Power to the people: Managing technology democracy in the workplace

Power to the people?Managing technology democracy in the workplace

A report from the Economist Intelligence Unit

Sponsored by


© The Economist Intelligence Unit Limited 2009�

P ower to the people? Managing technology democracy in the workplace is an Economist Intelligence Unit white paper, sponsored by Trend Micro. The Economist Intelligence Unit bears sole

responsibility for the content of the report. The Economist Intelligence Unit’s editorial team executed the survey, conducted the analysis and wrote the report. The findings and views expressed here do not necessarily reflect the views of the sponsor.

Our research drew on two main initiatives:

l We conducted an online survey in March and April 2009. In all, 390 executives from seven European countries took part.

l To supplement the survey results, we also conducted in-depth interviews with senior executives and independent experts on technology use in the workplace.

The author of this report was Svetlana Grant and the editor was Denis McCauley. Our sincere thanks go to the survey participants and interviewees for sharing their time and insights

on this topic.

September 2009

Preface


© The Economist Intelligence Unit Limited 20092

Technology changes are often accompanied by fanfare, but in recent years at least one quiet technology revolution has been developing in the workplace. Individuals are adopting for work use

the applications and devices they have learned to use in their personal lives. Applications previously accessed only on home computers, such as wikis and social networking sites, now appear on business PCs. Nearly every employee is now equipped with a personal mobile device and can become an online publisher with the help of blogs. As a result, employees are challenging the technology status quo in their organisation. Many are demanding “technology democracy”—greater freedom to use the information technology (IT) applications and devices of their choice in order to conduct their work more effectively.

Companies are not entirely ready for this development. In Europe, many firms resist the notion of according greater technology choice to employees and business units. Just under one-half—48%—of respondents to an Economist Intelligence Unit survey of European executives conducted for this study say that management of their firms is supportive of expanding technology freedom at the grassroots level, but virtually the same number, 47%, say the opposite. On a hopeful note, executives tend to see more opportunity than risk to their business from this development. Nonetheless, the use of new IT tools goes on at many firms without clear IT guidelines and proper training. In their absence, business risks are likely to increase for these firms.

This pressure from below on company management and the IT function will to continue to mount. Generation Y, also known as the “millennials”, is populating the workforce in increasing numbers, and it will not be long before they begin advancing to middle management positions. Increasingly reliant on social media, messaging and other personal networking technologies to conduct their work, this generation will challenge the established modes of IT management in organisations.

Other key findings from the research are highlighted below.

l Innovationandmoralestandmosttobenefitfromtechnologyfreedom.Over 40% of European executives are prepared to deal with the risks of technology democracy in order to reap its business benefits. The chief gains, they believe, will come in the form of better grassroots innovation, as well as higher morale on the part of employees who are trusted to make at least some technology decisions for themselves.

Executivesummary



l Therisksarerealbutcanbemanaged.The fears of executives who resist according greater technology freedom in their firms are not misplaced. No few employees have wasted valuable work time using Web 2.0 applications for personal purposes, and companies have been damaged by sensitive information appearing on blogs, for example. Survey respondents agree that the biggest risks from technology democracy are lower productivity, the loss of confidential information and an increased vulnerability to viruses.

l Keepingtechnologychaosincheckrequiresclearrules.Where any degree of democracy exists, technology freedom must be supported by clear rules and regulations to prevent a descent into chaos. The most important means of minimising productivity loss and security risks include conducting regular and mandatory training courses for employees, developing formal guidelines and continuing the work of upgrading network defences.

l Firmsmustprovidebettertrainingonusingnewtechnologies.Most executives in the survey claim that their firms have drafted IT policies to govern employees’ use of devices, applications and websites in the workplace. But few have begun to instil these guidelines in the minds of employees: no more than 21% of surveyed firms provide training on the use of personal communications devices, and only 17% do this in regard to social networking applications. More worryingly, no more than one-fifth have plans to do so in the future.

l SomeITdecentralisationmaybeneededtomanagethesecurityrisks.When asked their view on the implications of greater technology freedom for the IT function, survey respondents’ reply that

Sixstepstokeeptechnologydemocracyfromdescendingintochaos

Whether or not management is supportive of expanding technology freedom, grassroots pressure to use new technologies will not go away. The research suggests a few measures that all organisations can implement to ensure that this pressure remains creative and not destructive.l Publishclearguidelinesfortechnologyuseandupdatethemregularly.Clarifying the rules of technology engagement for employees is imperative in order to minimise the threat of security breaches (and productivity loss). They must also be updated frequently, as technologies change at breathtaking speed. l Maketheguidelinesspecific.Some firms which encourage the workplace use of blogs and social networks, for example, require employees, among other things, to identify themselves clearly and to use disclaimers when discussing the firm, and to avoid citing clients, partners or suppliers without their approval.l Educateandtrain.It is not enough to develop guidelines; they must be communicated to employees. Courses on the use of social

media and personal communication devices should also become part of regular employee training. l Bereadytodevolvesomesecurityoversight.Securing the ever-expanding universe of applications and devices that employees use could overwhelm the centralised IT function. Trained IT specialists in the business units may be better placed to manage this aspect of information security.l Developin-housesocialnetworkingtools.Large companies should consider building internal social networking applications, which can deliver the benefits of information sharing—especially improved innovation—without the security risks. Such tools may not be right for all firms, however, as they can require significant resources to build and maintain.l MakethebusinessunitsapartnerofIT.Current mantra holds that the IT function must become a “true partner” of the business units. This should also work the other way round. Employees often have a keener sense than IT of the business utility of a new application, and line managers may have a better knowledge of employees’ technology needs and practices. Involving business units in technology decision-making will ensure that this knowledge is tapped, and will also expand awareness of new risks.



the delegation of responsibility for information security to individual business units is the most likely outcome. This would allow the IT function to focus on other tasks, such as the management of firewalls and other aspects of physical network security and tracking new external threats.

The technology democracysurvey

The analysis in this study is based in part on an online survey, conducted by the Economist Intelligence Unit in March and April 2009, of 390 executives based in the UK, Germany, France, Italy, the Netherlands, Sweden and Russia. The sample was senior: 49% of all respondents were C-level executives, with CEOs and board members

alone accounting for 30% of the group. A range of functions was represented in the survey, with general management, strategy and business development, sales and marketing, finance and IT the most prominent. Respondents hailed from �8 different industries, as well as a range of company sizes, with one-half of respondents coming from large firms—those with over US$500m in annual revenue. More details on the survey sample and results can be found in the appendix.



The traditional model of information technology (IT) management in organisations may be likened to a benevolent dictatorship. The IT function, led by the chief information officer (CIO), chief

technology officer (CTO) or IT director—having the best interests of the business at heart—makes all decisions about which technology tools should be used by staff, procures them centrally, and sets the rules by which these tools are used for daily tasks. This model, which has predominated for half a century around the world, in public- and private-sector organisations alike, allows some limited freedom for experimentation to individual business units, but almost none to individual employees. “Technology democracy”—which we define as freedom to choose the IT applications and devices with which to conduct one’s work—spells chaos and risk for IT’s “benevolent dictators”.

As the Internet and advanced (particularly mobile) telecommunications have become a thorn in the side of political dictatorships, however, so the use of these technologies in organisations threatens to erode the traditional model of IT management. By increasingly bringing the technologies they use in their personal lives into the workplace and using them for work purposes, employees are, consciously or not, making a case to be involved in the IT decision-making process. The change is gradual: some use blogs to solicit product or marketing ideas from peers; others use personal mobile devices to read work e-mail or make business calls. In many organisations, the result is a quiet workplace revolution as employees assume the power to choose their own applications and devices.

Driving the change is the rising use of Web 2.0 applications and personal communications devices by individuals. The workplace use of these technologies may not yet be as widespread as is popularly assumed, according to Alexandra Jones, associate director of the Work Foundation, a UK not-for-profit institute which conducts research on work practices. Ms Jones points to the results of a recent study by her organisation which suggests that less than one-fifth of UK employees at large companies use blogs or social networks while at work.�

There is little doubt, however, that the workplace use of these technologies is on the rise. More than two-thirds of European executives in our survey believe that the use of personal mobile phones and notebook computers by their employees for work (as opposed to personal) purposes is increasing; nearly one-half think the same about social networking and similar applications.

Several changes in the working environment will ensure that this trend continues. One is the arrival

Introduction:Challengingtheestablishedorder

� The Work Foundation, Changing Relationships at Work, 2008.


© The Economist Intelligence Unit Limited 2009�

of a young generation of employees to the low and middle ranks of the workforce. This Generation Y, or “millennials”, born between the early �980s and the mid-�990s, grew up using mobile phones and the Internet; most of them are IT-savvy and accustomed to using social media online. During the next five years, they will progress to middle management positions, and some will even start bringing the use of new technologies into executive suites and boardrooms.

Another change is the rise of teleworking. The UK’s Institute for Employment Studies predicts that telecommuters in the original 15 EU member countries will top 27m by 2010, or 14% of all employees, up from approximately 4m in 2000. In the US, already as many as 22% of the entire workforce work remotely at least one day a week, according to WorldatWork, a professional association focusing on human resources management. Geographically dispersed employees need new technologies to communicate and manage teams.

Michael Nelson, visiting professor of Internet studies at Georgetown University in the US, describes the resulting change as “the blurring of boundaries between personal and professional, between the use of technology for personal and business purposes”. He believes that its consequences are significant: “The biggest problem corporations face is a cultural issue. CEOs and CIOs need to get used to the idea that their companies are now more open and accept it when employees give away more information. They also need to rethink their information and technology management.”

Far from all the executives in our survey appear ready for this. Just under one-half of respondents say that senior management is supportive of according employees greater freedom to use applications and devices of their choice, or “technology democracy”. Employees in 40% of Russian firms and 38% of Dutch firms in the survey are likely to face disciplinary actions for using social networking applications. (German and French firms are considerably less likely to impose sanctions than the European average.) Technology use in these companies continues to follow the traditional rules, but for how much longer?

“CEOs and CIOs need to get usedto the idea that their companies are now more open and accept it when employees give away moreinformation. They also need to rethink their information and technology management.”Michael Nelson, visiting professor of Internet studies, Georgetown University



European companies are divided in their views on technology democracy, and for good reason. Expanding employees’ freedom of choice introduces many unknowns into the established system

of IT functions and responsibilities. It opens new and exciting business opportunities, but it also exposes organisations to risks which they have spent many years trying to manage and minimise. The arrival of many new technologies to the workplace, moreover, is so recent that executives have not had time to give them much consideration.

The above are likely to be reasons why nearly one-third of survey respondents (and over 40% of IT executives) believe there is more risk than opportunity in according employees greater freedom to use technologies of their choice at work, and that 23% see as much risk as opportunity. A larger share of European executives see a brighter side, however: 42% are prepared to deal with the risks in order to capitalise on its business benefits. UK executives are the survey’s most optimistic national group

Democracyinaction

128

13

3027

30

2318

25

1819

18

1324

11

45

4

Significantly more opportunity than risk

Somewhat more opportunity than risk

Equal balance of opportunity and risk

Somewhat more risk than opportunity

Significantly more risk than opportunity

Don't know/Not applicable

How would you say that senior management of your company views the balance of opportunity versus risk in allowing employees greater freedom to use the technologies of their choice in the workplace?(% respondents)

Total IT Non-IT

Source: Economist Intelligence Unit survey, April 2009.

Keypoints

n SomeEuropeanexecutivesfocusontherisksofaccordinggreatertechnologyfreedom,butalargershareseegreateropportunitythanriskinthisdevelopment.

n AgrowingnumberofcompaniesacrossdifferentindustriesareleveraginginteractiveWeb2.0technologiestoenhancetheirinnovationpractices.

n Freedomtousenewtechnologiesandinnovatecanalsobecomeanimportantmoraleboosterforemployees.



on this count, with half seeing more opportunity than risk. (Russian executives, by contrast, emerge as the most wary, with 4�% seeing a greater amount of risk.) John Linwood, CTO of the BBC, the UK’s public broadcasting company, sums up this sentiment: “There are clearly risks involved, but we think those are far outweighed by the opportunities.”

Mr Nelson articulates the benefit for businesses: “Every time a new technology appears, it gives people more power. Organisations that find the way to build on this power and take advantage of the new tools are the ones that will come out ahead.” The chief rewards for accepting the risks, according to the survey group, include better innovation, improved employee morale and enhanced collaboration with external partners.

Freedom to innovateA growing number of companies across different industries are leveraging interactive Web 2.0 technologies to enhance their innovation practices. One of them is IBM, an IT services firm. Says Ed Bevan, IBM’s vice-president for innovation and market insight: “We think that innovation today is a much more complex process than in a lone-inventor era. Successful innovation requires a combination of many technologies, business processes and even business models. For that you need more expertise, and using social media and online tools are very useful.”

IBM uses online collaboration to develop ideas for new business investment. The company has been organising an online brainstorming session called Innovation Jam™ since 200�, using a combination of technology platforms it built for the purpose; these have led the company to create ten new businesses with seed financing totalling US$100m, according to Mr Bevan. The 2008 session brought together 90,000 participants from �,000 companies in 20 industries.

Mr Bevan explains the philosophy behind IBM’s approach: “Technology is obviously very important [to innovation], but it is much more important to have alignment between business approach, strategy and the culture created within a company or a group of companies, which includes partners. We have

3127

25

3532

27

3846

23

3727

20

2913

40

Total

UK

Germany

Italy

Russia

Which of the following, if any, are likely to be the main benefits to your organisation resulting from employees’ greater freedom to use applications and devices? Select up to two. (Top responses from selected countries; % responses)

Enhanced innovation (eg, from employees' involvement in online forums, etc) Enhanced employee morale More effective collaboration with external partners


Brainstorming with social networking technologies requires clear thinking beforehand about what to do with the resulting flow of ideas.



a very similar approach to Innovation Jams, blogs, social media or any other new technologies. It is all about democratisation and listening to many voices and ideas, allowing people to collaborate in business ventures, and creating a flat playing field with non-hierarchical approach.” Such brainstorming, however, requires clear thinking beforehand about what to do with the resulting flow of ideas, warns Mr Bevan, otherwise “you have a big party where everybody constantly contributes and then nothing happens.”

Many organisations are also proactively utilising social media to leverage what Mr Nelson calls the “power and wisdom of crowds”. Such organisations as the BBC, for example, use social networking sites to solicit feedback from their viewers. Lego, a Danish toymaker, consults an online panel of young toy users called “Kid’s Inner Circle” on specific innovations they would like to see in new products.2

Happieremployees,moreeffectiveteamsFreedom to use new technologies and innovate can also become an important morale booster for employees. Ms Jones from the Work Foundation believes that improved loyalty and higher employee retention are important benefits of a more open working environment: “We found that new technologies are associated with a more flexible culture and could play a role in supporting closer working relationships. Where the choice and use of new technologies is allowed, employees are more likely to describe their organisation as having a culture based on loyalty and mutual trust, and this is what people like in the workplace.” The survey results support this assertion, at least in some European countries: as many as 4�% of German respondents and 3�% of those from the UK believe enhanced workplace morale is among the main benefits they expect to gain from greater employee freedom to use technology.

In addition to talent retention, new technologies are also seen as an effective tool for collaborating with external partners and creating greater team cohesion. Longer and more complicated supply

2 The Lego and Procter & Gamble examples are described in The digital company 2013: How technology will empower the customer, a 2008 white paper from the Economist Intelligence Unit.

FortheBBC,socialmediaopportunitiesoutweighthe risks

BBC, the British public service broadcaster, has adopted a liberal view on the use of new technologies. Its journalists and reporters use social media sites, such as Twitter, on a daily basis as one of many sources of information and public opinion, and leverage Facebook in their research of news stories and people. BBC employees also use Facebook for internal networking and communication with colleagues. The IT department is also mulling over the policies that would permit the use of personal laptops.

John Linwood, the BBC’s CTO, who joined the corporation in early 2009 from Yahoo, an online media portal, is receptive to many other uses of social media in the workplace. “We are the largest media company in the UK, with 28,000 employees, and interaction with our audiences is very important to us. Social networking is an additional tool we can use to achieve greater interactivity. Whenever we release

a new version of iPlayer [an online play-back portal for the earlier broadcast programmes], for example, we use the Twitter community to get feedback on different features.”

Mr Linwood admits that using social media has increased the risks for the company: “Social networks are another vehicle that malicious people can use; we are aware of that and are making sure that our IT policies and procedures can deal with it.” The corporation has rules for the use of social media and blogging, and it sends its employees on mandatory training courses to make sure they have sufficient knowledge and skills to use information effectively and wisely.

Information security is a shared responsibility at the BBC, according to Mr Linwood. “Responsibility for developing information policy and understanding the IT threats lies with the CIO. But in terms of implementation, it is up to each individual employee. Once they receive the training, they need to step up and take responsibility for their own actions and for data security within their area. Our role is to equip and educate staff across the organisation and then have them take responsibility for the areas in which they are involved.”


© The Economist Intelligence Unit Limited 2009�0

chains increase companies’ reliance on their partners and suppliers, and require more extensive channels for communication. Social networking by no means replaces more traditional forms of communication such as phone, e-mail and face-to-face meetings, but rather complements and augments them. Even in companies that are wary of the idea of “technology freedom”, the use of new tools is on the rise: Achmea, an insurance provider based in the Netherlands, for example, uses instant messaging to link its 13,500 employees spread across 12 locations.


© The Economist Intelligence Unit Limited 2009��

Newtechnologies,familiarrisks

3532

24

3029

27

3641

23

4733

20

4236

31

3831

21

Total

Sweden

Germany

Italy

Russia

France

Which of the following, if any, are likely to be the main negative consequences for your organisation resulting from employees' greater freedom to use applications and devices? Select up to two. (Top responses from selected countries; % responses)

Loss of productivity Leakage of confidential company information Increased network vulnerability to viruses


For every organisation like the BBC which is comfortable with according employees freedom to use technologies of their choice, there is at least one, if not more, which is not. Kellogg

Company, a food producer, is one of the latter. Says Mike Nagle, Kellogg’s director of regional IT in Europe and Asia-Pacific: “We currently do not allow employees to choose and use their own devices or applications in the workplace. We also disallow the use of social networking sites selectively and personal e-mail completely. We apply these rules on the basis of threats to security and productivity.”

The aforementioned Achmea is another firm wary of allowing technology choice. Bob Jutte, Achmea’s CIO, explains his management’s view: “We do not think it is appropriate for our employees to choose and use their own devices. There is too much risk of losing confidential company information and customer data.” This is not, however, an immutable position. “We are reviewing our policy on social

Keypoints

n Productivitylossisviewedasthechiefriskofaccordingemployeesgreatertechnologyfreedom.

n Intheworldofsocialnetworking,firmshaveverylittlecontrolovertheoutwardstreamofinformation,increasingtheriskoflosingIPandcustomerdata.

n File-sharingsitesandapplicationstopEuropeanexecutives’listofthemostriskytechnologies.



networking sites all the time,” affirms Mr Jutte. “When we have a clear picture of the risks and know that we can manage them, then we make changes.”

Even executives supportive of technology democracy in the business acknowledge that it comes with many strings attached in the form of risks. The biggest of these, according to survey respondents, is the potential loss of employee productivity; this is especially worrying for firms in Italy and Russia. Others are security-related: the loss of confidential company information and a firm’s increased vulnerability to viruses. As many as 4�% of Germany’s executives, for example, view the loss of sensitive information as a major risk of greater technology freedom for employees.

EfficiencydrainSocial networking sites, blogs and wikis (websites that allows visitors to contribute or modify content) were created for the purpose of socialising with friends, family and peers. These sites are all too often used in the office for just this purpose, wasting hours of productive time. Facebook is the best-known distraction, but there is a site just like it in all markets, be it Bebo in the UK or Odnoklassniki.ru (translated as “classmates”) in Russia. In many cases, employers draw the line between personal social sites and those that aid professional and business networking. Achmea in the Netherlands, for example, allows its employees to use LinkedIn, but prohibits the use of Facebook. The line between the two is often very thin: reading pages of news and information from such sites as Twitter can distract employees from more important work, even if they read it for professional purposes.

The easiest way to minimise this source of productivity loss is to ban the use of certain social networking sites. In the survey, 24% of European executives state that access to Facebook should be disallowed in their organisations, and 22% would ban blogging sites and services. This is the practice at some of the firms whose executives were interviewed for this study.

Mr Linwood of the BBC takes a different view, namely that the abuse of social networking sites is more of a managerial or human resources issue than a technology one. “Social networking is just one of many things people do to waste their time,” he says. “If employees are not doing their job, the management should deal with it through other processes.” Such an approach may be better suited to the BBC and other companies that measure their employees’ performance against specific deliverable targets and deadlines. For those where the number of productive hours is of greater importance, shifting the emphasis to the quality of work could be a better way to fight against procrastination.

A restrictive approach of banning sites may also have negative productivity implications for the IT function itself. Prohibition requires the tracking of sites and policing of employees’ computer use. When it comes to the Internet, tracking and policing is becoming more complex by the day, and IT departments must often task staff to do this on a regular basis.

Freedom to lose information?Accidental or deliberate leakage of sensitive information is a significant threat to a company’s security. Firms have ploughed enormous investments over the past decade into beefing up network defences against security breaches, and in training employees to use information, networks and the devices attached to them with care. The executives in our survey appear sanguine about the level of information security threats they face today, even in these extraordinary times: most say the risk of breaches from

The abuse of social networking sites is more of a managerial or human resources issue than a technology one.



22

20

19

13

22

4

Loss of intellectual property

Reputation or brand damage

Loss of customer data

Financial loss (eg, through fraud)

All of the above equally

Other, please specify

Which type of potential loss or damage from information security breaches should your organisation be most concerned about over the next two years? (% respondents)


external or internal sources is unchanged (or even smaller) since the onset of the economic crisis. However, as mentioned above, leakage of information and increased vulnerability to viruses and hackers are among the primary fears that European executives harbour when it comes to extending greater technology freedom to employees. Intellectual property—the company’s competitive secrets—and customer data are the types of information that firms will most fear losing over the next two years, and they are also concerned about reputation or brand damage resulting from such breaches.

Companies discover—sometimes too late—that in the world of social networking and blogging they have very little control over the outward stream of information: postings from hundreds of employees can reveal too much about the firm’s operations or intellectual property, even if the information itself is not confidential. Mary Sheppard, financial controller at 4X Currency Corporation, a financial services firm, portrays the risk: “Business perception is very important to us. Many of our clients blog and we need to be aware what information is being released. The main risk here is the damage to the company’s reputation. You don’t have a business if a client doesn’t feel secure about what you do.”

Some large organisations such as KPMG, a professional services firm, address the problem of information security by developing internal social networking applications. According to Bryan Clarke, KPMG’s head of ICT, these deliver the benefits of information sharing without the security risks. “Facebook is clearly very popular,” Mr Clarke explains, “but it is not an appropriate place to discuss work; it is simply not secure. We are working to provide a similar capability internally, so that the information could be securely exchanged in a similar fashion.” He warns, however, that “it is not easy to get it right”.

High-risktechnologiesWhen it comes to specific technologies, social media are only one of many potential sources of threat. For survey respondents, file-sharing sites and applications top the list of the most risky technologies; nearly one-half of respondents believe that these should be banned in the workplace altogether. Potential breaches of security and viruses are not the only problems with peer-to-peer technologies; file sharing can lead to copyright violations—and thus exposure to legal risks—and it also affects the performance of companies’ networks. According to the OECD, in 2007 as many as �7% of west European Internet users regularly accessed peer-to-peer file sharing sites, but even a small number of people downloading music and videos can slow a company’s Internet traffic to a trickle. In markets where



companies are required to pay for their Internet traffic—in Russia, for example—file sharing can be very costly. Executives in Italy and the UK express a particularly high degree of concern with the risks posed by file-sharing sites.

The use of personal laptops and notebook computers is another category of high-risk devices mentioned by European executives. Some firms are beginning to encourage employees to use these in order to reduce infrastructure costs and also to boost personal productivity, particularly while travelling. However, laptops and notebooks equipped with WiFi or a mobile broadband connection and unprotected by virtual private network (VPN) software can create holes in network security and be easily exploited by hackers. The potential loss of large amounts of sensitive data stored on laptops is likely to preclude a majority of organisations from going down this road. Mr Jutte of Achmea, for example, says that he would not consider allowing the use of personal portables. “Laptops are high risk because they are used by senior management, who have access to the most sensitive information. We are, however, very familiar with the potential risks around using laptops; there is plenty of hardware and software to deal with them.”

The issue is not as clear-cut for netbooks—low-cost mini-notebooks used to browse the Internet and access the most basic personal productivity applications. With a price tag of US$300-400, they are affordable for many employees, while their small size makes them easy to carry around. The risks around the use of netbooks, however, are very similar to laptops; 7% of executives in the survey believe that the use of personal netbooks should be banned in the workplace.

28

27

25

22

21

12

9

7

6

3

File-sharing sites/applications

Laptop and notebook computers

E-mail

Social networking sites (eg, Facebook, LinkedIn)

Smartphones

Blogging sites or services

Instant messaging

Netbook computers

Mobile phones

Wikis and similar collaborative sites

The use of which of the following technologies/applications will pose the greatest information security risks in your workplace over the next two years? Select up to two. (Top responses; % responses)




V irtually all companies will need to allow a greater degree of technology freedom than exists at present, as completely controlling employees’ use of a burgeoning number of devices, websites

and applications is simply not feasible. More freedom to choose their own IT tools might be good news for tech-savvy employees, but for CIOs and IT teams it presents the headache of having to find new ways of providing a secure working environment. For business unit managers, it means increasing watchfulness over employees’ daily work practices to discourage productivity-sapping activities. Organisations such as IBM and the BBC have made headway in introducing rules for more technology freedom, but most others have barely made a start.

What can management do to prepare their organisations for the transition to a more open technology environment? When it comes to guarding against information security breaches, executives in our survey believe that the most useful steps would be to conduct regular and mandatory training courses for employees, upgrade network security defences and develop formal guidelines

Keepingchaosatbay

3835

28

2147

21

3848

27

5025

39

4933

27

Total

Netherlands

UK

Germany

Russia

Which of the following would be the most practical and effective measures the organisation can take to ensure that greater employee freedom in the use of technology does not result in the loss of company information? Select up to two. (% respondents)

Conduct regular and mandatory training courses for employeeson guarding against information loss

Upgrade network security systems Draft and distribute formal guidelines for employees' use ofsocial networking and similar applications


Keypoints

n NomorethanahandfulofEuropeanfirmsprovidetrainingontheworkplaceuseofsocialnetworksandpersonalcommunicationsdevices,orhaveplanstodoso.

nAllowingemployeesorbusinessunitsthepowertomakedecisionsaboutnewapplicationsandsitesshould,intheory,easesomeoftheburdenonITdepartments.

n MoreITstaffmaybeneededtoensureapplicationanddevicesecurity,butthesearemorelikelytoworkinbusinessunitsthanintheITdepartment.


© The Economist Intelligence Unit Limited 2009��

governing the use of social networking and similar applications. German and Russian respondents put particular stress on the importance of employee training and education, whereas those from the UK and Netherlands emphasize the need to upgrade network security.

TraininggoesmissingMost executives claim that their firms have already developed the IT policies that govern the use of hardware devices, applications and websites which employees can use in the workplace. “We learn some of these tools by doing,” says Mr Bevan of IBM. “If you let your employees loose with new technologies, almost anything can happen.” IBM created a set of non-compulsory guidelines for its Innovation Jams and for blogs. In its online guide for bloggers, IBM admonishes its employees: “Don’t cite or reference clients, partners or suppliers without their approval”; and it proceeds to offer other guidelines on the use of content, proprietary information and copyright issues. The BBC, according to Mr Linwood, requires that employees clearly identify themselves when discussing company-related matters and use disclaimers.

If the survey is any judge, however, very few European companies have begun to instil these principles in the minds of their employees. More than one-half of survey respondents say their firms provide training on safe computing practices, but no more than 21% provide training to employees on the use of personal communications devices (including laptops) at work, and only 17% do this for using social networking applications. What’s worse, no more than one-fifth of these companies have plans to provide such training in the future. Education and training normally do not require heavy investment and should be straightforward first steps to ensure that technology democracy does not descend into chaos. But who in the organisation should be responsible for this?

Norestforthevigilant

Achmea, the Netherlands’ largest insurance company with 13,500 employees, added PDAs (personal digital assistants) and smartphones to its portfolio of business communications devices about two years ago, but Bob Jutte, the firm’s CIO, continues to review the potential risks of using them. “Smartphones,” he says, “now have connections to the mobile Internet and have effectively become small notebooks. Originally it was a mobile contact book, now it is a mobile office. So we need to continue looking for a good security solution for PDAs. Once we find it, we will be able to use PDAs more widely in the company.”

Similarly, Achmea is constantly reviewing the use of social media and Internet sites. It blacklists and blocks the sites it considers too risky, but the list is reviewed and modified on a continuous basis, allowing access to sites if they are considered secure.

Both Achmea’s business units and external partners advise the

IT team on what should be allowed or banned. Mr Jutte, however, sees a problem with this approach. “The challenge is that when you find a solution for one PDA or smartphone model, a new generation is coming out a month later with new technology and means completely new risks. This adds considerably to the workload of the IT team.”

This dilemma is familiar to most companies grappling with “technology democracy” even in industries less conservative than insurance. If personal mobile devices and social media are to be used in the workplace, the IT division will need to feel that their security is ensured. However, the explosion in the number of sites and devices make their use increasingly difficult to control. One possible answer is to create a single security management interface that would safeguard different devices and applications. For now, however, something will have to give: the security of workplace devices is likely to come at the expense of their variety and choice, but some control over the use of social media sites and applications will need to be delegated to business units.



Should IT ease up on the reins?Finding the right balance between according greater technology freedom to employees and safeguarding against technology misuse and security breaches will be extremely difficult for companies. On the one hand, the younger workforce has more knowledge about new technologies and—in theory at least—requires less hand-holding from IT. Allowing employees or their business units the power to make decisions about new applications and sites should also—in theory—ease the burden on IT departments that themselves are being given many new challenges to help the business grow. On the other hand, as the technology demands of different business units start to diverge, the range of potential security breaches is likely to expand, and the IT team may need to spend more time securing new devices and software. More, not fewer, IT staff may be required to ensure adequate network and device security in this environment (although recession will mitigate against hiring new staff in the short term). These are more likely to end up working in business units than in the central IT department.

Faced with these new requirements, a centralised IT approach may run counter to the objective of ensuring that “technology freedom” does not lead to damaging security breaches or other problems. Devolving some responsibility for security appears to be the next best option. When asked their view on the implications of greater technology freedom for the IT function, survey respondents reply that the delegation of responsibility for information security to individual business units is the most likely outcome. (IT executives are even more emphatic that this will be the case than other categories of respondent.) This would allow the IT function to focus on other tasks, such as the management of firewalls and other aspects of physical network security and tracking new external threats.

Even firms that are unlikely to go in for a decentralised approach to security (and managing technology use) see the value in consulting with the business units on security policy. According to Mr Nagle of Kellogg, “IT regards itself as the guardian of access to the Internet, but we set the rules in consultation with business units. We also liaise with the HR, communications and marketing divisions as to who should have access to various social networking sites, to make sure that IT is aware of their relevance to different functions.”

Rules governing how employees use personal devices and applications should be specific to each business unit and not uniform — technology autonomyis appropriate for some types of employees more than others

The IT department should focus on other, more critical issues than controlling how employees use devices and applications

Do you agree or disagree with the following statements about the role of the IT function in governing employee's use oftechnology? (% respondents)

65205315

66324214

Strongly agree Agree Disagree Strongly disagree Don't know/Not applicable


Devolving some responsibility for information security to individual business units is one likely response to greater technology freedom.



Conclusion

Democracy, in the view of the Economist Intelligence Unit, is the most efficient and equitable form of political organisation that countries can hope to achieve. But it is far from perfect, and its

imperfections keep us from arguing that it is a viable form of organisation for businesses, which often require executive diktat to achieve the objectives set for them by shareholders.

In business as well as politics, however, information is a powerful tool, and modern technology is putting more information into the hands of more people at all levels than ever before. For this reason, companies may not be able to resist the encroachment of some principles of democracy into some parts of their operations. To the extent that expanded freedom boosts morale and energises the forces of innovation, this development will be good for businesses.

So, we believe, will be the case when it comes to the use of technology itself. As Generation Y establishes itself in the workforce, employees will increasingly seek to use the devices and applications they are most familiar with to do their jobs. Companies will not be able to control this entirely, and this may be no bad thing. The most innovative solutions to business challenges tend to be conceived at the grassroots level; increasingly tech-savvy employees make it likely that information and communications technology will be part of most new business innovations. Much education, training and organisational experimentation is needed to ensure that greater technology freedom does not sap productivity or cause damage to the company. The sooner that firms begin to tackle this, the sooner the benefits of technology democracy will start to flow.


�9 © The Economist Intelligence Unit Limited 2009

AppendixSurvey results


Appendix:SurveyresultsIn March-April 2009 the Economist Intelligence Unit conducted a survey of 390 executives of companies from seven countries in Europe. Our sincere thanks go to all those who took part in the survey.

Please note that not all answers add up to �00%, either because of rounding or because respondents were able to provide multiple answers to some questions.

Social networking and similar applications

Personal communications devices (employees' own mobile phones, own notebook computers, etc)

Are your employees making increasing use of the following types of technologies to conduct their work (as opposed to usingthem for personal reasons during work hours)? (% respondents)

4242349

3111868

Yes No Not sure, but sense they are Don't know/Not applicable

Do you agree or disagree with the following statements about employees' use of digital technology in the workplace? (% respondents)

85215215

51037426

7527538

115284412

111842264


Our employees frequently use social networking and similar applications for personal rather than work purposes

Senior management is supportive of according employees greater freedom to use applications and devices of their choice (not necessarily thoseprovided by the company) in order to perform their work

We can trust our employees to use the applications and devices of their choice appropriately for work purposes

Employees' increased use of social networking and similar applications has increased our organisation's security risk

Employees in our organisation who use social networking or similar applications while at work are likely to face disciplinary action

Significantly more opportunity than risk

Somewhat more opportunity than risk

Equal balance of opportunity and risk

Somewhat more risk than opportunity

Significantly more risk than opportunity


12

30

23

18

13

4

How would you say that senior management of your company views the balance of opportunity versus risk in allowing employees greater freedom to use the technologies of their choice in the workplace? (% respondents)

20 © The Economist Intelligence Unit Limited 2009



31

5

27

25

22

16

15

15

8

5

3

1

6

Enhanced innovation (eg, from employees' involvement in online forums, etc)

Enhanced employee morale

More effective collaboration with external partners

Improved productivity

Faster decision-making

Greater team cohesion

More effective marketing and advertising

Improved brand visibility

Improved customer loyalty (eg, from employee use of multiple channels in customer communications)

IT staff are freed up to focus on other responsibilities


None of the above


Which of the following, if any, are likely to be the main benefits to your organisation resulting from employees’ greater freedom to use applications and devices? Select up to two. (% respondents)

Loss of productivity

Leakage of confidential company information

Increased network vulnerability to viruses

Loss of IT department's control over technology use in the company

Increased network vulnerability to external hackers

Damage to the firm's reputation and brand

Leakage of customer data

Managers' reduced control over information flow within their teams

Increased liability to legal claims against the company


None of the above


35

32

24

19

18

12

12

11

6

1

5

3

Which of the following, if any, are likely to be the main negative consequences for your organisation resulting from employees' greater freedom to use applications and devices? Select up to two. (% respondents)

2� © The Economist Intelligence Unit Limited 2009



Do you agree or disagree with the following statements about the use of social media in the workplace? (% respondents)

95254911

8534

11635

467

435


The business benefits of employee use of social networks, blogs and other online communities are underrated

The benefits of allowing employees to utilise applications (such as social networks and blogs) of their choice in the workplace outweigh the risk ofproductivity loss resulting from their use

The benefits of allowing employees to utilise these applications outweigh the risk of information security breaches resulting from their use

From internal threats (employee malfeasance or negligence)

From external threats (viruses, hacking and other cybercrime)

How has the overall level of risk of information security breaches — from both internal and external threats — changed foryour organisation since economic and market conditions began to deteriorate? (% respondents)

8

8

458

656

264

219

Significantly increased Slightly increased Remained unchanged Slightly decreased Significantly decreased Don't know/Not applicable

34

28

20

19

17

17

17

14

2

2

Lack of employee understanding of security policies

Increasing sophistication of hackers and other external sources of threat

Sabotage or threat of sabotage from disgruntled employees

Employees' increasing use of social networking and similar applications while at work

Falling employee morale

Employees' increasing use of their own communications devices while at work

Failure of the organisation's network defences to keep pace with the existing threats

Increase in remote working (employees working from home)



If you responded "increased" to any part of question 7, what are the main reasons for the change? Select up to two. (% respondents)







23

21

18

14

21

3

Which type of potential loss or damage from information security breaches has your organisation been most concerned about over the past two years? (% respondents)







22

20

19

13

22

4

Which type of potential loss or damage from information security breaches should your organisation be most concerned about over the next two years? (% respondents)




46

23

20

20

18

16

11

2

9

Employee negligence (eg, losing a work device, forgetting to sign off of the network)

Employee use of devices not authorised or approved by the IT department

Employee sabotage or theft

Data loss from third parties (eg, outsourcing partners, suppliers)

Network defences are breached by external attackers

Employee misuse of blogs, social networks or similar applications

Data loss in transit (eg, by couriers)



When important company information is lost or compromised, what are the most likely factors? Select up to two. (% respondents)


Laptop and notebook computers

E-mail

Social networking sites (eg, Facebook, LinkedIn)

Smartphones (eg, Blackberry devices, personal digital assistants)


Instant messaging

Netbook computers

Mobile phones

Wikis and similar collaborative sites (eg, Wikipedia)



28

27

25

22

21

12

9

7

6

3

4

8

The use of which of the following technologies/applications will pose the greatest information security risks in your workplace over the next two years? Select up to two.(% respondents)


Personal email accounts (eg, Hotmail, Google mail)

Personal social networking sites such as Facebook


Instant messaging

Music players such as the iPod

Professional social networking sites such as LinkedIn

Netbook computers

Personal mobile phones


None of these


47

29

24

22

17

12

10

8

6

2

17

5

Which, if any, of the following technologies or applications should employees be banned from using in the workplace for information security reasons? Select all that apply. (% respondents)




Personal social networking sites such as Facebook


Music players such as the iPod

Personal email accounts (eg, Hotmail, Google mail)

Instant messaging


Professional social networking sites such as LinkedIn

Personal mobile phones

Netbook computers


None of these


47

32

30

28

25

23

13

13

6

1

14

4

Which, if any, of the following technologies or applications should employees be banned from using in the workplace for productivity reasons? Select all that apply. (% respondents)

Very familiar

Somewhat familiar

Only partially familiar

Not at all familiar


26

47

21

4

3

How familiar are your employees with the information security policies and procedures in place in your organisation? (% respondents)

Which hardware devices (eg, laptops, storage devices, personal digital assistants) can or cannot be used in the workplace for work purposes?

Which websites (eg, social networking sites) can or cannot be accessed using the work computer?

Which applications (eg, media players, Web 2.0 toolbars) may be installed on the work computer?

The use of computers and applications by home-based workers

Does your organisation currently have IT policies which outline the following? (% respondents)

62469

83656

72865

132859

Yes No Don’t know

38

35

28

25

21

16

7

1

8

Conduct regular and mandatory training courses for employees on guarding against information loss

Upgrade network security systems

Draft and distribute formal guidelines for employees' use of social networking and similar applications

Prohibit employees' use of anything but company-authorised applications and devices

Extend network protection systems to employees' personal communications devices

Establish internal websites (eg, social networks) where employees can communicate with each other

Increase the monitoring of social networks and blogs



Which of the following would be the most practical and effective measures the organisation can take to ensure that greater employee freedom in the use of technology does not result in the loss of company information? Select up to two. (% respondents)




The use of social networking and similar applications at work

The use of personal communications devices (their own mobile phones, own notebook computers, etc) at work

General safe computing practices

Does your organisation provide formal training (eg, seminars) to employees on the following? (% respondents)

7

7

7

7717

7221

4152

Yes No Don’t know

The use of social networking and similar applications at work

The use of personal communications devices (their own mobile phones, own notebook computers, etc) at work

General safe computing practices

If you responded "no" to any part of question 16, does your organisation intend to provide formal training (eg, seminars) toemployees in that area? (% respondents)

266113

225820

163549

Yes No Don’t know

Do you agree or disagree with the following statements about the role of the IT function in governing employees’ use of technology? (% respondents)

6

6

520

632

5315

4214


Rules governing how employees use personal devices and applications should be specific to each business unit and not uniform — technology autonomyis appropriate for some types of employees more than others

The IT department should focus on other, more critical issues than controlling how employees use devices and applications

36

33

29

21

20

16

If employees in your organisation are likely to gain greater freedom to use applications and devices of their choice, what are the main implications for the IT function? Select all that apply. (% respondents)

Responsibility for information security (excluding the management of network firewalls, perimeter protection, etc) will increasingly be devolved to theindividual business units

More IT staff will be needed to ensure adequate network and device security in this more open environment

IT staffing will remain the same but they will be able to focus on activities of more direct relevance to the business objectives

Responsibility for delivery of IT services is likely to become increasingly de-centralised to individual business units

Responsibility for delivery of IT services is likely to become more centralised than it is now

Don't know




Financial services

Professional services

IT and technology

Manufacturing

Government/Public sector

Consumer goods

Healthcare, pharmaceuticals and biotechnology

Telecoms

Education

Entertainment, media and publishing

Energy and natural resources

Construction and real estate

Transportation, travel and tourism

Retailing

Automotive

Chemicals

Agriculture and agribusiness

Logistics and distribution

17

16

9

8

6

6

3

3

2

2

1

1

6

6

4

4

4

3

What is your primary industry? (% respondents)

Sweden

Netherlands

United Kingdom

Germany

Italy

Russia

France

18

17

15

14

13

12

11

In which country are you personally based? (% respondents)

50

12

13

7

18

$500m or less

$500m to $1bn

$1bn to $5bn

$5bn to $10bn

$10bn or more

What are your organisation's global annual revenues in US dollars? (% respondents)

Board member

CEO/President/Managing director

CFO/Treasurer/Comptroller

CIO/Technology director

Other C-level executive

SVP/VP/Director

Head of Business Unit

Head of Department

Manager

Other

7

23

9

4

5

16

4

10

15

7

Which of the following best describes your title? (% respondents)

2� © The Economist Intelligence Unit Limited 2009



General management

Strategy and business development

Marketing and sales

Finance

IT

Operations and production

Customer service

Risk

R&D

Human resources

Information and research

Legal

Supply-chain management

Procurement

Other

36

29

24

3

3

7

22

16

12

9

8

8

8

7

4

What are your main functional roles? Please choose no more than three functions. (% respondents)

Less than 100

100 to 299

300 to 499

500 to 699

700 to 999

1,000 or more

Don't know

55

11

3

4

3

16

9

Approximately how many full-time IT staff does your organisation have worldwide? (% respondents)

Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this white paper or any of the information, opinions or conclusions set out in the white paper.

Cover image - © Stephan Zirwes/Getty Images

LONDON26 Red Lion SquareLondon WC1R 4HQUnited KingdomTel: (44.20) 7576 8000Fax: (44.20) 7576 8476E-mail: [email protected]

NEW YORK111 West 57th StreetNew York NY 10019United StatesTel: (1.212) 554 0600Fax: (1.212) 586 1181/2E-mail: [email protected]

HONG KONG6001, Central Plaza18 Harbour RoadWanchai Hong KongTel: (852) 2585 3888Fax: (852) 2802 7638E-mail: [email protected]

Power to the people: Managing technology democracy in the workplace

Business

Transcript of Power to the people: Managing technology democracy in the workplace