'Millennials' buck IT security policies

By Linda Tucci, Senior News Writer
26 Mar 2008 | SearchCIO.com

Age matters when it comes to information technology security. A new survey from Symantec Corp. shows what many CIOs are no doubt discovering: Young men and women entering the workforce -- dubbed "millennials" -- are not only less inclined than older employees to draw a line between corporate and personal use of technology, but they will also buck corporate security policies to access information.

The survey shows that millennials -- defined as employees 28 years or younger -- access Web 2.0 applications much more frequently than their older counterparts. According to the survey, for example, 75% of millennials access Web-based personal email at work, compared with 54% of other workers; 66% regularly access Facebook or MySpace, compared with 13% of other workers; and 51% of millennials access personal finance applications, compared with 27% of other workers.

That's just the tip of the culture shift.

When asked whether they feel entitled to use whatever application or device or technology they would like, regardless of source or corporate IT policies, 69% of millennials said yes, compared with 31% of other workers. Indeed, 75% of millennials have downloaded software on their work computer for personal use, vs. 25% of other workers -- even though 85% of the organizations surveyed indicate their policies restrict that practice. Millennials also regularly store their corporate data on personal devices: 39% on personal computers, 38% on personal USB devices, 20% on personal hard drives and 16% on personal smartphones.

The survey, conducted in March, is based on phone interviews with 600 employees, 20% of them millennials, 20% "others" and 20% identified as "IT decision makers."

What's security got to do with it?

The proliferation of technology devices and applications, combined with a generation's indiscriminate use of those IT assets, obviously exposes businesses to huge risks -- in data loss, compliance issues, legal implications and so on.

How should the IT establishment respond? Not by yelling and telling, said Samir Kapuria, managing director, Symantec Advisory Consulting Services.

"This is a large volume of people who use these personal technologies," Kapuria said. "Businesses need to ask themselves, 'How do I harness the capabilities of this tech-savvy group while also making sure of eliminating the risks associated with the use of this technology?'"

Kapuria, who has blogged about the survey, said the first step is to define the risk: how many people use social networks on a regular basis, how many access Web-based email, what applications are being downloaded to your corporate assets, and so on. An information lifecycle strategy designed for data that lives in a corporate environment isn't very effective for data that is sitting on a USB drive, smartphone, home PC or external hard drive.

This is not an easy task. The blurring of the line between personal and corporate control of technology makes it hard to know where "the endpoints" are. "In some areas, the CIOs have no hands and eyes to manage the endpoint, so they need to really rely on their people to manage that risk on their behalf," Kapuria said.

But that brings up another worrisome finding from the survey: a majority of IT managers said they are doing an adequate job of educating the workforce about their companies' policies around technology usage. But only 57% of both groups believe they have been trained. (Eleven percent of millennials said they have been trained, but do not follow policies.)

Kapuria said there needs to be a council of people who understand the mind-set of the millennials and can measure the business's risk level through this lens, then identify the hard and soft skills required to remediate the risk. He suggested the council include the chief risk officer, if there is one, the CTO, CSO, general counsel and operations and human resources staff members.

His other piece of advice: Millennials don't like to be told what to do. They respond better to the boss who "coaches" than they do to the boss who bosses. Training and educational programs should show how the risk of ignoring company policies on technology usage is "everyone's risk, thereby making everyone feel they are part of the solution," Kapuria said.

Millennials under the microscope

The survey from Cupertino, Calif.-based Symantec is hardly the first to look at the work habits of the millennials. Psychoanalyzing the quirks and capabilities of these tech-savvy young workers, as well as their capacity for disrupting the workplace, has become something of a cottage industry of late.

Quick learners, adaptive, creative and tribal, millennials are not looking to employers for help, per se, according to Melanie Holmes, an executive at Milwaukee-based staffing firm Manpower Inc. -- just give them the tools to accelerate and they will manage their own careers. This young cohort feels no special loyalty to employers, being more likely to work at a place for a few years and leave. Some millennials will have four or five careers over their working lifetimes.

Jack Harrington, principal of Atlantic Associates Inc., a Boston-based staffing firm specializing in IT, said millennials are hard-working "but have different demands from other generations." They want flexible work schedules and flexible roles at their organizations, Harrington said. They are not only quick to adopt cutting-edge technology, but they are also turned off by companies that don't offer the latest technology.

And by the way, CIOs aren't the only executives wondering how to manage this collective sense of entitlement. In a recent Atlantic Associates survey of Massachusetts executives, more than half of the respondents said that managing young workers was a top challenge.
