IT Risk and the Millennials
I know, it sounds like the name of an old school rock band, but it’s not. It’s actually going to be one of the most pressing issues for IT in 2008. With millions beginning to enter the workforce from Generation Y, CIOs are scrambling to understand and address perhaps their greatest risk ever.
In 2007 IT is just beginning to get its hands around the concept of IT risk management and figuring out how to translate that for executives and the board. Now they’re confronted by the millennial worker, which is almost cause to rethink IT risk management all over again. Trying to implement IT risk management policies with a "Millennial" workforce—one with members who have been labeled as "risk takers"—is very problematic. In general most "Millennials" tend to believe in a "no-walls" approach when it comes to sharing information. Why shouldn’t all information be shared? Their strength is digital sophistication; some would even claim that the true concept of information technology is their birthright.
FORTUNE’S May 15, 2007 cover story refers to Millennials as the most high-maintenance, but on the other hand the most high-performing workforce in the history of the world. Why? Because they have more information in their heads and more information at their fingertips.
Some have referred to the trend that Millennials are driving as the “consumerization of IT.” Remember the days when IT would provide you with software and equipment far better than you had ever purchased? Those days are all but gone. Now, Millennials are used to freely downloading software from the Internet, such as Skype; using applications like Facebook; and bringing their iPods and laptops into the office—all of it blurring the lines between personal and work life. Faced with this dilemma, some IT organizations have reverted to asking employees to sign a code of ethics and others have gone as far as banning all unauthorized use of software and electronics in the workplace.
Granted, consumer technologies can definitely pose a threat to network security, but their increased use in enterprises is a trend that it is hard to stop let alone detect. Gartner predicts that by 2012—just five years from now—the majority of new information technologies that enterprises adopt will have their roots in the consumer market. How is this possible? Well, Millennials are demonstrating that the consumerization of IT can actually increase productivity and reduce costs.
Think about the huge business benefit of knowledge management that has been afforded through the emergence of social networking applications. The tagging technology that is often found in services such as Flickr and Del.icio.us has spurred new ideas and options in organizations to help share and find data more easily. Or consider how the new generation of smartphones is exponentially increasing accessibility and productivity. And you can’t deny the cost savings being recognized with free and low-cost VoIP technology, such as Skype.
But the Millennial craving for the latest and shiniest new technology—often under the radar of IT—is not without risks. For instance, the potential for confidential information leakage is very real through the use of social networking software. How often have we read about leakage through portable devices? Now you can imagine we’re only at the tip of the iceberg as handhelds and laptops are obliterating the boundaries between work and personal life. And with the myriad of new Web apps out there, from desktop search to in-the-cloud storage and Millennial use running the gamut, the implications are huge and cover the full range of IT risks—availability, compliance, performance, and security.
So what are CIOs to do? Should they build up the Great Wall of IT by blocking all consumer technology use or promote the spirit of free work expression? Ultimately the issue boils down to choice vs. control. Never have the ramifications of this age-old balancing act been as acute as what IT will face going forward.
Fortunately, the same five steps for executing an effective IT risk management program will prove essential in addressing the IT dilemma posed by the surging millennial workforce. Here they are again:
• Quantification (of business impacts)
• Implementation (upon alignment of business and IT value)
Think about it in a simplified manner. First and foremost, IT needs to be educated. CIOs need to understand what’s going on when it comes to the network and technology usage. A thorough assessment will reveal what technologies and practices employees are using and why, and this will better equip IT to figure out next steps with regards to either adaptation or constraint.
Naturally, IT will recognize the potential risks posed by certain practices and will be able to quantify their impact to the business whether positive or negative and then design remediation solutions based on the organization’s risk profile and ease of mitigation. For instance, IT may discover widespread usage of social networks and be convinced of the tremendous value such practice provides from a collective intelligence perspective. But depending on the nature of the business, IT may have to restrict such usage because it may pose too much of a threat to operational success. Or, IT may be able to compromise and implement an internal system for information sharing.
Finally, as part of the implementation process IT has to ensure that the proper controls are in place (i.e. identity management or data loss prevention). IT will also need to ensure that employees are fully informed of and educated on the policies that will help to govern their consumerized IT activities.
Now, by no means is this meant to belittle the challenge that Millennials are beginning to introduce. The risks are real. And they’re quietly emerging in cubicles, home offices, hotel rooms, WiFi hotspots, and sidewalks all around the world. We’re hearing this straight from the CIOs who didn’t plan this into their agenda and yet it’s risen to the top as a priority. They’re trying to figure out how to keep up with this crazy Web 2.0 world. Some are old school and just don’t get it. Some are asking a lot of questions and feeling the pain of being constrained by limited resources or legal and compliance issues. Others are recognizing the potential for competitive advantage if they’re able to adapt and embrace change.
Either way, 2008 should prove to be really interesting when it comes to IT transformation. And we’ll all have a front seat. Coming to an organization near you, IT Risk and the Millennials.