This necessary change in security thinking doesn't mean allowing a free-for-all. What it does mean is focusing on what you are really trying to protect -- the data -- instead of the endpoint. The security policies relate to the data, which largely takes the endpoint out of the control equation, at least as far as IT is concerned.
I say "largely" because there are some features on mobile devices that can't be controlled via policies, or at least can't be guaranteed to be controlled. For example, most mobile devices come with cameras, which means they could photograph sensitive information and never be detected doing so. (Ironically, although IT can shut off the cameras in iPhones and BlackBerrys, that control applies only to the devices that have registered with IT on the network; IT could conceivably turn off employees' cameras but not visitors'.) In a case like that, telling people to leave their devices at the door while in sensitive areas remains a legitimate "endpoint control" strategy, though it is also a data control strategy. Part of the permissions to access that physical location includes not having devices with you, just as it usually requires being accompanied by a chaperone or having the appropriate keycard to enter.
For those who have trouble with this concept, let me ask: In the four years since the iPhone debuted and in the decade since the original iPod premiered and digital cameras became commonplace, how many security breaches have been attributed to their use? I can't think of any. Can you? Laptops, email, and CDs seem to be where most of the reported breaches occur, as well as through inside jobs and "advanced persistent threat" attacks -- not iPhones, iPads, and the like.
When you turn the fear into love
Those organizations that have given up on the endpoint control paradigm all tell me a similar story: IT is freed from a lot of busywork, employees are happier, and costs go down. Often, people are more creative because they're not focused on evading hurdles but taking advantage of capabilities.
When IT allows device heterogeneity, it enters into a different compact with employees. Usually it works like this: The company issues Windows PCs as standard equipment and, for certain positions, BlackBerrys, iPads, and/or iPhones. In government, Windows Mobile devices may still be in the mix as well. Employees can bring their own PCs, including Macs, and their own smartphones and tablets. They can run their own software, as well as get reimbursement for company-preferred or standard software. But they're responsible for their own tech support and for ensuring whatever they bring in supports the IT security policies.
As long as those policies aren't secretly designed to force the use of certain products but instead address legitimate security requirements (such as on-device encryption, certificate-based authentication, or expiring passwords), this works. Even with thousands of users, IT finds itself doing a lot less endpoint troubleshooting and worrying about standard images and the like. It also doesn't worry about the logistics of ordering and stocking the nondefault devices, which often end up comprising half or more of the devices in use.