
In an information technology executive’s ideal world, a company’s network environment would be as sterile as an operating room. Access to equipment would be tightly controlled and any person coming in to use it would be required to submit to the IT equivalent of a surgical scrub-down.

This would go a long way toward keeping systems secure and functioning. But in reality, it’s simply not feasible. Why? Because in the real world, a business network environment tends to look less like an operating room than a bus station. In addition to employees logging into the system on approved devices, IT managers have to expect those same employees to want to log in with their own smart phones, tablets and laptops. Add to that the need for guests — contractors, clients and others working temporarily onsite — and suddenly that dream of a sterile system seems far away indeed.

In my experience, IT systems managers typically face a choice. They can do their best to keep everything except company-owned devices off the network, or they can embrace the new Bring Your Own Device (BYOD) ethos that many companies increasingly accept as inevitable.

The first option may seem tempting, but it’s a losing game. Employees’ smart phones and iPads are ever-more important tools for both personal and professional productivity. Barring them from the work environment is bad for morale and, frankly, bad for your IT system. The truth is people are going to bring these devices to work, and when they do, they will want them on the network. If you don’t give them a safe and secure way to connect, they will inevitably try to find their own way in — possibly through work-arounds that create new problems for the system.

The smart IT executive must learn to embrace the BYOD concept and create policies that allow workers the flexibility they need while maintaining a stable and secure network environment.

While not an exhaustive list, here are a few key issues that should be top of mind for anyone considering a BYOD system in the workplace:

● Welcome personal devices, but make sure you know what they are and how they will be supported.

Employees should be given clear guidelines on which devices are allowed to access the enterprise network. In some cases, clients of mine have found it useful to give employees a personal technology budget.

Those companies let employees choose between a company-issued device and, say, $1,500 to spend on an alternative of their choice. Those alternative devices, of course, must meet certain standards, but the budget gives the employee some flexibility if they want to use something different from the company’s standard-issue machine. It also means that the company might benefit from improved technology when employees opt for more sophisticated equipment, covering any additional cost out of their own pockets.

Such a system, however, must include a requirement that employees obtain hardware support for their device, as no corporate IT department can expect to be able to service a wide range of devices.

● Create a segmented network for personal devices.

Many companies already have dual networks in place — one for internal use and one for guests and contractors who need short-term or limited access. One way to make the introduction of a BYOD policy less stressful for the IT department is to create a separate virtual network for those devices.

This has several advantages. It restricts the ability of personal devices to access the most sensitive elements of a system, and it allows the company to decide how much of its bandwidth it wants to allocate to such devices.

● Consider virtualizing key programs.

Security-conscious enterprises are increasingly adopting the idea that the most sensitive data in the system should never be stored on an individual user’s machine at all — whether that device is personal or company-owned. Every device where sensitive data resides is a potential vulnerability, so removing that information from all but highly secure servers, and having approved users interact with it only remotely, both creates a safer system and makes the introduction of a BYOD program less troubling.

With virtualized software, users log in to a system from their own device through an interface that lets them control the machine where the sensitive data is stored, but doesn’t allow that data to be transferred to, or saved on, the personal device.
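As an added example (not from the original article or from Force 3), here is an nftables ruleset for a Linux router that implements the two ideas above together: personal devices live on their own segment and can reach only the Internet and the remote-desktop broker through which the virtualized programs are used, never the servers holding sensitive data directly. The interface names, subnets and broker address are assumptions chosen for the illustration.

```nft
# Added example, not from the original article. Assumed interfaces on the router:
#   corp0 = company-owned devices   byod0 = employees' personal devices
#   srv0  = servers holding sensitive data (10.10.30.0/24, assumed)
#   wan0  = Internet uplink
# 10.10.30.5 (assumed) is the remote-desktop / virtualization broker; it is the
# only server the BYOD segment may reach, and only on TCP 443.
table inet byod_segmentation {
    set sensitive_servers {
        type ipv4_addr
        flags interval
        elements = { 10.10.30.0/24 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections the rules below already permitted.
        ct state established,related accept

        # Company-owned segment keeps its normal access to the server segment.
        iifname "corp0" oifname "srv0" accept

        # Personal devices get Internet access ...
        iifname "byod0" oifname "wan0" accept

        # ... plus the broker, so users work on data that stays server-side
        # instead of being copied down to the personal device.
        iifname "byod0" ip daddr 10.10.30.5 tcp dport 443 accept

        # Any other attempt from the BYOD segment toward sensitive servers is
        # logged for the security team and dropped (the chain policy would
        # drop it anyway; the explicit rule adds the log line).
        iifname "byod0" ip daddr @sensitive_servers log prefix "byod-to-srv-denied: " drop
    }
}
```

The bandwidth allocation the article mentions is handled outside the firewall ruleset (on Linux, with traffic-control queueing on the byod0 interface) and is not shown here.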

For IT executives, the bottom line is that within any enterprise, you most likely have a user base that wants to use personal technology on the job — some of whom are probably your best employees. To maintain a productive and secure workplace, you need to find ways to support them.

Your alternative, frankly, is a bunch of annoyed employees who will try to get their personal devices onto the network anyway, and may wind up breaking windows in the effort.

Better to let them in the front door.

Chris Knotts is vice president of technology and innovations at Force 3. The Crofton, Md.-based company is a provider of data center, communication and collaboration, borderless networks and cyber security services for federal agencies, enterprise organizations and their key partners.