Trust but verify... Policy only works when it's technically feasible, and vice versa.
I fully agree with Mark that both technology and policy matter and they matter very much; one without the other isn’t the most ideal state, nor is it particularly useful in isolation – a symbiotic relationship exists. I also agree with Mark that BYOD is incredibly complicated and implicative, so this is not a service area to be trifled with. But is one more important than the other to the question? I think so, and people will have differing opinions on the matter, and that is fine.
In the end state, users need to know what the rules and boundaries are in the form of a written, authoritative policy; they should not care what the technology is to support and enforce the policy. Focusing on the policy early in the service development lifecycle enables good decision-making; it helps lead the technology choices (I believe policy significantly defines the business, functional, technology and implementation principles of what is necessary in the solution and technology architecture and design (see template below and you may get what I mean – especially the implications)).
Each organization will draft their policy based on a multitude of factors. The policy or policies may lean toward the extreme (as below) or be very liberal and there is no such thing as one policy that fits all enterprises. Mark smartly mentions outbound risk (aka - outbound trade secret risk) when an employee leaves – that is a big one, and he mentions regulatory complications and there are so many others to consider it can be overwhelming. Bottom line, we must examine the full spectrum of elements which will guide the service development and for me, technology does not lead, it follows.
PRIVACY POLICY template CSL1:
ALL information on ALL corporate-owned and personally owned devices (computers, tablets, smartphones, dumbphones, datacards and all other communications and data devices known and yet to be discovered) - that is, any device under Corporate Sponsored or the Personal Bring Your Own program is subject to seizure (electronic and physical), review, audit, necessary business dissemination and archiving by CLIENT, including and without limitation to documents, emails, photographs, voice mails, messaging records such as MMS, IM and SMS, social networking and ALL phone records (known as “Personal Data”). CLIENT may and likely will, for the purposes of such legal need, perform audits and use software and other means to reroute transmissions through other systems including both incoming and outgoing calls to and from such devices used to access all data and information.
Employees will have NO expectation of privacy whatsoever with respect to CLIENT information or personal data (as defined below) on any corporate-sponsored or personally owned / managed devices accessing the CLIENT system, and NO expectation of privacy regarding any documents or communications or content that originated on or were sent to a corporate-sponsored or personal device accessing the CLIENT system. CLIENT does not guarantee the privacy of any electronic communications within or outside of CLIENT.
To be clear, both corporate-sponsored and personal devices will be seized and audited and, when necessary, “wiped” of any and all data, operating system software and applications by CLIENT or by a third party, resulting in setting the device back to factory defaults or rendering it in a forever unusable state. CLIENT shall not be liable for any personal expenses related to such data, software or application loss. CLIENT makes no promise that information wiped will be retrievable. By your signature below you are agreeing in full to giving up all rights, privileges and control over an authorized device or devices, and that the information contained on or transmitted by said device, be it corporate or personally owned, is the property of CLIENT.
I can't tell if my sarcasm meter is busted again or you're serious - however, while eye widening on the surface, it does completely and unequivocally address every single one of the concerns I raised - bravo!
Always serious, because this is a serious matter not to be trifled with right?
Both matter, however in the BYOD space it gets really complicated really quickly - what about the employee who leaves for a new job with sensitive LOB applications on their personal device? Of course you want to wipe them, but you also need to be sure you don't wipe the employee's mobile banking application - audit review and logging tools can become even more problematic in this space since the device is effectively serving multiple masters with equally legitimate but different policies - imagine the policies about company email interacting with implicit policies via HIPAA on the employee's emails to their doctor on the mobile device. (There are good tools out there for giving the devices schizoid characteristics, i.e. isolated business and personal aspects (policy :-) )
I look at technology as the enabling mechanism - it defines what is possible. Policy is externally defined and its realization is the conversion of 'what is possible' to 'what will happen' - I agree with a previous poster on technology's ability to automate policy. I think the deeper issue is that technology simply does things, policy decides what will be done, and when policy and technology are well meshed, things are automated because policy and technology are merged and the decision points are gone - for instance, there are many technologies for cryptography - policy should say which one is there - and then that's what gets used and there isn't an issue.
Ah, an interesting question indeed. Normally when responding to questions phrased like this I would make a statement like, “is any one thing really more important than another?” The answer to this question is a resounding YES and in my opinion there “is” a more important thing; POLICY.
People need to know what the rules and boundaries are in the form of a written, authoritative policy and once they have agreed to that policy we need to trust them. So from my perspective and the perspective from the lawyers and HR professionals I have engaged creating BYOD programs, policy always comes first and is more important.
I think of the Ronald Reagan phrase made famous when discussing US relations with Mikhail Gorbachev at the signing of the 1987 Intermediate Range Nuclear Forces Treaty (INF) – “TRUST, BUT VERIFY.” That is the answer to the above question; the trust part is having a written policy in place and trusting the participants to abide by it and verify is having the technology in place to audit and track compliance.
In the end we aren’t really managing mobile devices, are we? Isn’t it more accurate to say that we are managing a communications and collaboration mobility service? The policy is like the owner's manual for the service and the MDM technology is just a set of tools to make operations management easier. Put another way, we could have a mobility service without either policy or technology, but there is inherently more business risk if we have one without policy – technology is rarely “the most important thing.” Policy protects the business before something happens and gives it a defensible position after something happens.
Organizations that allow mobile devices, business-owned or personally owned, are at risk if they don’t have a corporate wireless usage policy at a minimum.
They both are and pretty equally I'd say. Technology doesn't mean all that much if the policies aren't both in place and in force to allow the technology to do its job. And all the strident, unified security policies in the world are ineffective if, for example, stolen or lost mobile devices cannot be rendered useless in real time. I think actually it is dangerous to think of these as anything but true partners in meeting the unique challenges of mobile security.
I'd go with policy, since technology changes far too quickly for management to keep up. Policies can be enforced via the cloud, letting employees pick the best technology they need to get their jobs done. That's the power of BYOD.
Technology matters most, because it automates enforcement. People do not have to follow policy (a soft control), and they often don't. Unfortunately, that technology and administration also bring new costs, but not as much as a breach! It's the only way to control mobility, especially BYOD, but really a host of mobile devices. -- Debbie Christofferson
Paul makes a good point. I have found that corporate culture can be the inhibiting factor to innovation. As we all know we are most comfortable with what we know. This too is an inhibitor to innovation. Looking at a business problem through a variety of lenses will help you understand the needs that might best solve the barriers to success. Sometimes technology is part of the solution and more often than not it is an enabler. That said, all too often we tend to go with what we know and then hide behind the lack of policy to justify not doing what may be the right thing.
If you think about the logical extension of what you are building as a capability of your business and fail to consider the ultimate customer’s engagement in that solution longer-term, then you will continue to do what you have always done. "Keep doing what you are doing and you will keep getting what you are getting."
Break out and take risks. As others have noted, start in your sandbox and with small pilots. Seek to discover the risks that are real rather than the ones noted with other technologies of the past. Being a Chief Innovation Officer in addition to your Information Officer role demands we think differently if we are to make a difference for our business.
Remember, you can always tighten a policy, it is far more difficult to loosen one that has been put in place.
Key to the discussion is asking the question, "Is the policy reflective of existing company culture?" All too often priorities relating to management and security dictate decision making. But one thing that the Consumerization of IT era has shown us is the importance of using technology as a lever/fulcrum for productivity. This means that policies need to be thoughtful and the technologies used flexible.
One model of a thoughtful approach to mobile policy and technology is Martha Stewart Omnimedia. (see http://bit.ly/OwBdL1)
Yes, my position on the importance of culture was challenged in the 8/14 Twitter chat http://bit.ly/NMFwUx, but I feel strongly that IT policy and implementation (i.e. tech) need to reflect, not change the uniqueness of the organization.
Seems like logically, technology should follow policy (in principle and chronology), but it doesn't always work out that way. As we discussed on the Twitter chat yesterday, there are plenty of examples where tech dictates policy.