This is an issue I explored in a blog post several months ago, IT Risk and the Millennials, which really seemed to resonate with customers and industry peers. Feedback ranged from "great article," to "how are others addressing this choice vs. control dilemma?" to skepticism about this theory and the desire to see more quantifiable research validating my previous thoughts.
So, with all of this in mind, we did just that. We went out and commissioned a study with Applied Research-West to measure IT risk issues surrounding the emerging millennial workforce within companies. The study was conducted with 600 people, including three groups of 200 respondents each: IT decision makers, millennial workers (born after 1980), and older workforce (born before 1980). Our goal was to measure millennial workers' perceptions and expectations regarding their use of new devices and Web 2.0 applications in the workplace, and to compare those results with their older coworkers' responses as well in order to gauge the IT crowd’s perception of this issue.
And frankly, the results shed some light on the challenges businesses and their CIOs face as the line continues to blur between work and personal life. A thorough analysis of the data reveals three key takeaways:
1) Millennial workers have differing attitudes regarding the use and adoption of technology in the work environment, when compared to their older colleagues.
• Millennial workers access Web 2.0 applications much more frequently at work than other workers. For example, 66 percent of millennials regularly access Facebook/MySpace vs. 13 percent of other workers. Seventy-five percent of millennials access their Webmail accounts vs. 54 percent of others. Forty-six percent of millennials use IM on the corporate network vs. 22 percent of others. For streaming video, photo sharing, and iTunes, there is a 20 percent difference for each, with the millennials at 38, 37, and 33 percent, respectively.
• Less than half (45 percent) of millennials stick to company-issued devices or software as opposed to nearly 70 percent of other workers. And, 69 percent of millennials will use whatever application/device/technology they want, regardless of source or corporate IT policies (compared to 31 percent of others).
• Three times as many millennials have downloaded software at work for personal use (75 percent vs. 25 percent).
• Millennials regularly store corporate data on personal devices—far more than others. Common channels are personal PCs (39 percent vs. 24 percent), USB drives (38 percent vs. 14 percent), personal hard drives (20 percent vs. 13 percent), and smart phones (13 percent vs. 6 percent).
2) IT managers largely feel they are doing an adequate job educating the workforce, while many employees feel they are not adequately trained on their employer’s policies around technology usage.
• Only 57 percent of both groups think they have been trained on their company’s policy regarding technology usage at work.
• At least 50 percent of IT respondents have policies banning applications such as social networking, iTunes, streaming video, and gaming applications.
• Seventy-five percent of corporate IT respondents have policies restricting corporate data and information on personal devices. And 85 percent of corporate IT respondents indicate they have policies restricting download/installation of software on work PCs for personal use.
3) Corporate IT managers have identified an increase in their risk exposure largely because of the millennial workforce and the new wave of technologies, and are taking different approaches on the spectrum of choice vs. control.
• Eighty-nine percent of corporate IT managers have recognized at least some increase in risk in the past five years. 47 percent of IT respondents feel younger workers pose a moderate to significant new challenge; 12 percent say they are more risk savvy.
• Sixty-seven percent of corporate IT manager respondents have at least considered restricting the use of the latest wave of Web 2.0 applications and smart devices to increase manageability. On the other hand, 54 percent of IT respondents have recognized at least some benefit from the latest wave of Web 2.0 application and personal smart devices among employees.
• IT respondents have differing approaches for dealing with the new millennial workforce. Thirty-six percent have written new policies and enforce them regularly, 28 percent have relaxed guidelines and allow more access of applications/devices, and 36 percent have not revised their policies in the past five years.
• Sixty-three percent monitor employees’ online activity to determine if they are following policies and restrictions.
• When asked about technology usage that would be a "fireable" offense, 50 percent indicated gaming applications, 41 percent indicated streaming audio/video, 37 percent indicated iTunes/music sites, 33 percent indicated chat rooms/forums, and 27 percent indicated photo sharing applications.
Clearly, the study reveals there is potential for huge risk exposure—data loss, compliance issues, legal implications, etc. While the study doesn’t reveal all the answers to this dilemma—in fact it clearly highlights an almost even split with how organizations are approaching it— the same five steps we’ve discussed before for executing an effective IT risk management program will prove essential in addressing the challenges posed by the surging millennial workforce.
This study should serve as a call to action for CIOs. Do you know what devices are being used in your organization? Do you know what applications are being downloaded? Are you tracking the movement of data and information within and outside your organization? Policies are not being adhered to, and this could have serious ramifications.
Take the necessary measures to do a thorough assessment to understand how much the "consumerization" of IT has permeated your organization. Assess IT risks and identify methods of control to limit inappropriate technologies crossing personal and corporate boundaries. Recognize that the "control" of yester-year has largely shifted to the "choice" of today.
Quantification and remediation
Acknowledge the potential risks identified by your assessment, quantify the business impact for good or bad, and then design remediation solutions based on the organization’s risk profile and ease of mitigation. IT may decide to restrict usage for certain applications, or may learn more about the benefits of such technologies and allow usage under certain policies.
Implementation and governance
Implement policies based upon alignment of business and IT value. Establish education that is socially aligned with the audience. Use logic to communicate the risk, solution, and benefit to your employees. Recognize that coaching the millennial workforce is more effective than educating.
Finally, IT has to ensure that the proper controls are in place and employees are fully aware of, and educated on, the policies that will help to govern their activities. Create an IT risk management culture, rather than a policy that amounts to a repository of documents. Establish ‘ownership’ for the IT risk challenge and reward appropriately (e.g. corporate-enabled networking usage, such as one hour every Friday)
These aren’t dire circumstances and shouldn’t be conveyed as FUD (fear, uncertainty and doubt). According to the study, both the younger and older generations of workers are recognizing the benefits of increased productivity, accessibility, and time savings (five to six hours per work week) through the next wave of social technologies.
As I said last time, it will be an interesting year and years to come, for sure. But, at least we’ve been able to take a peek over those cubicles, to be a fly on the wall in those home offices and in hotel rooms, and to get a glimpse of what we’re up against. And it’s really an issue of balance—availing of the benefits, while controlling risks, and providing a governance structure that harnesses the capabilities and proficiency of millennial workers.