"We have to quickly evaluate, assess and prioritize where we want to make our investments," adds Spicer. "We're not going to chase every shiny new toy that comes along. We make decisions about where we want to spend our time and energy. Making sure that we're not chasing every rabbit is one of the ways we approach [the mobility] space."
To do this, Spicer's team leverages capabilities across the enterprise, including competency centers in information security and networking. Wells Fargo also has a product management group that, Spicer says, is responsible for "keeping their eyes on the horizon and evaluating opportunities as they come down the pike."
In addition, says Spicer: "We have groups focused on enabling mobility for end customers, and they have a different set of dynamics in which they operate. From an internal perspective, there's always some crossover between the two.
"We also have an information security organization we partner with that provides policies and governance guidelines that center on how we deploy devices. The main question is always: 'Does it provide business value?'"
Policies are key, notes Chubb's Garvey, who emphasizes that critical ground rules need to be set. "As smartphones become more pervasive, it's important that companies get out in front and establish guidelines in terms of what kind of information is going to be put on those devices and how you'll protect it," he advises. "For example, information needs to be encrypted. We're not going to push information to the device unless we're sure that encryption can be done."
Garvey notes that while the mobile devices themselves don't meet the company's encryption needs in all cases, "There are third-party products that can encrypt our information to [meet] encryption standards we find acceptable."
He notes that even as third parties are stepping in to offer that level of enterprise functionality, "We're also putting pressure on hardware manufacturers, such as Apple, to provide enterprise functionality and security that is more robust."
Garvey says that for an employee-liable model to work, it's essential that end users agree to the company's rules. For example, he says, employees need to be aware that, "if your device is lost or stolen, you need to report it to the help desk. We may choose to wipe company information or wipe the entire device."
KLA-Tencor's Ballal says making the employee-liable model work successfully is all about striking the right balance. "You can lock down everything and scare everyone and say it's security-related, or you can make your people more productive and competitive and win in business," he says. "Which one would you choose?"