User-driven IT taking hold in the enterprise
July 23, 2010 - 12:38pm

IDG Research Services and RSA have found that nearly 80% of security executives are seeing user influence on IT decisions growing as smartphones, netbooks and tablet PCs enter the workplace.

RSA, the Security Division of EMC, has released two new research initiatives that reveal a surge in the use of consumer technologies within the enterprise and examine the rising impact users are having on IT strategies worldwide.

The first research initiative – a survey conducted by IDG Research Services – reveals the rapid use and adoption of consumer technologies within the enterprise and the pivotal role users are playing in driving this trend.

The second research initiative, from RSA’s Security for Business Innovation Council, examines this phenomenon more deeply – exploring why traditional models where IT controls the use of all enterprise technology are quickly crumbling. This report offers concrete recommendations for how security leaders can get out in front of user-driven IT and manage risks to create new business value.

“The trend toward leveraging non-corporate-controlled assets and using social media for accessing and distributing information is inevitable,” said Security for Business Innovation Council member David Kent, Vice President, Global Risk and Business Resources, Genzyme. “It would be a mistake for any company to put its head in the sand or to dig in its heels; because the tide will be working against you. It would be much better to recognize it and then create the parameters to make it work for you.”

Embracing consumer technologies can be risky

A June 2010 survey of nearly 400 security and IT decision makers revealed a sharp rise in the enterprise adoption of consumer technologies and uncovered the growing role end users are playing in accelerating this trend. The research also underscored how unprepared many organizations are to manage the risks associated with this new reality.
Key findings include the following:

- 76% of security and IT leaders believe user influence on device and application purchase decisions within the enterprise is on the rise.
- While the majority of decisions about older technologies such as desktops and laptops are still made by IT, this dynamic shifts when it comes to newer consumer technologies:
  - More than 60% of respondents report that users have some input regarding the types of smartphones purchased, with 20% reporting that they let users decide.
  - 52% of organizations allow users to provide input on or make decisions about netbooks while 50% involve users in tablet decisions.
  - Even when it comes to desktops and laptops, users have input into purchasing decisions at 35% and 47% of companies, respectively.
- Just over one-quarter of the respondents report their companies currently allow employees to use their own personal computers or mobile devices for work purposes.
- Though most companies have policies aimed at preventing or limiting the connection of personal devices to the corporate network, nearly 60% of respondents said that unauthorized connections to the corporate network still occur and 23% of the largest organizations surveyed have experienced a serious breach or incident because of a personal device on the corporate network.
- More than 80% of companies now allow some form of access to social networking sites. Of those companies, 62% are already using it as a vehicle for external communication with customers and partners.
- The trend to enable more access to consumer technologies is viewed in a positive light by most respondents. As many as 63% believe that using devices such as netbooks, tablets, smartphones and social media would increase productivity.
- Many companies are not fully prepared to confront this trend from a security standpoint. Just 11% feel very confident that they have the right level of security in place to accommodate increased access to consumer devices and applications.
- Only 22% of companies surveyed thoroughly calculate the risks associated with consumer technologies and applications before users begin using them for business purposes; 38% assess the risks in some cases, but have gaps in their strategies; and up to 40% of those surveyed don’t calculate the risks at all.

Council report: user-driven IT reshaping information security

RSA also released the results of its sixth Security for Business Innovation Council report, “The Rise of User-driven IT: Re-calibrating Information Security for Choice Computing.” In this report security leaders from around the world explored how the rapid adoption of consumer technologies such as smartphones, tablet PCs and social media is transforming IT.

The report highlights a significant shift in how technology is being adopted for enterprise use, in that it is no longer just the IT department dictating which devices and technologies will be used: employees are taking the reins. The report further highlights that users will not only continue to influence IT and make technology decisions, but that many enterprise computing assets will actually be user-owned.

While the shift to user-driven IT is inevitable, it doesn’t have to be a threat to the enterprise – instead it can be an opportunity to bolster the company’s own value. The report provides a roadmap to prepare information security teams to securely give their users more flexibility in computing. Specific guidance includes:

Shift minds to the times: As users increasingly make decisions about how technology is used in the enterprise, security teams must shift their attitudes from command and control to oversight and business enablement. The Council introduces a new way for security professionals to think about their roles and what’s actually important to protect.

Reframe users as assets: The average person has become a sophisticated technology user. Instead of treating user education as one-way communication, security needs to re-invent it as a two-way conversation. The Council outlines how security teams can begin leveraging user populations as powerful tech-savvy armies that can be activated for business advantage.

Support calculated risk-taking: User-driven IT introduces a whole new set of risks that are compounded by escalating compliance and legal obligations and an evolving threat landscape. To help keep the risks to an acceptable level, security professionals must know and understand the risks and be acutely attuned to their organizations’ risk appetites. Council members share guidance on how to approach issues of ownership and representation, e-discovery, the growth of mobile malware and phishing dangers on social networking sites.

Get in front of technology trends: To gauge the risks and rewards of user-driven IT, the security team will have to get up to speed on consumer devices and applications as well as the technologies that enable enterprise deployments. Council members share advice for keeping pace with future-critical technologies including virtualization, thin computing, cloud computing and advanced authentication and security technologies.

Own the future: In the rapidly changing world of consumer technology, the ability to anticipate changes before they happen will be more important than ever. The Council provides advice on how to set up cross-functional teams, establish flexible budgets with built-in contingency funds and use pilot projects to limit exposure and gain enterprise experience.

Collaborate with vendors: Council members explore the key role vendors can play in enabling user-driven IT and provide guidance on how to best partner with them to understand what’s on the horizon and shape future enterprise offerings.