IT Risk and the Millennials
I know, it sounds like the name of an oldschool rock band, but it’s not. It’s actually going to be one of themost pressing issues for IT in 2008. With millions beginning to enterthe workforce from Generation Y, CIOs are scrambling to understand andaddress perhaps their greatest risk ever.
In 2007 IT is just beginning to get its hands around the concept ofIT risk management and figuring out how to translate that forexecutives and the board. Now they’re confronted by the millennialworker, which is almost cause to rethink IT risk management all overagain. Trying to implement IT risk management policies with a"Millennial" workforce—one with members who have been labeled as "risktakers"—is very problematic. In general most "Millennials" tend tobelieve in a "no-walls" approach when it comes to sharing information.Why shouldn’t all information be shared? Their strength is digitalsophistication; some would even claim that the true concept ofinformation technology is their birthright.
FORTUNE’S May 15, 2007 cover storyrefers to Millennials as the most high-maintenance, but on the otherhand the most high-performing workforce in the history of the world.Why? Because they have more information in their heads and moreinformation at their fingertips.
Some have referred to the trend that Millennials are driving as the“consumerization of IT.” Remember the days when IT would provide youwith software and equipment far better than you had ever purchased?Those days are all but gone. Now, Millennials are used to freelydownloading software from the Internet, such as Skype; usingapplications like Facebook; and bringing their iPods and laptops intothe office—all of it blurring the lines between personal and work life.Faced with this dilemma, some IT organizations have reverted to askingemployees to sign a code of ethics and others have gone as far asbanning all unauthorized use of software and electronics in theworkplace.
Granted, consumer technologies can definitely pose a threat tonetwork security, but their increased use in enterprises is a trendthat it is hard to stop let alone detect. Gartner predicts that by2012—just five years from now—the majority of new informationtechnologies that enterprises adopt will have their roots in theconsumer market. How is this possible? Well, Millennials aredemonstrating that the consumerization of IT can actually increaseproductivity and reduce costs.
Think about the huge business benefit of knowledge management thathas been afforded through the emergence of social networkingapplications. The tagging technology that is often found in servicessuch as Flickr and Del.icio.us has spurred new ideas and options inorganizations to help share and find data more easily. Or consider howthe new generation of smartphones is exponentially increasingaccessibility and productivity. And you can’t deny the cost savingsbeing recognized with free and low-cost VoIP technology, such as Skype.
But the Millennial craving for the latest and shiniest newtechnology—often under the radar of IT—is not without risks. Forinstance, the potential for confidential information leakage is veryreal through the use of social networking software. How often have weread about leakage through portable devices? Now you can imagine we’reonly at the tip of the iceberg as handhelds and laptops areobliterating the boundaries between work and personal life. And withthe myriad of new Web apps out there, from desktop search toin-the-cloud storage and Millennial use running the gamut, theimplications are huge and cover the full range of ITrisks—availability, compliance, performance, and security.
So what are CIOs to do? Should they build up the Great Wall of IT byblocking all consumer technology use or promote the spirit of free workexpression? Ultimately the issue boils down to choice vs. control.Never have the ramifications of this age-old balancing act been asacute as what IT will face going forward.
Fortunately, the same five stepsfor executing an effective IT risk management program will proveessential in addressing the IT dilemma posed by the surging millennialworkforce. Here they are again:
• Quantification (of business impacts)
• Implementation (upon alignment of business and IT value)
Think about it in a simplified manner. First and foremost, IT needs tobe educated. CIOs need to understand what’s going on when it comes tothe network and technology usage. A thorough assessment will revealwhat technologies and practices employees are using and why, and thiswill better equip IT to figure out next steps with regards to eitheradaptation or constraint.
Naturally, IT will recognize the potential risks posed by certainpractices and will be able to quantify their impact to the businesswhether positive or negative and then design remediation solutionsbased on the organization’s risk profile and ease of mitigation. Forinstance, IT may discover widespread usage of social networks and beconvinced of the tremendous value such practice provides from acollective intelligence perspective. But depending on the nature of thebusiness, IT may have to restrict such usage because it may pose toomuch of a threat to operational success. Or, IT may be able tocompromise and implement an internal system for information sharing.
Finally, as part of the implementation process IT has to ensure thatthe proper controls are in place (i.e. identity management or data lossprevention). IT will also need to ensure that employees are fullyinformed of and educated on the policies that will help to govern theirconsumerized IT activities.
Now, by no means is this meant to belittle the challenge thatMillennials are beginning to introduce. The risks are real. And they’requietly emerging in cubicles, home offices, hotel rooms, WiFi hotspots,and sidewalks all around the world. We’re hearing this straight fromthe CIOs who didn’t plan this into their agenda and yet it’s risen tothe top as a priority. They’re trying to figure out how to keep up withthis crazy Web 2.0 world. Some are old school and just don’t get it.Some are asking a lot of questions and feeling the pain of beingconstrained by limited resources or legal and compliance issues. Othersare recognizing the potential for competitive advantage if they’re ableto adapt and embrace change.
Either way, 2008 should prove to be really interesting when it comesto IT transformation. And we’ll all have a front seat. Coming to anorganization near you, IT Risk and the Millennials.