Key Points
- Mobile Risk Increasingly Centers on Data Exposure: The biggest threats today involve how information is accessed, shared, and lost, not how devices are used.
- Full Device Control Isn’t Always Appropriate: Personal and mixed-use devices make blanket device lockdowns impractical and unpopular.
- Information-centric Controls Protect Data Anywhere: The focus shifts to securing information regardless of who owns the device.
- This Shift Changes Governance and Trust Dynamics: Responsibility, privacy expectations, and enforcement models all evolve.
- Success Depends on User Alignment: Strategies work best when data protection goals match how users actually work.
Everyone and their grandparents have a phone today. That seems normal now, but it wasn’t so only a few years ago. Using personal phones for work at scale only really took off once hybrid work became the norm. Before that shift, traditional mobile security models were built around controlling the device, on the assumption that the organization owned both the hardware and the risk. (We cover this in more detail in Hybrid Work Expectations vs. IT Reality: New Report Shares Stark Findings.)
With BYOD policies continuously evolving, that assumption is no longer accurate or realistic for modern MSPs and the organizations they support. As ownership and usage patterns change, locking down the device is no longer always the right answer. The result is a gradual shift toward mobile information governance strategies, which prioritize protecting the data that actually matters, wherever it lives.
Why device-centric control breaks down
Full device control works best when the organization owns the hardware and dictates how it is used. That makes sense: you can only control what you own.
And yet we only need to look at modern companies to see where the cracks began. Personally owned devices introduced privacy concerns, because users did not want their employer managing their photos, messages, or personal apps. Mixed-use devices blurred the boundary further and made it difficult, if not impossible, to enforce strict controls without hurting everyday usability. On top of that, regional laws and regulations can limit what organizations are allowed to monitor or manage on personal endpoints. (See A Comprehensive Guide to Customer Data Protection for a more in-depth discussion.)
In these scenarios, device-level enforcement often creates friction. Users resist it, adoption drops, and IT teams spend more time managing complaints than reducing real risk.
Information as the true risk surface
When mobile incidents occur, the damage is rarely caused by the device itself (although it does happen). It is almost always tied to what happens to the data the device held or could reach. Our IT Horror Stories series shows how many companies have learned this the hard way.
Sensitive or personally identifiable information may be accessed by the wrong app, shared through unsecured channels, sold on the dark web, or lost when a device changes hands. These risks exist whether the device is tightly locked down or lightly managed. Focusing on information rather than hardware addresses the root problem instead of the symptoms.
By protecting how data is accessed, stored, and shared, organizations can reduce exposure even when they don’t fully control the endpoint.
What information-centric governance emphasizes
Modern mobile information management calls for more robust data governance. Rather than controlling the device itself, IT leaders govern how business data is accessed, stored, and shared. The goal is to reduce risk without taking over the entire device.
- Protecting work data instead of the whole device: Policies are applied to business information itself, such as corporate files, emails, or apps. This allows organizations to secure what matters without touching personal data.
- Controlling how data is accessed: Rules define who can open work data, under what conditions, and from which apps. This helps prevent unauthorized access even if the device itself isn’t tightly locked down.
- Limiting how data is shared or copied: Information-centric controls can restrict actions like copying data into personal apps or sharing it through unsecured channels. This reduces accidental leakage without blocking normal device use.
- Separating work and personal content: Business data stays inside defined boundaries, while personal content remains private. This separation is key for maintaining user trust, especially on personally owned devices.
- Applying policies consistently across devices: Because controls follow the data, the same rules can apply whether the user is on a phone, tablet, or another endpoint. This makes governance more predictable and easier to manage.
- Shifting responsibility to governance, not lockouts: Security becomes about clear rules, ownership, and data lifecycle management rather than hard technical restrictions. Teams focus more on defining what should happen than on forcing what users can’t do.
This approach doesn’t remove the need for device management, but it changes the balance. The device becomes the container, while the data becomes the priority.
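To make the list above concrete, here is a small policy evaluator that decides on the data rather than the device. It is an added illustration, not code from this article or from any particular mobile application management product. Everything in it is assumed for the example: a four-level sensitivity label, two roles with a hypothetical ceiling, a flag marking whether the requesting app lives inside the work container, and made-up app names. Notice that the rules never ask what kind of device or whose device is making the request; that is the sense in which the controls follow the data. Device health enters only as one condition among others, which is the balance the paragraph above describes.

```python
"""Information-centric access policy: decisions are made on the data's label,
the requesting app, the user's role and the action, not on who owns the
device. Added example with hypothetical labels, roles and app names."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Label(IntEnum):
    """Sensitivity label carried by the data item (assumed four-level scheme)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Highest label each role may open (hypothetical values for the example).
ROLE_CEILING = {"employee": Label.RESTRICTED, "contractor": Label.INTERNAL}

# Actions a governed app can perform on a data item.
ACTIONS = {"open", "share", "copy_out"}  # copy_out = paste into a personal app


@dataclass(frozen=True)
class Request:
    user_role: str
    app: str                # app asking to act on the data
    app_managed: bool       # True if the app lives inside the work container
    action: str
    label: Label
    device_compliant: bool  # passcode set, encryption on, OS patched, etc.
    channel_encrypted: bool = True  # for "share": is the transport encrypted?


def evaluate(req: Request) -> tuple[str, str]:
    """Return (decision, reason). Rules are ordered; the first match wins.

    Nothing here inspects the device model, owner or personal apps: the same
    rules apply on a phone, tablet or laptop because they bind to the data.
    """
    if req.action not in ACTIONS:
        return "deny", f"unknown action {req.action!r}"

    # 1. Public data is not governed; personal apps may use it freely.
    if req.label == Label.PUBLIC:
        return "allow", "public data is not governed"

    # 2. Governed data is only reachable from apps inside the work container.
    if not req.app_managed:
        return "deny", f"{req.app} is a personal app; governed data stays in the work container"

    # 3. Role ceiling: an unknown role is capped at PUBLIC, so it sees nothing governed.
    ceiling = ROLE_CEILING.get(req.user_role, Label.PUBLIC)
    if req.label > ceiling:
        return "deny", f"role {req.user_role!r} is capped at {ceiling.name}"

    # 4. Device health still matters for the more sensitive labels.
    if req.label >= Label.CONFIDENTIAL and not req.device_compliant:
        return "deny", "non-compliant device may not handle CONFIDENTIAL or higher"

    # 5. Copying governed data out of the work container is always blocked.
    if req.action == "copy_out":
        return "deny", "copy into personal apps is blocked for governed data"

    # 6. Sharing: RESTRICTED never leaves; other labels need an encrypted channel.
    if req.action == "share":
        if req.label == Label.RESTRICTED:
            return "deny", "RESTRICTED data may not be shared externally"
        if not req.channel_encrypted:
            return "deny", "share over an unencrypted channel is blocked"

    return "allow", "all rules satisfied"


# Constructed scenarios (not real telemetry) exercising each rule.
SCENARIOS = {
    "employee opens confidential file in managed mail app":
        Request("employee", "WorkMail", True, "open", Label.CONFIDENTIAL, True),
    "same file opened from a personal chat app":
        Request("employee", "PersonalChat", False, "open", Label.CONFIDENTIAL, True),
    "contractor opens confidential file":
        Request("contractor", "WorkMail", True, "open", Label.CONFIDENTIAL, True),
    "employee pastes internal text into personal notes":
        Request("employee", "WorkDocs", True, "copy_out", Label.INTERNAL, True),
    "employee on non-compliant device opens restricted data":
        Request("employee", "WorkDocs", True, "open", Label.RESTRICTED, False),
    "personal app opens public brochure":
        Request("employee", "PersonalBrowser", False, "open", Label.PUBLIC, True),
    "employee shares internal doc over plain channel":
        Request("employee", "WorkDocs", True, "share", Label.INTERNAL, True, channel_encrypted=False),
}


def run_scenarios() -> dict[str, str]:
    """Evaluate every constructed scenario and return name -> decision."""
    return {name: evaluate(req)[0] for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        decision, reason = evaluate(req)
        print(f"{decision:5}  {name}: {reason}")
```

The rule order is the design choice worth noticing: the work-container check comes before the role check, so a personal app is refused without ever learning what role or label was involved, and the device-compliance rule sits in the middle rather than at the front, which is the "device as container, data as priority" balance. Rules 5 and 6 are where the "limiting how data is shared or copied" bullet lives; in a real deployment they would map to the clipboard, share-sheet and save-as restrictions an app protection policy exposes.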
Trust, privacy, and user experience considerations
Information-centric strategies only work when users understand them. In an effective data-centric model, everyone involved knows what is being protected and which data is being monitored.
To get there, your IT organization has to communicate clearly about trust, privacy, and user experience. Users need to know which data is governed, why it matters, and what the organization can and cannot see. When personal content is genuinely left alone and policies behave consistently, users are far more likely to cooperate.
Poor communication, on the other hand, can undermine even the best technical controls and lead to shadow IT or policy avoidance.
When information-centric approaches are appropriate
To be clear: information-centric approaches are not always appropriate. Companies with strict rules on the hardware their employees may use are one case, for example in highly regulated industries where personal devices are strongly discouraged for business-critical data. Single-purpose devices such as a POS terminal or a kiosk are another: there is no personal content to protect, and you need complete control over the device.
That said, these strategies are highly popular in environments where device ownership and usage are mixed. They are especially effective when:
- Employees use personal devices for work (BYOD): When users own their phones or tablets, full device control often isn’t acceptable. Protecting work data instead allows organizations to reduce risk without invading personal privacy.
- Contractors or temporary workers need access: External users often require limited access to specific information. Data-focused controls make it easier to grant access without handing over broad device permissions.
- Work and personal use are closely blended: Many users switch between personal and work apps throughout the day. Information-centric controls allow this flexibility while still protecting sensitive business data.
- Data sensitivity varies by role: Not every user needs access to the same level of information. Governance rules can adapt based on role, context, or risk instead of treating every device the same.
The key takeaway is that no single strategy fits every situation. The most effective mobile device security programs match the approach to the ownership model, user expectations, and real-world risk, rather than forcing one control model everywhere.
Common governance pitfalls
Because these strategies depend so heavily on your use case, it can be hard to decide which ones fit your needs. Shifting strategies can also introduce new challenges if not handled carefully.
Some common challenges organizations run into include:
- Assuming information controls eliminate all device risk: Protecting data is critical, but devices still matter. If teams ignore device health, access paths, or basic security hygiene, blind spots can form even with strong data controls in place.
- Unclear responsibility for data ownership and lifecycle: When it’s not clear who owns business data, who can approve access, or who is responsible for cleanup and revocation, enforcement becomes inconsistent. This often leads to gaps between policy and reality.
- Overpromising privacy protections: Telling users that personal data is untouched only works if policies behave exactly that way. If controls feel invasive or unpredictable, you run the risk of losing employee trust quite fast.
- Treating the shift as purely technical: Changing strategy requires updated policies, clear communication, and agreement between IT, security, and the business on how data should be handled.
In practice, information governance succeeds or fails based on people and process as much as technology. Clear expectations, shared responsibility, and honest communication matter just as much as the controls themselves.
Maintaining proper mobile information management
As mobile environments continue to evolve, many organizations are moving away from full device control and toward protecting information itself. This shift reflects changes in ownership, privacy expectations, and real-world risk. Understanding why this transition is happening helps teams choose security strategies that are practical, trusted, and aligned with how people actually work.