RSA, the security division of EMC, today published two reports on the so-called consumerization of IT -- one from a survey it commissioned from IDG and another from the Security for Business Innovation Council (SBIC), which provides recommendations for managing this changing technology landscape.
Sam Curry, CTO for global marketing at RSA, says he was surprised at the high percentage of enterprises in the IDG survey that are embracing consumer-driven tools, such as smartphones, social networking, and iPads. "The big numbers were the first thing that leapt out at me," Curry says. "I had expected more resistance."
Of the about 400 IT and security professionals in the IDG survey, 76 percent say they believe end users increasingly have more influence in device and application purchase decisions in their organizations. More than 60 percent say users have a say in the types of smartphones that are procured, and 20 percent say they let users make the call on the brand. More than half say users get input on netbook purchases, and half say they give them a say in tablet computing decisions.
More than one-fourth of the respondents say their users are allowed to use their own PCs or mobile devices for work, and more than 80 percent permit social networking -- 62 percent of whom use it for business communication.
The catch: Only 11 percent are "very confident" that they have the proper security in place to lock down these consumer devices and apps. And 23 percent admitted having a serious breach occur due to a personal or consumer device on their corporate network.
Curry says it was surprising that even with nearly one-fourth of the organizations suffering security breaches due to these devices, they still supported the technologies. "They are still saying, 'We have to embrace this,'" he says.
Just over 20 percent of the organizations say they had "thoroughly" assessed the risk of bringing these technologies in-house, while 40 percent say they hadn't calculated their risks at all. Another 38 percent say they had assessed the risks in some cases, but not all.
The SBIC report, meanwhile, recommends that IT security teams shift their thinking from one of command and control to more oversight and business enablement, and leverage users as tech-savvy resources in a two-way dialogue. Other tips: calculate the risks associated with user-driven IT, get up to speed on consumer tools, stay ahead of the curve in new trends, and work more closely with vendors.
"You have to frame the discussion on risk and reward," RSA's Curry says.