Managing Technology Democracy in the Workplace

Power to the people? Managing technology democracy in the workplace

Sponsored by

A report from the Economist Intelligence Unit Power to the people? Managing technology democracy in the workplace

Preface

ower to the people? Managing technology democracy in the workplace is an Economist Intelligence P Unit white paper, sponsored by Trend Micro. The Economist Intelligence Unit bears sole responsibility for the content of the report. The Economist Intelligence Unit’s editorial team executed the survey, conducted the analysis and wrote the report. The findings and views expressed here do not necessarily reflect the views of the sponsor. Our research drew on two main initiatives: l We conducted an online survey in March and April 2009. In all, 390 executives from seven European countries took part. l To supplement the survey results, we also conducted in-depth interviews with senior executives and independent experts on technology use in the workplace. The author of this report was Svetlana Grant and the editor was Denis McCauley. Our sincere thanks go to the survey participants and interviewees for sharing their time and insights on this topic.

September 2009

Executive summary

echnology changes are often accompanied by fanfare, but in recent years at least one quiet Ttechnology revolution has been developing in the workplace. Individuals are adopting for work use the applications and devices they have learned to use in their personal lives. Applications previously accessed only on home computers, such as wikis and social networking sites, now appear on business PCs. Nearly every employee is now equipped with a personal mobile device and can become an online publisher with the help of blogs. As a result, employees are challenging the technology status quo in their organisation. Many are demanding “technology democracy”—greater freedom to use the information technology (IT) applications and devices of their choice in order to conduct their work more effectively. Companies are not entirely ready for this development. In Europe, many firms resist the notion of according greater technology choice to employees and business units. Just under one-half—48%—of respondents to an Economist Intelligence Unit survey of European executives conducted for this study say that management of their firms is supportive of expanding technology freedom at the grassroots level, but virtually the same number, 47%, say the opposite. On a hopeful note, executives tend to see more opportunity than risk to their business from this development. Nonetheless, the use of new IT tools goes on at many firms without clear IT guidelines and proper training. In their absence, business risks are likely to increase for these firms. This pressure from below on company management and the IT function will to continue to mount. Generation Y, also known as the “millennials”, is populating the workforce in increasing numbers, and it will not be long before they begin advancing to middle management positions. Increasingly reliant on social media, messaging and other personal networking technologies to conduct their work, this generation will challenge the established modes of IT management in organisations. Other key findings from the research are highlighted below.

l Innovation and morale stand most to benefit from technology freedom. Over 40% of European executives are prepared to deal with the risks of technology democracy in order to reap its business benefits. The chief gains, they believe, will come in the form of better grassroots innovation, as well as higher morale on the part of employees who are trusted to make at least some technology decisions for themselves.

l The risks are real but can be managed. The fears of executives who resist according greater technology freedom in their firms are not misplaced. No few employees have wasted valuable work time using Web 2.0 applications for personal purposes, and companies have been damaged by sensitive information appearing on blogs, for example. Survey respondents agree that the biggest risks from technology democracy are lower productivity, the loss of confidential information and an increased vulnerability to viruses.

l Keeping technology chaos in check requires clear rules. Where any degree of democracy exists, technology freedom must be supported by clear rules and regulations to prevent a descent into chaos. The most important means of minimising productivity loss and security risks include conducting regular and mandatory training courses for employees, developing formal guidelines and continuing the work of upgrading network defences.

l Firms must provide better training on using new technologies. Most executives in the survey claim that their firms have drafted IT policies to govern employees’ use of devices, applications and websites in the workplace. But few have begun to instil these guidelines in the minds of employees: no more than 21% of surveyed firms provide training on the use of personal communications devices, and only 17% do this in regard to social networking applications. More worryingly, no more than one-fifth have plans to do so in the future.

l Some IT decentralisation may be needed to manage the security risks. When asked their view on the implications of greater technology freedom for the IT function, survey respondents’ reply that

Six steps to keep technology democracy from media and personal communication devices should also become part descending into chaos of regular employee training. l Be ready to devolve some security oversight. Securing the ever- expanding universe of applications and devices that employees use Whether or not management is supportive of expanding technology could overwhelm the centralised IT function. Trained IT specialists freedom, grassroots pressure to use new technologies will not go in the business units may be better placed to manage this aspect of away. The research suggests a few measures that all organisations information security. can implement to ensure that this pressure remains creative and not l Develop in-house social networking tools. Large companies destructive. should consider building internal social networking applications, l Publish clear guidelines for technology use and update them which can deliver the benefits of information sharing—especially regularly. Clarifying the rules of technology engagement for improved innovation—without the security risks. Such tools may employees is imperative in order to minimise the threat of security not be right for all firms, however, as they can require significant breaches (and productivity loss). They must also be updated resources to build and maintain. frequently, as technologies change at breathtaking speed. l Make the business units a partner of IT. Current mantra holds l Make the guidelines specific. Some firms which encourage the that the IT function must become a “true partner” of the business workplace use of blogs and social networks, for example, require units. This should also work the other way round. Employees employees, among other things, to identify themselves clearly and often have a keener sense than IT of the business utility of a new to use disclaimers when discussing the firm, and to avoid citing application, and line managers may have a better knowledge of clients, partners or suppliers without their approval. employees’ technology needs and practices. Involving business l Educate and train. It is not enough to develop guidelines; they units in technology decision-making will ensure that this knowledge must be communicated to employees. Courses on the use of social is tapped, and will also expand awareness of new risks.

the delegation of responsibility for information security to individual business units is the most likely outcome. This would allow the IT function to focus on other tasks, such as the management of firewalls and other aspects of physical network security and tracking new external threats.

The technology democracy survey alone accounting for 30% of the group. A range of functions was represented in the survey, with general management, strategy and business The analysis in this study is based in part on development, sales and marketing, finance and IT an online survey, conducted by the Economist the most prominent. Respondents hailed from 18 Intelligence Unit in March and April 2009, of 390 different industries, as well as a range of company executives based in the UK, Germany, France, sizes, with one-half of respondents coming from Italy, the Netherlands, Sweden and Russia. The large firms—those with over US$500m in annual sample was senior: 49% of all respondents were revenue. More details on the survey sample and C-level executives, with CEOs and board members results can be found in the appendix.

Introduction: Challenging the established order

he traditional model of information technology (IT) management in organisations may be likened Tto a benevolent dictatorship. The IT function, led by the chief information officer (CIO), chief technology officer (CTO) or IT director—having the best interests of the business at heart—makes all decisions about which technology tools should be used by staff, procures them centrally, and sets the rules by which these tools are used for daily tasks. This model, which has predominated for half a century around the world, in public- and private-sector organisations alike, allows some limited freedom for experimentation to individual business units, but almost none to individual employees. “Technology democracy”—which we define as freedom to choose the IT applications and devices with which to conduct one’s work—spells chaos and risk for IT’s “benevolent dictators”. As the Internet and advanced (particularly mobile) telecommunications have become a thorn in the side of political dictatorships, however, so the use of these technologies in organisations threatens to erode the traditional model of IT management. By increasingly bringing the technologies they use in their personal lives into the workplace and using them for work purposes, employees are, consciously or not, making a case to be involved in the IT decision-making process. The change is gradual: some use blogs to solicit product or marketing ideas from peers; others use personal mobile devices to read work e-mail or make business calls. In many organisations, the result is a quiet workplace revolution as employees assume the power to choose their own applications and devices. Driving the change is the rising use of Web 2.0 applications and personal communications devices by individuals. The workplace use of these technologies may not yet be as widespread as is popularly assumed, according to Alexandra Jones, associate director of the Work Foundation, a UK not-for-profit institute which conducts research on work practices. Ms Jones points to the results of a recent study by her organisation which suggests that less than one-fifth of UK employees at large companies use blogs or social networks while at work.1 There is little doubt, however, that the workplace use of these technologies is on the rise. More than two-thirds of European executives in our survey believe that the use of personal mobile phones and notebook computers by their employees for work (as opposed to personal) purposes is increasing; 1 The Work Foundation, Changing Relationships at nearly one-half think the same about social networking and similar applications. Work, 2008. Several changes in the working environment will ensure that this trend continues. One is the arrival

of a young generation of employees to the low and middle ranks of the workforce. This Generation Y, or “millennials”, born between the early 1980s and the mid-1990s, grew up using mobile phones and the Internet; most of them are IT-savvy and accustomed to using social media online. During the next five years, they will progress to middle management positions, and some will even start bringing the use of “CEOs and CIOs new technologies into executive suites and boardrooms. need to get used Another change is the rise of teleworking. The UK’s Institute for Employment Studies predicts that to the idea that telecommuters in the original 15 EU member countries will top 27m by 2010, or 14% of all employees, their companies up from approximately 4m in 2000. In the US, already as many as 22% of the entire workforce work are now more open remotely at least one day a week, according to WorldatWork, a professional association focusing and accept it when on human resources management. Geographically dispersed employees need new technologies to employees give communicate and manage teams. away more Michael Nelson, visiting professor of Internet studies at Georgetown University in the US, describes information. They the resulting change as “the blurring of boundaries between personal and professional, between also need to rethink the use of technology for personal and business purposes”. He believes that its consequences are their information significant: “The biggest problem corporations face is a cultural issue. CEOs and CIOs need to get used and technology to the idea that their companies are now more open and accept it when employees give away more management.” information. They also need to rethink their information and technology management.” Michael Nelson, visiting Far from all the executives in our survey appear ready for this. Just under one-half of respondents professor of Internet studies, say that senior management is supportive of according employees greater freedom to use applications Georgetown University and devices of their choice, or “technology democracy”. Employees in 40% of Russian firms and 38% of Dutch firms in the survey are likely to face disciplinary actions for using social networking applications. (German and French firms are considerably less likely to impose sanctions than the European average.) Technology use in these companies continues to follow the traditional rules, but for how much longer?

Key points n Some European executives focus on the risks of according greater technology freedom, but a larger share see greater opportunity than risk in this development. n A growing number of companies across different industries are leveraging interactive Web 2.0 technologies to enhance their innovation practices. n Freedom to use new technologies and innovate can also become an important morale booster for employees.

Democracy in action

uropean companies are divided in their views on technology democracy, and for good reason. EExpanding employees’ freedom of choice introduces many unknowns into the established system of IT functions and responsibilities. It opens new and exciting business opportunities, but it also exposes organisations to risks which they have spent many years trying to manage and minimise. The arrival of many new technologies to the workplace, moreover, is so recent that executives have not had time to give them much consideration. The above are likely to be reasons why nearly one-third of survey respondents (and over 40% of IT executives) believe there is more risk than opportunity in according employees greater freedom to use technologies of their choice at work, and that 23% see as much risk as opportunity. A larger share of European executives see a brighter side, however: 42% are prepared to deal with the risks in order to capitalise on its business benefits. UK executives are the survey’s most optimistic national group

How would you say that senior management of your company views the balance of opportunity versus risk in allowing employees greater freedom to use the technologies of their choice in the workplace? (% respondents) Total IT Non-IT Significantly more opportunity than risk 12 8 13 Somewhat more opportunity than risk 30 27 30 Equal balance of opportunity and risk 23 18 25 Somewhat more risk than opportunity 18 19 18 Significantly more risk than opportunity 13 24 11 Don't know/Not applicable 4 5 4 Source: Economist Intelligence Unit survey, April 2009.

Which of the following, if any, are likely to be the main benefits to your organisation resulting from employees’ greater freedom to use applications and devices? Select up to two. (Top responses from selected countries; % responses) Enhanced innovation (eg, from employees' involvement in online forums, etc) Enhanced employee morale More effective collaboration with external partners Total 31 27 25 UK 35 32 27 Germany 38 46 23 Italy 37 27 20 Russia 29 13 40 Source: Economist Intelligence Unit survey, April 2009. on this count, with half seeing more opportunity than risk. (Russian executives, by contrast, emerge as the most wary, with 41% seeing a greater amount of risk.) John Linwood, CTO of the BBC, the UK’s public broadcasting company, sums up this sentiment: “There are clearly risks involved, but we think those are far outweighed by the opportunities.” Mr Nelson articulates the benefit for businesses: “Every time a new technology appears, it gives people more power. Organisations that find the way to build on this power and take advantage of the new tools are the ones that will come out ahead.” The chief rewards for accepting the risks, according to the survey group, include better innovation, improved employee morale and enhanced collaboration with external partners. Freedom to innovate A growing number of companies across different industries are leveraging interactive Web 2.0 technologies to enhance their innovation practices. One of them is IBM, an IT services firm. Says Ed Bevan, IBM’s vice-president for innovation and market insight: “We think that innovation today is a much more complex process than in a lone-inventor era. Successful innovation requires a combination of many technologies, business processes and even business models. For that you need more expertise, and using social media and online tools are very useful.” Brainstorming with IBM uses online collaboration to develop ideas for new business investment. The company has been social networking organising an online brainstorming session called Innovation Jam™ since 2006, using a combination of technologies technology platforms it built for the purpose; these have led the company to create ten new businesses requires clear with seed financing totalling US$100m, according to Mr Bevan. The 2008 session brought together thinking beforehand 90,000 participants from 1,000 companies in 20 industries. about what to do Mr Bevan explains the philosophy behind IBM’s approach: “Technology is obviously very important with the resulting [to innovation], but it is much more important to have alignment between business approach, strategy flow of ideas. and the culture created within a company or a group of companies, which includes partners. We have

a very similar approach to Innovation Jams, blogs, social media or any other new technologies. It is all about democratisation and listening to many voices and ideas, allowing people to collaborate in business ventures, and creating a flat playing field with non-hierarchical approach.” Such brainstorming, however, requires clear thinking beforehand about what to do with the resulting flow of ideas, warns Mr Bevan, otherwise “you have a big party where everybody constantly contributes and then nothing happens.” Many organisations are also proactively utilising social media to leverage what Mr Nelson calls the “power and wisdom of crowds”. Such organisations as the BBC, for example, use social networking sites to solicit feedback from their viewers. Lego, a Danish toymaker, consults an online panel of young toy users called “Kid’s Inner Circle” on specific innovations they would like to see in new products.2 Happier employees, more effective teams Freedom to use new technologies and innovate can also become an important morale booster for employees. Ms Jones from the Work Foundation believes that improved loyalty and higher employee retention are important benefits of a more open working environment: “We found that new technologies are associated with a more flexible culture and could play a role in supporting closer working relationships. Where the choice and use of new technologies is allowed, employees are more likely to 2 The Lego and Procter & Gamble examples are describe their organisation as having a culture based on loyalty and mutual trust, and this is what people described in The digital like in the workplace.” The survey results support this assertion, at least in some European countries: as company 2013: How many as 46% of German respondents and 31% of those from the UK believe enhanced workplace morale technology will empower is among the main benefits they expect to gain from greater employee freedom to use technology. the customer, a 2008 white paper from the Economist In addition to talent retention, new technologies are also seen as an effective tool for collaborating Intelligence Unit. with external partners and creating greater team cohesion. Longer and more complicated supply

For the BBC, social media opportunities outweigh a new version of iPlayer [an online play-back portal for the earlier the risks broadcast programmes], for example, we use the Twitter community to get feedback on different features.” Mr Linwood admits that using social media has increased the risks BBC, the British public service broadcaster, has adopted a for the company: “Social networks are another vehicle that malicious liberal view on the use of new technologies. Its journalists and people can use; we are aware of that and are making sure that our IT reporters use social media sites, such as Twitter, on a daily basis policies and procedures can deal with it.” The corporation has rules as one of many sources of information and public opinion, and for the use of social media and blogging, and it sends its employees leverage Facebook in their research of news stories and people. on mandatory training courses to make sure they have sufficient BBC employees also use Facebook for internal networking and knowledge and skills to use information effectively and wisely. communication with colleagues. The IT department is also mulling Information security is a shared responsibility at the BBC, over the policies that would permit the use of personal laptops. according to Mr Linwood. “Responsibility for developing information John Linwood, the BBC’s CTO, who joined the corporation in early policy and understanding the IT threats lies with the CIO. But in 2009 from Yahoo, an online media portal, is receptive to many other terms of implementation, it is up to each individual employee. Once uses of social media in the workplace. “We are the largest media they receive the training, they need to step up and take responsibility company in the UK, with 28,000 employees, and interaction with our for their own actions and for data security within their area. Our role audiences is very important to us. Social networking is an additional is to equip and educate staff across the organisation and then have tool we can use to achieve greater interactivity. Whenever we release them take responsibility for the areas in which they are involved.”

chains increase companies’ reliance on their partners and suppliers, and require more extensive channels for communication. Social networking by no means replaces more traditional forms of communication such as phone, e-mail and face-to-face meetings, but rather complements and augments them. Even in companies that are wary of the idea of “technology freedom”, the use of new tools is on the rise: Achmea, an insurance provider based in the Netherlands, for example, uses instant messaging to link its 13,500 employees spread across 12 locations.

10 © The Economist Intelligence Unit Limited 2009 Power to the people? Managing technology democracy in the workplace

Key points n Productivity loss is viewed as the chief risk of according employees greater technology freedom. n In the world of social networking, firms have very little control over the outward stream of information, increasing the risk of losing IP and customer data. n File-sharing sites and applications top European executives’ list of the most risky technologies.

New technologies, familiar risks

or every organisation like the BBC which is comfortable with according employees freedom Fto use technologies of their choice, there is at least one, if not more, which is not. Kellogg Company, a food producer, is one of the latter. Says Mike Nagle, Kellogg’s director of regional IT in Europe and Asia-Pacific: “We currently do not allow employees to choose and use their own devices or applications in the workplace. We also disallow the use of social networking sites selectively and personal e-mail completely. We apply these rules on the basis of threats to security and productivity.” The aforementioned Achmea is another firm wary of allowing technology choice. Bob Jutte, Achmea’s CIO, explains his management’s view: “We do not think it is appropriate for our employees to choose and use their own devices. There is too much risk of losing confidential company information and customer data.” This is not, however, an immutable position. “We are reviewing our policy on social

Which of the following, if any, are likely to be the main negative consequences for your organisation resulting from employees' greater freedom to use applications and devices? Select up to two. (Top responses from selected countries; % responses) Loss of productivity Leakage of confidential company information Increased network vulnerability to viruses Total 35 32 24 Sweden 30 29 27 Germany 36 41 23 Italy 47 33 20 Russia 42 36 31 France 38 31 21 Source: Economist Intelligence Unit survey, April 2009.

11 © The Economist Intelligence Unit Limited 2009 Power to the people? Managing technology democracy in the workplace

networking sites all the time,” affirms Mr Jutte. “When we have a clear picture of the risks and know that we can manage them, then we make changes.” Even executives supportive of technology democracy in the business acknowledge that it comes with many strings attached in the form of risks. The biggest of these, according to survey respondents, is the potential loss of employee productivity; this is especially worrying for firms in Italy and Russia. Others are security-related: the loss of confidential company information and a firm’s increased vulnerability to viruses. As many as 41% of Germany’s executives, for example, view the loss of sensitive information as a major risk of greater technology freedom for employees. Efficiency drain Social networking sites, blogs and wikis (websites that allows visitors to contribute or modify content) were created for the purpose of socialising with friends, family and peers. These sites are all too often used in the office for just this purpose, wasting hours of productive time. Facebook is the best- known distraction, but there is a site just like it in all markets, be it Bebo in the UK or Odnoklassniki. ru (translated as “classmates”) in Russia. In many cases, employers draw the line between personal social sites and those that aid professional and business networking. Achmea in the Netherlands, for example, allows its employees to use LinkedIn, but prohibits the use of Facebook. The line between the two is often very thin: reading pages of news and information from such sites as Twitter can distract employees from more important work, even if they read it for professional purposes. The abuse of The easiest way to minimise this source of productivity loss is to ban the use of certain social social networking networking sites. In the survey, 24% of European executives state that access to Facebook should be sites is more of disallowed in their organisations, and 22% would ban blogging sites and services. This is the practice a managerial or at some of the firms whose executives were interviewed for this study. human resources Mr Linwood of the BBC takes a different view, namely that the abuse of social networking sites is issue than a more of a managerial or human resources issue than a technology one. “Social networking is just one technology one. of many things people do to waste their time,” he says. “If employees are not doing their job, the management should deal with it through other processes.” Such an approach may be better suited to the BBC and other companies that measure their employees’ performance against specific deliverable targets and deadlines. For those where the number of productive hours is of greater importance, shifting the emphasis to the quality of work could be a better way to fight against procrastination. A restrictive approach of banning sites may also have negative productivity implications for the IT function itself. Prohibition requires the tracking of sites and policing of employees’ computer use. When it comes to the Internet, tracking and policing is becoming more complex by the day, and IT departments must often task staff to do this on a regular basis. Freedom to lose information? Accidental or deliberate leakage of sensitive information is a significant threat to a company’s security. Firms have ploughed enormous investments over the past decade into beefing up network defences against security breaches, and in training employees to use information, networks and the devices attached to them with care. The executives in our survey appear sanguine about the level of information security threats they face today, even in these extraordinary times: most say the risk of breaches from

12 © The Economist Intelligence Unit Limited 2009 Power to the people? Managing technology democracy in the workplace

Which type of potential loss or damage from information security breaches should your organisation be most concerned about over the next two years? (% respondents)

Loss of intellectual property 22 Reputation or brand damage 20 Loss of customer data 19 Financial loss (eg, through fraud) 13 All of the above equally 22 Other, please specify 4 Source: Economist Intelligence Unit survey, April 2009. external or internal sources is unchanged (or even smaller) since the onset of the economic crisis. However, as mentioned above, leakage of information and increased vulnerability to viruses and hackers are among the primary fears that European executives harbour when it comes to extending greater technology freedom to employees. Intellectual property—the company’s competitive secrets—and customer data are the types of information that firms will most fear losing over the next two years, and they are also concerned about reputation or brand damage resulting from such breaches. Companies discover—sometimes too late—that in the world of social networking and blogging they have very little control over the outward stream of information: postings from hundreds of employees can reveal too much about the firm’s operations or intellectual property, even if the information itself is not confidential. Mary Sheppard, financial controller at 4X Currency Corporation, a financial services firm, portrays the risk: “Business perception is very important to us. Many of our clients blog and we need to be aware what information is being released. The main risk here is the damage to the company’s reputation. You don’t have a business if a client doesn’t feel secure about what you do.” Some large organisations such as KPMG, a professional services firm, address the problem of information security by developing internal social networking applications. According to Bryan Clarke, KPMG’s head of ICT, these deliver the benefits of information sharing without the security risks. “Facebook is clearly very popular,” Mr Clarke explains, “but it is not an appropriate place to discuss work; it is simply not secure. We are working to provide a similar capability internally, so that the information could be securely exchanged in a similar fashion.” He warns, however, that “it is not easy to get it right”. High-risk technologies When it comes to specific technologies, social media are only one of many potential sources of threat. For survey respondents, file-sharing sites and applications top the list of the most risky technologies; nearly one-half of respondents believe that these should be banned in the workplace altogether. Potential breaches of security and viruses are not the only problems with peer-to-peer technologies; file sharing can lead to copyright violations—and thus exposure to legal risks—and it also affects the performance of companies’ networks. According to the OECD, in 2007 as many as 17% of west European Internet users regularly accessed peer-to-peer file sharing sites, but even a small number of people downloading music and videos can slow a company’s Internet traffic to a trickle. In markets where

13 © The Economist Intelligence Unit Limited 2009 Power to the people? Managing technology democracy in the workplace

The use of which of the following technologies/applications will pose the greatest information security risks in your workplace over the next two years? Select up to two. (Top responses; % responses)

File-sharing sites/applications 28 Laptop and notebook computers 27 E-mail 25 Social networking sites (eg, Facebook, LinkedIn) 22 Smartphones 21 Blogging sites or services 12 Instant messaging 9 Netbook computers 7 Mobile phones 6 Wikis and similar collaborative sites 3 Source: Economist Intelligence Unit survey, April 2009. companies are required to pay for their Internet traffic—in Russia, for example—file sharing can be very costly. Executives in Italy and the UK express a particularly high degree of concern with the risks posed by file-sharing sites. The use of personal laptops and notebook computers is another category of high-risk devices mentioned by European executives. Some firms are beginning to encourage employees to use these in order to reduce infrastructure costs and also to boost personal productivity, particularly while travelling. However, laptops and notebooks equipped with WiFi or a mobile broadband connection and unprotected by virtual private network (VPN) software can create holes in network security and be easily exploited by hackers. The potential loss of large amounts of sensitive data stored on laptops is likely to preclude a majority of organisations from going down this road. Mr Jutte of Achmea, for example, says that he would not consider allowing the use of personal portables. “Laptops are high risk because they are used by senior management, who have access to the most sensitive information. We are, however, very familiar with the potential risks around using laptops; there is plenty of hardware and software to deal with them.” The issue is not as clear-cut for netbooks—low-cost mini-notebooks used to browse the Internet and access the most basic personal productivity applications. With a price tag of US$300-400, they are affordable for many employees, while their small size makes them easy to carry around. The risks around the use of netbooks, however, are very similar to laptops; 7% of executives in the survey believe that the use of personal netbooks should be banned in the workplace.

14 © The Economist Intelligence Unit Limited 2009 Power to the people? Managing technology democracy in the workplace

Key points n No more than a handful of European firms provide training on the workplace use of social networks and personal communications devices, or have plans to do so. n Allowing employees or business units the power to make decisions about new applications and sites should, in theory, ease some of the burden on IT departments. n More IT staff may be needed to ensure application and device security, but these are more likely to work in business units than in the IT department.

Keeping chaos at bay

irtually all companies will need to allow a greater degree of technology freedom than exists at Vpresent, as completely controlling employees’ use of a burgeoning number of devices, websites and applications is simply not feasible. More freedom to choose their own IT tools might be good news for tech-savvy employees, but for CIOs and IT teams it presents the headache of having to find new ways of providing a secure working environment. For business unit managers, it means increasing watchfulness over employees’ daily work practices to discourage productivity-sapping activities. Organisations such as IBM and the BBC have made headway in introducing rules for more technology freedom, but most others have barely made a start. What can management do to prepare their organisations for the transition to a more open technology environment? When it comes to guarding against information security breaches, executives in our survey believe that the most useful steps would be to conduct regular and mandatory training courses for employees, upgrade network security defences and develop formal guidelines

Which of the following would be the most practical and effective measures the organisation can take to ensure that greater employee freedom in the use of technology does not result in the loss of company information? Select up to two. (% respondents) Conduct regular and mandatory training courses for employees Upgrade network security systems Draft and distribute formal guidelines for employees' use of on guarding against information loss social networking and similar applications Total 38 35 28 Netherlands 21 47 21 UK 38 48 27 Germany 50 25 39 Russia 49 33 27 Source: Economist Intelligence Unit survey, April 2009.

15 © The Economist Intelligence Unit Limited 2009 Power to the people? Managing technology democracy in the workplace

governing the use of social networking and similar applications. German and Russian respondents put particular stress on the importance of employee training and education, whereas those from the UK and Netherlands emphasize the need to upgrade network security. Training goes missing Most executives claim that their firms have already developed the IT policies that govern the use of hardware devices, applications and websites which employees can use in the workplace. “We learn some of these tools by doing,” says Mr Bevan of IBM. “If you let your employees loose with new technologies, almost anything can happen.” IBM created a set of non-compulsory guidelines for its Innovation Jams and for blogs. In its online guide for bloggers, IBM admonishes its employees: “Don’t cite or reference clients, partners or suppliers without their approval”; and it proceeds to offer other guidelines on the use of content, proprietary information and copyright issues. The BBC, according to Mr Linwood, requires that employees clearly identify themselves when discussing company-related matters and use disclaimers. If the survey is any judge, however, very few European companies have begun to instil these principles in the minds of their employees. More than one-half of survey respondents say their firms provide training on safe computing practices, but no more than 21% provide training to employees on the use of personal communications devices (including laptops) at work, and only 17% do this for using social networking applications. What’s worse, no more than one-fifth of these companies have plans to provide such training in the future. Education and training normally do not require heavy investment and should be straightforward first steps to ensure that technology democracy does not descend into chaos. But who in the organisation should be responsible for this?

No rest for the vigilant IT team on what should be allowed or banned. Mr Jutte, however, sees a problem with this approach. “The challenge is that when you find a solution for one PDA or smartphone model, a new generation Achmea, the Netherlands’ largest insurance company with is coming out a month later with new technology and means 13,500 employees, added PDAs (personal digital assistants) and completely new risks. This adds considerably to the workload of the smartphones to its portfolio of business communications devices IT team.” about two years ago, but Bob Jutte, the firm’s CIO, continues to This dilemma is familiar to most companies grappling with review the potential risks of using them. “Smartphones,” he says, “technology democracy” even in industries less conservative than “now have connections to the mobile Internet and have effectively insurance. If personal mobile devices and social media are to be become small notebooks. Originally it was a mobile contact book, used in the workplace, the IT division will need to feel that their now it is a mobile office. So we need to continue looking for a good security is ensured. However, the explosion in the number of sites security solution for PDAs. Once we find it, we will be able to use and devices make their use increasingly difficult to control. One PDAs more widely in the company.” possible answer is to create a single security management interface Similarly, Achmea is constantly reviewing the use of social media that would safeguard different devices and applications. For now, and Internet sites. It blacklists and blocks the sites it considers too however, something will have to give: the security of workplace risky, but the list is reviewed and modified on a continuous basis, devices is likely to come at the expense of their variety and choice, allowing access to sites if they are considered secure. but some control over the use of social media sites and applications Both Achmea’s business units and external partners advise the will need to be delegated to business units.

16 © The Economist Intelligence Unit Limited 2009 Power to the people? Managing technology democracy in the workplace

Do you agree or disagree with the following statements about the role of the IT function in governing employee's use of technology? (% respondents) Strongly agree Agree Disagree Strongly disagree Don't know/Not applicable Rules governing how employees use personal devices and applications should be specific to each business unit and not uniform — technology autonomy is appropriate for some types of employees more than others 15 53 20 5 6 The IT department should focus on other, more critical issues than controlling how employees use devices and applications 14 42 32 6 6 Source: Economist Intelligence Unit survey, April 2009.

Should IT ease up on the reins? Finding the right balance between according greater technology freedom to employees and safeguarding against technology misuse and security breaches will be extremely difficult for companies. On the one hand, the younger workforce has more knowledge about new technologies and—in theory at least—requires less hand-holding from IT. Allowing employees or their business units the power to make Devolving some decisions about new applications and sites should also—in theory—ease the burden on IT departments responsibility that themselves are being given many new challenges to help the business grow. On the other hand, for information as the technology demands of different business units start to diverge, the range of potential security security to breaches is likely to expand, and the IT team may need to spend more time securing new devices and individual business software. More, not fewer, IT staff may be required to ensure adequate network and device security in units is one likely this environment (although recession will mitigate against hiring new staff in the short term). These are response to more likely to end up working in business units than in the central IT department. greater technology Faced with these new requirements, a centralised IT approach may run counter to the objective of freedom. ensuring that “technology freedom” does not lead to damaging security breaches or other problems. Devolving some responsibility for security appears to be the next best option. When asked their view on the implications of greater technology freedom for the IT function, survey respondents reply that the delegation of responsibility for information security to individual business units is the most likely outcome. (IT executives are even more emphatic that this will be the case than other categories of respondent.) This would allow the IT function to focus on other tasks, such as the management of firewalls and other aspects of physical network security and tracking new external threats. Even firms that are unlikely to go in for a decentralised approach to security (and managing technology use) see the value in consulting with the business units on security policy. According to Mr Nagle of Kellogg, “IT regards itself as the guardian of access to the Internet, but we set the rules in consultation with business units. We also liaise with the HR, communications and marketing divisions as to who should have access to various social networking sites, to make sure that IT is aware of their relevance to different functions.”

17 © The Economist Intelligence Unit Limited 2009 PowerPower to the to thepeople? people? ManagingManaging technology technology democracy democracy in the in workplacethe workplace

Conclusion

emocracy, in the view of the Economist Intelligence Unit, is the most efficient and equitable form Dof political organisation that countries can hope to achieve. But it is far from perfect, and its imperfections keep us from arguing that it is a viable form of organisation for businesses, which often require executive diktat to achieve the objectives set for them by shareholders. In business as well as politics, however, information is a powerful tool, and modern technology is putting more information into the hands of more people at all levels than ever before. For this reason, companies may not be able to resist the encroachment of some principles of democracy into some parts of their operations. To the extent that expanded freedom boosts morale and energises the forces of innovation, this development will be good for businesses. So, we believe, will be the case when it comes to the use of technology itself. As Generation Y establishes itself in the workforce, employees will increasingly seek to use the devices and applications they are most familiar with to do their jobs. Companies will not be able to control this entirely, and this may be no bad thing. The most innovative solutions to business challenges tend to be conceived at the grassroots level; increasingly tech-savvy employees make it likely that information and communications technology will be part of most new business innovations. Much education, training and organisational experimentation is needed to ensure that greater technology freedom does not sap productivity or cause damage to the company. The sooner that firms begin to tackle this, the sooner the benefits of technology democracy will start to flow.

18 © The Economist Intelligence Unit Limited 2009 Appendix Power to the people? Survey results Managing technology democracy in the workplace

Appendix: Survey results

In March-April 2009 the Economist Intelligence Unit conducted a survey of 390 executives of companies from seven countries in Europe. Our sincere thanks go to all those who took part in the survey. Please note that not all answers add up to 100%, either because of rounding or because respondents were able to provide multiple answers to some questions.

Are your employees making increasing use of the following types of technologies to conduct their work (as opposed to using them for personal reasons during work hours)? (% respondents) Yes No Not sure, but sense they are Don't know/Not applicable Social networking and similar applications 49 23 24 4 Personal communications devices (employees' own mobile phones, own notebook computers, etc) 68 18 11 3

Do you agree or disagree with the following statements about employees' use of digital technology in the workplace? (% respondents) Strongly agree Agree Disagree Strongly disagree Don't know/Not applicable Our employees frequently use social networking and similar applications for personal rather than work purposes 15 52 21 5 8 Senior management is supportive of according employees greater freedom to use applications and devices of their choice (not necessarily those provided by the company) in order to perform their work 6 42 37 10 5 We can trust our employees to use the applications and devices of their choice appropriately for work purposes 8 53 27 5 7 Employees' increased use of social networking and similar applications has increased our organisation's security risk 12 44 28 5 11 Employees in our organisation who use social networking or similar applications while at work are likely to face disciplinary action 4 26 42 18 11

Significantly more opportunity than risk 12 Somewhat more opportunity than risk 30 Equal balance of opportunity and risk 23 Somewhat more risk than opportunity 18 Significantly more risk than opportunity 13 Don't know/Not applicable 4

19 © The Economist Intelligence Unit Limited 2009 Appendix Power to the people? Survey results Managing technology democracy in the workplace

Which of the following, if any, are likely to be the main benefits to your organisation resulting from employees’ greater freedom to use applications and devices? Select up to two. (% respondents)

Enhanced innovation (eg, from employees' involvement in online forums, etc) 31 Enhanced employee morale 27 More effective collaboration with external partners 25 Improved productivity 22 Faster decision-making 16 Greater team cohesion 15 More effective marketing and advertising 15 Improved brand visibility 8 Improved customer loyalty (eg, from employee use of multiple channels in customer communications) 5 IT staff are freed up to focus on other responsibilities 3 Other, please specify 1 None of the above 6 Don't know/Not applicable 5

Loss of productivity 35 Leakage of confidential company information 32 Increased network vulnerability to viruses 24 Loss of IT department's control over technology use in the company 19 Increased network vulnerability to external hackers 18 Damage to the firm's reputation and brand 12 Leakage of customer data 12 Managers' reduced control over information flow within their teams 11 Increased liability to legal claims against the company 6 Other, please specify 1 None of the above 5 Don't know/Not applicable 3

20 © The Economist Intelligence Unit Limited 2009 Appendix Power to the people? Survey results Managing technology democracy in the workplace

Do you agree or disagree with the following statements about the use of social media in the workplace? (% respondents) Strongly agree Agree Disagree Strongly disagree Don't know/Not applicable The business benefits of employee use of social networks, blogs and other online communities are underrated 11 49 25 5 9 The benefits of allowing employees to utilise applications (such as social networks and blogs) of their choice in the workplace outweigh the risk of productivity loss resulting from their use 7 46 34 5 8 The benefits of allowing employees to utilise these applications outweigh the risk of information security breaches resulting from their use 5 43 35 6 11

How has the overall level of risk of information security breaches — from both internal and external threats — changed for your organisation since economic and market conditions began to deteriorate? (% respondents)

Significantly increased Slightly increased Remained unchanged Slightly decreased Significantly decreased Don't know/Not applicable From internal threats (employee malfeasance or negligence) 4 26 58 4 8 From external threats (viruses, hacking and other cybercrime) 9 21 56 6 8

If you responded "increased" to any part of question 7, what are the main reasons for the change? Select up to two. (% respondents)

Lack of employee understanding of security policies 34 Increasing sophistication of hackers and other external sources of threat 28 Sabotage or threat of sabotage from disgruntled employees 20 Employees' increasing use of social networking and similar applications while at work 19 Falling employee morale 17 Employees' increasing use of their own communications devices while at work 17 Failure of the organisation's network defences to keep pace with the existing threats 17 Increase in remote working (employees working from home) 14 Other, please specify 2 Don't know/Not applicable 2

Which type of potential loss or damage from information Which type of potential loss or damage from information security breaches has your organisation been most concerned security breaches should your organisation be most about over the past two years? concerned about over the next two years? (% respondents) (% respondents)

Loss of customer data Loss of intellectual property 23 22 Loss of intellectual property Reputation or brand damage 21 20 Reputation or brand damage Loss of customer data 18 19 Financial loss (eg, through fraud) Financial loss (eg, through fraud) 14 13 All of the above equally All of the above equally 21 22 Other, please specify Other, please specify 3 4

21 © The Economist Intelligence Unit Limited 2009 Appendix Power to the people? Survey results Managing technology democracy in the workplace

When important company information is lost or compromised, what are the most likely factors? Select up to two. (% respondents)

Employee negligence (eg, losing a work device, forgetting to sign off of the network) 46 Employee use of devices not authorised or approved by the IT department 23 Employee sabotage or theft 20 Data loss from third parties (eg, outsourcing partners, suppliers) 20 Network defences are breached by external attackers 18 Employee misuse of blogs, social networks or similar applications 16 Data loss in transit (eg, by couriers) 11 Other, please specify 2 Don't know/Not applicable 9

The use of which of the following technologies/applications Which, if any, of the following technologies or applications will pose the greatest information security risks in your should employees be banned from using in the workplace for workplace over the next two years? Select up to two. information security reasons? Select all that apply. (% respondents) (% respondents)

File-sharing sites/applications File-sharing sites/applications 28 47 Laptop and notebook computers Personal email accounts (eg, Hotmail, Google mail) 27 29 E-mail Personal social networking sites such as Facebook 25 24 Social networking sites (eg, Facebook, LinkedIn) Blogging sites or services 22 22 Smartphones (eg, Blackberry devices, personal digital assistants) Instant messaging 21 17 Blogging sites or services Music players such as the iPod 12 12 Instant messaging Professional social networking sites such as LinkedIn 9 10 Netbook computers Netbook computers 7 8 Mobile phones Personal mobile phones 6 6 Wikis and similar collaborative sites (eg, Wikipedia) Other, please specify 3 2 Other, please specify None of these 4 17 Don't know/Not applicable Don't know/Not applicable 8 5

22 © The Economist Intelligence Unit Limited 2009 Appendix Power to the people? Survey results Managing technology democracy in the workplace

Which, if any, of the following technologies or applications How familiar are your employees with the information security should employees be banned from using in the workplace for policies and procedures in place in your organisation? productivity reasons? Select all that apply. (% respondents) (% respondents) Very familiar Personal social networking sites such as Facebook 26 47 Somewhat familiar Blogging sites or services 47 32 Only partially familiar Music players such as the iPod 21 30 Not at all familiar Personal email accounts (eg, Hotmail, Google mail) 4 28 Don't know/Not applicable Instant messaging 3 25 File-sharing sites/applications 23 Professional social networking sites such as LinkedIn 13 Personal mobile phones 13 Netbook computers 6 Other, please specify 1 None of these 14 Don't know/Not applicable 4

Does your organisation currently have IT policies which outline the following? (% respondents) Yes No Don’t know Which hardware devices (eg, laptops, storage devices, personal digital assistants) can or cannot be used in the workplace for work purposes? 69 24 6 Which websites (eg, social networking sites) can or cannot be accessed using the work computer? 56 36 8 Which applications (eg, media players, Web 2.0 toolbars) may be installed on the work computer? 65 28 7 The use of computers and applications by home-based workers 59 28 13

Conduct regular and mandatory training courses for employees on guarding against information loss 38 Upgrade network security systems 35 Draft and distribute formal guidelines for employees' use of social networking and similar applications 28 Prohibit employees' use of anything but company-authorised applications and devices 25 Extend network protection systems to employees' personal communications devices 21 Establish internal websites (eg, social networks) where employees can communicate with each other 16 Increase the monitoring of social networks and blogs 7 Other, please specify 1 Don't know/Not applicable 8

23 © The Economist Intelligence Unit Limited 2009 Appendix Power to the people? Survey results Managing technology democracy in the workplace

Does your organisation provide formal training (eg, seminars) to employees on the following? (% respondents) Yes No Don’t know The use of social networking and similar applications at work 17 77 7 The use of personal communications devices (their own mobile phones, own notebook computers, etc) at work 21 72 7 General safe computing practices 52 41 7

If you responded "no" to any part of question 16, does your organisation intend to provide formal training (eg, seminars) to employees in that area? (% respondents) Yes No Don’t know The use of social networking and similar applications at work 13 61 26 The use of personal communications devices (their own mobile phones, own notebook computers, etc) at work 20 58 22 General safe computing practices 49 35 16

Do you agree or disagree with the following statements about the role of the IT function in governing employees’ use of technology? (% respondents) Strongly agree Agree Disagree Strongly disagree Don't know/Not applicable Rules governing how employees use personal devices and applications should be specific to each business unit and not uniform — technology autonomy is appropriate for some types of employees more than others 15 53 20 5 6 The IT department should focus on other, more critical issues than controlling how employees use devices and applications 14 42 32 6 6

If employees in your organisation are likely to gain greater freedom to use applications and devices of their choice, what are the main implications for the IT function? Select all that apply. (% respondents)

Responsibility for information security (excluding the management of network firewalls, perimeter protection, etc) will increasingly be devolved to the individual business units 36 More IT staff will be needed to ensure adequate network and device security in this more open environment 33 IT staffing will remain the same but they will be able to focus on activities of more direct relevance to the business objectives 29 Responsibility for delivery of IT services is likely to become increasingly de-centralised to individual business units 21 Responsibility for delivery of IT services is likely to become more centralised than it is now 20 Don't know 16

24 © The Economist Intelligence Unit Limited 2009 Appendix Power to the people? Survey results Managing technology democracy in the workplace

In which country are you personally based? What are your organisation's global annual revenues in US (% respondents) dollars? (% respondents) Sweden 18 Netherlands 17 $500m or less 50 United Kingdom $500m to $1bn 12 15 $1bn to $5bn 13 Germany 14 $5bn to $10bn 7 Italy $10bn or more 18 13 Russia 12 France 11

What is your primary industry? Which of the following best describes your title? (% respondents) (% respondents)

Financial services Board member 17 7 Professional services CEO/President/Managing director 16 23 IT and technology CFO/Treasurer/Comptroller 9 9 Manufacturing CIO/Technology director 8 4 Government/Public sector Other C-level executive 6 5 Consumer goods SVP/VP/Director 6 16 Healthcare, pharmaceuticals and biotechnology Head of Business Unit 6 4 Telecoms Head of Department 6 10 Education Manager 4 15 Entertainment, media and publishing Other 4 7 Energy and natural resources 4 Construction and real estate 3 Transportation, travel and tourism 3 Retailing 3 Automotive 2 Chemicals 2 Agriculture and agribusiness 1 Logistics and distribution 1

25 © The Economist Intelligence Unit Limited 2009 Appendix Power to the people? Survey results Managing technology democracy in the workplace

What are your main functional roles? Please choose no more than three functions. (% respondents)

General management 36 Strategy and business development 29 Marketing and sales 24 Finance 22 IT 16 Operations and production 12 Customer service 9 Risk 8 R&D 8 Human resources 8 Information and research 7 Legal 4 Supply-chain management 3 Procurement 3 Other 7

Approximately how many full-time IT staff does your organisation have worldwide? (% respondents)

Less than 100 55 100 to 299 11 300 to 499 3 500 to 699 4 700 to 999 3 1,000 or more 16 Don't know 9

26 © The Economist Intelligence Unit Limited 2009 Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this white paper or any of the information, opinions or conclusions set out in the white paper.

Cover image - © Stephan Zirwes/Getty Images LONDON 26 Red Lion Square London WC1R 4HQ United Kingdom Tel: (44.20) 7576 8000 Fax: (44.20) 7576 8476 E-mail: [email protected]

NEW YORK 111 West 57th Street New York NY 10019 United States Tel: (1.212) 554 0600 Fax: (1.212) 586 1181/2 E-mail: [email protected]

HONG KONG 6001, Central Plaza 18 Harbour Road Wanchai Hong Kong Tel: (852) 2585 3888 Fax: (852) 2802 7638 E-mail: [email protected]