3. Map information access to roles
Too many organizations have a willy-nilly sprawl of information resources, then wonder why data leaks. In the case of consumerization, that tends to drive IT to the endpoint as the security target, rather than the data source.
We should have learned a decade ago when all those lost tapes and CDs with Social Security numbers drove California and then most states to impose penalties on loss of personally identifiable information (PII): Don't give users access to sensitive information they don't need. Back then, it was routine to leave credit card numbers on receipts and Social Security numbers in patient records; a lost file or CD or thumb drive became a huge privacy breach. Fewer companies now make such data available to staff; they remove it from the reports that employees legitimately need to run.
The same principle should be used for all information access: Don't give people access to sensitive information they don't need. That way, they can't lose or abuse it from any endpoint. Educate, warn, then punish those who make repeated mistakes, to create a culture of accountability -- management is about people, not technology.
The real challenge is the level of trust you afford employees based on their roles; if you trust too little, they can do less good, not just less bad. For example, disabling access to email attachments protects documents but makes it impossible to work in the field. But if you architect information access around trust levels per role, you don't have to get caught in the hopeless exercise of trying to secure every bit of information that finds its way onto iPhones, Androids, home Macs, home PCs, iCloud, Dropbox, printouts, USB drives, or whatever, nor worry about what apps they're using or even if they have a Trojan. The horse is long out of the barn at that point.
Yes, there may be some information that should be accessed only in a secure location -- in the corporate office on a secured PC. Maybe it's not even digital data, so it can't be easily transmitted -- the secret Coca-Cola recipe, for example. There may be a bit more that should be read-only outside of known endpoints. But most information should be presumed to be handled properly by an educated workforce given access to it. At the end of the day, it's no different than the age-old approach of having unlocked file cabinets in the halls for most files, along with a few locked ones guarded by a secretary or librarian.
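As an added illustration (not from the original article), here is one way to enforce that tiering at the data source instead of on the endpoint. The roles, field names, and tier assignments are hypothetical, and the sample record is constructed.

```python
from enum import Enum

class Access(Enum):
    DENY = 0
    READ = 1
    READ_WRITE = 2

# Hypothetical mapping: the fields each role legitimately needs. Default is deny.
ROLE_FIELDS = {
    "billing_clerk": {"patient_id", "name", "invoice_total", "card_last4"},
    "field_nurse": {"patient_id", "name", "diagnosis"},
    "records_admin": {"patient_id", "name", "diagnosis", "ssn"},
}
# Hypothetical handling tiers, mirroring the "locked cabinet" cases above.
SECURE_LOCATION_ONLY = {"ssn"}          # only on a secured PC in the office
READ_ONLY_OFF_KNOWN = {"diagnosis"}     # read-only outside known endpoints

def field_access(role, field, known_endpoint, secure_location):
    """Decide access to one field from the role and the request context."""
    if field not in ROLE_FIELDS.get(role, set()):
        return Access.DENY              # role has no need for this field
    if field in SECURE_LOCATION_ONLY and not secure_location:
        return Access.DENY              # never leaves the secure location
    if field in READ_ONLY_OFF_KNOWN and not known_endpoint:
        return Access.READ              # viewable, not editable, off-site
    return Access.READ_WRITE            # the "unlocked cabinet" default

def build_report(role, records, known_endpoint=False, secure_location=False):
    """Strip every field the role may not see before data leaves the source."""
    return [
        {k: v for k, v in rec.items()
         if field_access(role, k, known_endpoint, secure_location)
         is not Access.DENY}
        for rec in records
    ]

# Constructed sample record, not real data.
SAMPLE = [{"patient_id": 1, "name": "A. Example", "diagnosis": "flu",
           "ssn": "000-00-0000", "invoice_total": 120.0, "card_last4": "4242"}]

if __name__ == "__main__":
    print(build_report("billing_clerk", SAMPLE))
    print(build_report("records_admin", SAMPLE))
    print(build_report("records_admin", SAMPLE, True, True))
```

Because the filter runs before the report is generated, a lost phone or thumb drive holding a billing clerk's report never contained the Social Security number in the first place.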
If you need to create "safe rooms" or locked file cabinets in the digital age, plenty of technologies are available to do so: S/MIME for email (supported by iOS and OS X, as well as Windows and BlackBerry), corporate-managed editions of mobile apps such as Quickoffice, and a variety of tools that create safe zones on mobile devices or within custom mobile apps. And don't forget encryption: It's on by default in iOS, and it's built in but disabled by default on Motorola Android devices, many Samsung Android devices, OS X Lion and Mountain Lion, and Windows Vista, 7, and 8. Windows Phone 8 is promised to support encryption later this year. Ironically, Exchange can't force encryption to be on for OS X or Windows to grant user access, as it can for iOS or Android, but Centrify, Symantec, Microsoft (for Windows only), and Apple (for OS X only) all have tools that can do so.
4. Encourage experimentation
The beauty of consumerization is that it turns users into part of IT, as technology explorers and evaluators. Users will find the tools that help them work better -- they know their jobs' realities better than IT does. IT should take advantage of that by partnering with users, not trying to tell them what they need or how they should work.
These users will also find the holes in your management and security strategies. An employee who bypasses a management tool is a great resource to understand not only the how but the why, which can lead to a rethink of the underlying assumptions and inform the go-forward strategy. Alternatively, it can lead simply to a gap being filled, if the underlying rationale for that control still holds true.
IT can also take advantage of tech-savvy users by turning them into a support resource. After all, employees who choose to use specific technology did so for a reason and can teach both the benefits and the practical usage techniques to similarly minded colleagues.