On the IT side, most companies are familiar with the model of employees introducing productivity and communication tools into the environment. PDAs exploded using this model. The burden of understanding the technology, securing it, supporting it and making it economically feasible then falls squarely into the realm of the CIO. Depending on the timing, technology and impact on the network, this can be an overwhelming burden. If the efficiency gains are significant enough, however, you can count on deployment. There is also the technology gap to consider, and this can have significant contractual, expenditure and relationship impact with service providers. A good example would be end users downloading and utilizing mobile VoIP products on converged handsets -- a direction most service providers are not readily embracing.
For compliance and legal groups, the rogue introduction of technology presents a much steeper hill to climb, and perhaps a more significant risk. Publicly traded companies attempting to comply with Sarbanes-Oxley and other regulatory initiatives are presented with new material exposures, in terms of the proper auditing and archiving of messaging and conversational threads outside of email. Available on the Internet are newer chat technologies that leave no fingerprint -- presenting a nightmare scenario on the legal front. These scenarios are a few clicks away from being present in the enterprise, most at little or no cost and completely accessible by end users via the Internet. If the network isn't rock solid from a security and application standpoint, now would be a good time to pursue a strategy.
From a human resources and corporate culture perspective, the issue becomes less clear from a risk and benefit point of view. Companies want employees to be creative and introduce ideas and concepts to drive results quickly and efficiently. It's healthy for the business, and employees often appreciate the responsibility. At the same time, organizations do not want to jeopardize security, compliance or their infrastructure to enable that creativity. The odds of disaster may be slim, but it's not fiction -- it can happen, making it a tangible and measurable exposure.
My advice to organizations hasn't changed much over the last few years in terms of approach to this issue, since the issue itself is, in essence, technology-agnostic. In order to stay competitive, organizations need to embrace employee creativity and experimentation, so set up the right environment to do so -- culturally, politically and philosophically. This starts with leadership messaging and is supported by a healthy dose of end-user training, common-sense policies, the right tools, and a rock-solid network. People who introduce rogue applications often do so after being told "NO" by their internal IT staff, with little direction or understanding of the reasons. This is the main cause of the problem. Very often, employees don't realize the jeopardy they are exposing the organization to. With a few malicious exceptions, most employees want their company to succeed, and that notion can be capitalized on. If you can change the approach on the new application and say, "YES, and here's how we'll test it," the outcomes may be radically different. More importantly, behavior will change in the future, and that's where the real return is waiting.
About the author: Michael Voellinger is widely respected as one of the nation's top technology strategists and is considered to be a thought leader in telecommunications. With more than 10 years of experience, Michael's analysis of security risk mitigation, compliance and the convergence of telecommunications has been continually sought out by leading corporations, government and financial institutions. Michael's commentary has appeared in The Wall Street Journal, New York Times, Investor's Business Daily, Smartmoney.com, and CNN Money, as well as numerous industry publications.