Courtesy of InformationWeek Internet activist and entrepreneur John Gilmore once declared, "The Net treats censorship as a defect and routes around it." Today, that's how many employees view their IT departments. Widespread user adoption of familiar, often free consumer-oriented Web tools has left IT professionals scrambling to balance permissiveness and paternalism. Fact is, workers like consumer technologies--whether instant messaging, e-mail from Yahoo or Microsoft with abundant storage, information-sharing sites, or handy Web apps--often better than the tech tools their companies prescribe. At the same time, employees shouldn't be allowed to download the latest Google beta just because they can. System security and management are still critical considerations, often with legal and regulatory teeth behind them. But if IT pros are seen only as "The Ones Who Say No," they risk surrendering their roles as innovators. Such a posture also has serious economic consequences. Only 6 percent of U.S. companies say they want to lead in adopting newer technologies, compared with 15 percent in Europe and 19 percent in China, according to an Accenture survey of more than 500 companies and government agencies. Seventy-five percent of Chinese companies are committing a major part of their business to Web services, compared with less than half of U.S. and European companies. The risk: Companies in emerging markets will have systems that let them adapt to change faster, while U.S. companies pour their money into fortifying older systems. Ray Ozzie rang this bell at Microsoft's Tech-Ed 2006 conference, days before he was named the company's chief software architect earlier this month. Ozzie challenged IT pros to redefine their oversight role to reflect the blurring of boundaries between the enterprise and the outside world, between personal and professional computing. "IT's requirements needn't be inconsistent with end users' desires," he said. Given the consequences of losing control--most worrisome, a security breach--most IT pros aren't eager to stoke this debate inside their companies. But it's raging whether they're involved or not. "Central IT's getting out of control," fumes one software developer at a major public company, citing the difficulty running several computers in his office. "It takes an act of Congress to get them all on the network. To get around the issue we have put hubs in our offices, and whenever we need IT support we hide them." But rules and controls exist for a reason. In a discussion on the InformationWeek Weblog, a business owner says he found that 60 percent of his bandwidth was being hogged for personal use, such as streaming music and video. "Then IT and senior management are branded evil because we turn off streaming video and streaming radio and whatnot," he writes. "But there are real, tangible costs involved." The proper length of leash differs for every company, but IT teams must ask themselves if they're giving employees enough room to maneuver. For example, instead of blocking Web sites using filtering software, they can let people who need wide-ranging information have unfettered access, but with the knowledge that filters will report whether they visit potentially inappropriate sites and will even alert managers. They can accept that instant messaging is here to stay and work with vendors like FaceTime or IMlogic to secure it. If employees are bringing in Google Desktop to search across e-mail, Web, and desktop files, and the IT organization bans it for security or manageability reasons, the conversation shouldn't end there. There's a lesson in every rogue Web application employees bring in, says Brad Shipp, VP of IT for Cox New England, a unit of broadband services company Cox Communications. "Find out why that Web app is being used, because it's obviously filling some kind of need that IT isn't meeting," Shipp says. "They're all red flags, but they're also opportunities for doing something better." Veterans will see in this a timeless debate over the role of centralized versus decentralized IT management. Mainframes meant centralization, client-server brought decentralization, which brought enough mayhem to spark "recentralization." Do we need to cook up some new jargon--employee-centric centralization? Whatever it takes, consumer technology's forcing this debate, and IT teams must take it on. The Apps Will Keep Coming Google is just one of the many companies offering Web tools that appeal to people at work. Microsoft and Yahoo last week added features to their IM systems, like the ability to share files more easily, that will thrill employees yet terrify some IT teams. Dave Girouard, general manager of Google Enterprise, insists that consumer technology "is really what's driving information technology today." In a keynote speech at the MIT Sloan CIO Symposium last week, Girouard said business software is built for businesses, but "not for humans." New features only add to IT's complexity and make it "less usable over time to most employees." Business apps require too much training and expertise, he said, contrasting a standard user interface to the Apple iPod's simple one. Self-directed workers need access to information, yet they're stymied by IT silos. And this from the Google guy who's trying to court business IT. "Google doesn't come down on the side of letting people use whatever they want," he said. "Businesses are businesses." But companies must provide more options that let innovative employees work in the way they're most productive. Focus on the end user, Girouard implored business and IT managers, "and all else will follow." One simple example facing IT departments: Should they offer information workers the option of Web-based word processing tools, like Google Writely? The tools offer features that can make working remotely with a colleague or partner on a project easier, but they haven't been battle-tested for security risk or network impact. Still, a few companies are starting to consider them. In a survey by JupiterResearch, 6 percent of companies with 100 or more employees say they use a Web-based productivity suite, and that will rise to 9 percent over the next 12 months. Employees are only going to keep challenging their IT departments. "The days of IT doling out technology as they see fit are numbered," Gartner VP David Smith says. At information services company Thomson, the use of software as a service to manage financial reporting, purchasing, travel claims, and other processes already has diminished the scope of the IT group's influence, says security architect Ron Ogle. The transition, however, will take years, not months. Short term, consumer technology in the workplace will increase internal IT requirements because data control and integration across Web applications must be dealt with through on-staff expertise, says Nicholas Carr, author of the iconoclastic "Does IT Matter?" But over the next decade, Carr argues, most corporate IT jobs will go away. "As companies shift to the software-as-a-service model, it means that the infrastructure they're going to have to maintain locally is going to shrink," he says. Ozzie dismissed such predictions as "extremist" and said every company will have a mix of hosted and on-site apps, including software very specific to an individual business. As far as Keith Martin is concerned, the role of the traditional IT organization hasn't changed. Martin, a director of financial and payroll application development at the University of Houston, says he's still caught up in rolling out enterprise application upgrades. The university spends several hundred thousand dollars a year on Microsoft productivity applications, and Martin says that cost--not great features or employee demand--would be the only reason to replace them with online apps. For many IT pros like him, all this is a nice theoretical debate that crashes against day-to-day realities: They spend 80 percent or more of their budgets maintaining what they have, and there's scant time, money, or management direction to explore new options. Practical Choices Ron Bonig, deputy CIO of George Washington University, thinks businesses already are reshaping their IT for Web-centric end users, though not necessarily by importing consumer apps. "We use a lot of Web front ends to our ERP systems, so that people don't have the old way of getting to them," he says. "So we're delivering services through the Web as opposed to downloading reports or filling out Oracle forms." Law firm Keesal, Young & Logan doesn't try to prevent users from bringing in Web tools and apps. Instead, it tries to block potential threats. The firm uses McAfee's security suite to scan all activity at the desktop and Websense's bandwidth optimizer to limit streaming video and audio to a maximum of 30 percent of the firm's total bandwidth. The goal is to meet security and performance standards while giving employees the freedom to experiment with new technologies, says Justin Hectus, director of information. "Control and structure are important," he says, "but sometimes the best tools are introduced organically." Construction company Barton Malow takes the hard-line approach, using proxy servers to give employees access only to sites deemed business-relevant. It works with business units to add sites to the list or give limited access if there's a business need. The company controls access to Web apps through ports in its firewall. "It's not perfect, but it is very effective," CIO Phil Go says. The Bottom Line For many IT managers, talk of expanding access to Web apps or giving employees more control begins and ends with security. With the increased revelations of system breaches and vulnerabilities, and warnings about all manner of other misconduct employees are capable of, it's no wonder that business technologists are paranoid. "We've found things like active prostitution rings being run out of organizations," says John Amaral, VP of research and development at content monitoring and filtering company Vericept. "We've found corporate espionage, people falsifying claims of sexual harassment." But security concerns can become a crutch for IT teams, Gartner's Smith says. "If they put policies in place and make it so that people go around them, they end up opening up bigger security holes," he says. For instance, severely limiting e-mail storage can encourage employees to use a free service like Google's Gmail, putting sensitive information at risk. Better to just give employees the e-mail storage they need. Overbearing security can hurt productivity. The software developer cited earlier relates how the IT department's fear of malware has led to an over-the-top computer hygiene regimen that even shuts off a PC's audio, cutting him off from Web conferences and seminars. Then there's the matter of basic computer performance. "I don't mind the scans when I go to a Web site or the prolonged downloads," he says, "but when my cheap, underpowered computer at home kicks butt on my work computer, there is something wrong." ProBusiness Services, a division of payroll services company Automatic Data Processing, gives considerable flexibility to its tech pros at least. Senior network engineer Bob Pierce uses lots of open source security tools, such as Nessus and LaBrea, not sanctioned by the IT shop. "I kinda come from the Wild West, so I definitely would push back against any policy that prevented me from downloading software that I needed to do my job," Pierce says. "Almost everything I use is not supported by the organization." That doesn't mean companies should give employees carte blanche, Pierce says. Anything imported must be run through security checks to ensure that they don't contain viruses or spyware. Any output from the unauthorized software must be compatible with corporate software standards--spreadsheets that produce Excel files, for instance. And don't expect the help desk to support the unauthorized stuff. "But having a blanket policy that says you may only run our standard applications is awfully shortsighted," Pierce says. "People work and learn in different ways, and having some arbitrary decision made isn't a very realistic perspective on productivity." The pressure isn't going to let up on central IT teams, whether it's from people like Pierce on the inside or from an outsider like Bennett Haselton. Haselton, a programmer, runs Peacefire.org, a site that helps Internet users figure out how to bypass filtering software. Some sites, like Boing Boing, offer tips on their site for how to foil business's Web filters. "I've always thought if your employer needs to censor your Web access to keep you productive, then your workplace rewards must not be very performance-based," Haselton says. Employers are limiting the use of unauthorized technology, often for the sake of safety. The question is whether IT's caution creates too much drag. The challenge ahead for IT organizations is to strike the right balance--and to maintain that balance as the ground shifts.