I moderated a Webcast recently on messaging-based security threats. An analyst on the panel did what analysts always do: provided some very sound advice that happens to be very difficult to implement.
His recommendation for enterprises was to accommodate user workflows, that is, to embrace the new technologies that users bring in from the outside to help them do their jobs.
It's great advice, but not always feasible because user-driven technologies are always ahead of enterprise policy, which tends to take a default-deny stance. IM, which was discussed in the Webcast, is a textbook example. Users brought IM into the enterprise because it facilitated communication with clients and coworkers. But IM is a nightmare for IT, particularly for highly regulated industries, because it's an inbound channel for malware and an outbound channel for sensitive data.
User-driven technologies also tend to be ahead of the tools that IT requires to monitor and manage them. Again, IM is a good example. Before dedicated IM proxies emerged, IT had to play the firewall version of whack-a-mole with port-hopping IM services.
Another problem is that IT serves multiple masters. No IT professional wants to stand in the way of user productivity, but they also have to answer to an extremely long list of corporate, industry and federal requirements. Like a parachute behind a race car, these requirements slow IT's response to emergent technologies.
So while I salute the analyst for some good advice, I'm not sure how effective it will be in today's IT reality. And the conflicts we've seen over IM are sure to be played out again over technologies such as the iPhone and enterprise mashups.