Torossian, corporate vice president of worldwide small and midmarket solutions and partners for Microsoft, spoke on the subject here at the 2011 Forrester IT Forum, careening between two positions: on one hand, taking a hard line on security, yet on the other hand, questioning how it meshed with people's inevitable and unavoidable habits.
Not long ago, computers were used to get things done, IT made sure they worked properly, and the boundaries between work and life were distinct.
But things have changed dramatically and rapidly.
"The notion of ending [the workday] at 5 or 6 [p.m.] is over," he said. "People are using devices as an extension of the office."
Suddenly, PCs are everywhere. Employees telecommute, they bring their own laptops to work, they use smartphones and tablets to extend that work, and use cloud apps and social networking to collaborate and connect.
"People say you have better technology at home than at work. That's true," he said. "Thirty-seven percent of U.S. info workers are solving customer and business problems using technology they master first at home, then bring to work."
It has become a work-the-way-you-want-to world. Right?
Wrong, Torossian said. That's not to say it isn't happening -- but it can't be that simple for the companies that must provide such flexibility securely and safely. At least not yet -- and IT pros are stuck in the middle, balancing the interests and expectations of the organization and its employees.
"Most of the time, consumers don't realize the challenges behind privacy," he said, citing theft, security, privacy, compliance and intellectual property protection as business risks.
"The consumerization of IT started many years ago," he said. "This notion of push from the end user [is not new]."
The two biggest hurdles? Device proliferation and the explosion of social media.
"Unmanaged devices have hidden costs," he said. "And on social media networks, you don't know who is a real friend or a business friend."
Specifically, this means headaches such as:
- Unknown patch states
- Unknown application vendors
- Unknown app compatibility
- Corporate data access complexity
- Different management requirements for each device
"We are seeing increasing numbers of iPads stolen, tablets stolen, laptops stolen -- with no encryption on them," he said. "This is a disaster."
But productivity increases with the level of trust. So IT pros need to ask themselves: as consumers' own devices inevitably infiltrate the network, who gets read-write access, and who gets only read?
"Someone stealing that device can have a huge impact on your company," he said. "Make sure that some key line-of-business apps aren't installed on hard drive."
The cloud could help mitigate some of these risks, he said.
So will the passage of time.
"The people born in the last 20 years were born as digital natives," he said. "They were born with a mouse in their hand. This is a fact. Sometimes they are posting things that might be related to your company -- and you have no clue. What's your policy on blogging?"
(He added that 'smart blogging' is acceptable, including about commenting about the company, which he called "risky but fair." But employees with access to financial results or product R&D should keep that under wraps. "People are not journalists," he said. "People are members of your organization.")
You can either embrace it, or don't. But companies must ask themselves: should they lead by example? how should they enforce policies?
"If you implement policies but don't enforce them, don't expect any change," he said. "It's beyond sensitivity of people -- it's about sensitivity of the business itself."
If there's one thing that's clear here, it's that there's nothing clear about this issue. The threats are very real, but each organization needs to tailor its restrictions based on the kind of work groups within it need to perform. It should be no surprise in 2011 that this post was published (and tweeted about) using a non-CBSi-sanctioned computer -- without the use of a VPN.