The second initiative, from RSA’s Security for Business Innovation Council, examines this phenomenon more deeply, exploring why traditional models where IT controls the use of all enterprise technology are quickly crumbling. This report offers concrete recommendations for how security leaders can get out in front of user-driven IT and manage risks to create new business value.

“The trend toward leveraging non-corporate-controlled assets and using social media for accessing and distributing information is inevitable,” says Security for Business Innovation Council member David Kent, vice-president of global risk and business resources at Genzyme. “It would be a mistake for any company to put its head in the sand or to dig in its heels; because the tide will be working against you.  It would be much better to recognize it and then create the parameters to make it work for you.”

Commissioned by RSA, a June 2010 IDG Research Services survey of nearly 400 security and IT decision makers reveals a sharp rise in the enterprise adoption of consumer technologies and uncovers the growing role end users are playing in accelerating this trend.  The research also underscores how unprepared many organisations are to manage the risks associated with this new reality.

Key findings include the following:

• 76% of security and IT leaders believe user influence on device and application purchase decisions within the enterprise is on the rise.
• While the majority of decisions about older technologies such as desktops and laptops are still made by IT, this dynamic shifts when it comes to newer consumer technologies.
• More than 60% of respondents report that users have some input regarding the types of smartphones purchased, with 20% reporting that they let users decide.
• 52% of organisations allow users to provide input on or make decisions about netbooks while 50% involve users in tablet decisions.
• Even when it comes to desktops and laptops, users have input into purchasing decisions at 35% and 47% of companies, respectively.
• Just over one-quarter of the respondents report their companies currently allow employees to use their own personal computers or mobile devices for work purposes.
• Though most companies have policies aimed at preventing or limiting the connection of personal devices to the corporate network, nearly 60% of respondents said that unauthorised connections to the corporate network still occur and 23% of the largest organisations surveyed have experienced a serious breach or incident because of a personal device on the corporate network.
• More than 80% of companies now allow some form of access to social networking sites. Of those companies, 62% are already using it as a vehicle for external communication with customers and partners.
• The trend to enable users more access to consumer technologies is viewed in a positive light by most respondents.  As many as 63% believe that using devices such as netbooks, tablets, smart phones and social media would increase productivity.
• Many companies are not fully prepared to confront this trend from a security standpoint. Just 11% feel very confident that they have the right level of security in place to accommodate increased access to consumer devices and applications.
• Only 22% of companies surveyed thoroughly calculate the risks associated with consumer technologies and applications before users begin using them for business purposes, 38% assess the risks in some cases, but have gaps in their strategies and  up to 40% of those surveyed don’t calculate the risks at all.

RSA also released the results of its sixth Security for Business Innovation Council report, “The Rise of User-driven IT:  Re-calibrating Information Security for Choice Computing”.  In this report, security leaders from around the world explore how the rapid adoption of consumer technologies such as smartphones, tablet PCs and social media is transforming IT. The report highlights a significant shift in how technology is being adopted for enterprise use – in that it’s no longer just the IT department dictating which devices and technologies will be used; employees are taking the reins.

The report also highlights that users will not only continue to influence IT and make technology decisions, but that many enterprise computing assets will actually be user-owned. While the shift to user-driven IT is inevitable, it doesn’t have to be a threat to the enterprise – instead it can be an opportunity to bolster the company’s own value.

“Like it or not, personal and professional computing have collided and the fall out is being felt in enterprises worldwide,” says Karel Rode, principal consultant at RSA, the Security Division of EMC Southern Africa. “User-driven IT has the potential to deliver huge benefits to users and their organisations. The companies that figure out how to unleash user know-how and consumer technologies while managing the risks will win this high stakes game. This is the moment for information security teams to step up and be the most valuable players.”

Based on the collective insights of the Security for Business Innovation Council, which includes some of the world's top security officers, the report provides a roadmap to prepare information security teams to securely give their users more flexibility in computing.  Specific guidance includes:

• Shift minds to the times:  As users increasingly make decisions about how technology is used in the enterprise, security teams must shift their attitudes from command and control to oversight and business enablement.  The Council introduces a new way for security professionals to think about their roles and what’s actually important to protect.
• Reframe users as assets:  The average person has become a sophisticated technology user.  Instead of treating user education as one-way communication, security needs to re-invent it as a two-way conversation. The Council outlines how security teams can begin leveraging user populations as powerful tech-savvy armies that can be activated for business advantage.
• Support calculated risk-taking:User-driven IT introduces a whole new set of risks that are compounded by escalating compliance and legal obligations and an evolving threat landscape. To help keep the risks to an acceptable level, security professionals must know and understand the risks and be acutely attuned to their organisations’ risk appetites. Council members share guidance on how to approach issues of ownership and representation, e-discovery, the growth of mobile malware and phishing dangers on social networking sites.
• Get in front of technology trends: To gauge the risks and rewards of user-driven IT, the security team will have to get up to speed on consumer devices and applications as well as the technologies that enable enterprise deployments. Council members share advice for keeping pace with future-critical technologies including virtualisation, thin computing, cloud computing and advanced authentication and security technologies.
• Own the future: In the rapidly changing world of consumer technology, the ability to anticipate changes before they happen will be more important than ever. The Council provides advice on how to set up cross-functional teams, establish flexible budgets with built-in contingency funds and use pilot projects to limit exposure and gain enterprise experience.
• Collaborate with vendors: Council members explore the key role vendors can play in enabling user-driven IT and provide guidance on how to best partner with them to understand what’s on the horizon and shape future enterprise offerings.

Source: IT Online. View original here