Point of fact: Users are already more involved than ever before. "I'm seeing it become more about the freedom to choose what device you want -- which laptop, maybe a Mac, what kind of handheld," said Allan Carey, an analyst at the Institute for Applied Network Security, a research firm. "It's part of the consumerization of IT," he added, and requires IT to focus on standards and policies that user choices must meet, rather than worrying about what model of PC is used.
What IT must still manage
Even when companies are willing to let employees manage their PCs, IT still has plenty to manage, including security and data.
"I would expect most companies to implement basic security protocols for employee PCs, including virus scanning, spam filters, and phishing filters," Maine's Angell said. "They might provide software tools or simply implement a system check to make sure that such items are running whenever the employee's laptop is connected to the company environment."
Furthermore, Angell said, "We need to recognize that the company's data belongs to the company. Thus, there are certain data systems that will either need to be controlled as Web applications or that get served up via a platform such as Citrix. Access to both can be controlled by the enterprise without having to touch the worker's PC." In this age of Web apps, that's easy to do, he added.
This Web-based application approach to data management and security is Google's model, Merrill noted. Its employees run Google Apps, no matter what PC they have, and that means that all company data is stored on Google's servers. He also argued that this approach protects Google from the single largest security threat: stolen laptops.
"End-point security never really, honestly works. The number of incidents keeps increasing. If it worked, that wouldn't happen," Merrill said. "So I don't happen to find that argument compelling." Still, Google has a lot of monitors in its infrastructure to notice weird occurrences, both related to security and compliance. It has no choice, Merrill said: The company is subject to heavy regulations including HIPAA, on account of doctors that work on its campus. "Security and regulatory controls run in the background," Merrill said, explaining that they are "hidden from the user in a good way."
Another technology that helps support the user-managed PC model is desktop virtualization, which lets IT provision a standard OS and application configuration while allowing users to run their own apps in a separate layer, preventing infection and corruption. "In this model, users would have access to nonregulation software, personal e-mail, etc., outside of the virtual environment," Resnick said, which is "a reasonable compromise between security requirements, innovation, and employee convenience."
For companies considering empowering their employees with hardware and software choices, Merrill has some advice. "There are three things to do: automate everything you can automate, push toward automation in the cloud, and put together a highly skilled support staff. My support function spends time on fun things, which means I can hire more talented people, so I can automate even more things."