I would love to read about it in the comments.

This post was published originally on The Protiviti View by Protiviti Inc. Copyright 2015. Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit (

Jeff Sanchez is a managing director in Protiviti’s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen’s technology risk consulting practice. He has vast experience in industries like consumer products, retail and hospitality.