Users rely on ‘shadow IT’ when corporate IT falls short

Digital cameras didn’t creep up on the Drees Company as much as they pounced. Five years ago a lot of employees at the US$1.1 billion real estate company weren’t even using computers. Today, those same employees are responsible for one of the company’s more innovative uses of technology.

But at first, says Brian Clark, Drees’s manager of data management, the company wouldn’t support the devices. Technology that wasn’t approved by the IT department was not supported in the workplace. But employees ignored the rules. “This was when cheap digital cameras were first coming onto the market,” Clark recalls.

People used them to take pictures of under-construction homes, upload the pictures to their work computers, and then e-mail them to out-of-state buyers, insurance brokers or contractors. Clark admits it was a great idea. It’s a lot easier to show a contractor a picture of the place on the wall that needs fixing than to try to describe it on the phone.

Soon, however, the behavior reached a tipping point, which was when Clark knew he had to fix it. Every camera had its own proprietary software, and the IT department didn’t have the resources to test every one to find out what it would do to its environment.

When rogue cameras occasionally would appear, Clark made it clear that his department wouldn’t help users with any technical problems. IT also tried to find a camera solution the company could use because the business benefits were undeniable.

Finally, about a year ago, a user suggested that Drees use Picasa, a free, camera-agnostic photo management application from Google. Clark ran a few tests, determined that it didn’t pose any risks and rolled it out. Picasa is now standard on every Drees computer.

Picasa is a free consumer application; a company using it doesn’t have to pay for licenses, but it won’t get any support from the vendor either. A recent survey by CIO magazine of 368 IT leaders found that 41 percent wouldn’t even consider such an application for use in their enterprises.

But Clark, like the majority of technology executives surveyed, sees it differently. “Our attitude has changed a lot,” he says. “First, you can’t dismiss Google anymore. They aren’t some fly-by-night company.”

Second — and he has learned this from experience — using freely available software can have a huge ROI. “We don’t teach people how to use it,” he says. “But when they do, it allows us to leverage someone else’s work at little to no cost. How can you not win in that situation?” That question is confronting CIOs with increasing regularity. And more often than not, the people asking it are end users.

Consumer technology is now better than corporate technology by a factor of 100, maybe even 1,000, says Stowe Boyd, a senior consultant with the Cutter Consortium. “It is significantly better, no matter how you measure innovation,” he says.

As information technology shifts from a tool used almost exclusively in the workplace to one used in every facet of life, users’ expectations for what technology should be able to do are shifting as well.

But those expectations only go so far. Users care whether technology is easy to use or makes them more productive. They don’t stop to think about how something fits into an enterprise computing environment. Corporate IT, on the other hand, has a responsibility to consider security, compliance and the impact an application or device has on the company’s infrastructure.

The latest consumer IT tool might need testing, management, monitoring and support. In other words, it isn’t the no-brainer it may first appear to be.

It’s these hidden issues that often lead IT to delay or ban consumer technology. And when this happens, IT risks appearing as an inhibitor to innovation, a part of the company that users don’t rely on as much as they bypass. Many CIOs feel this in their gut.

Among respondents to our survey, two-thirds or more reported that employees at their companies either download programs, use instant messaging or participate in social networking sites. But with the exception of instant messaging, fewer than half of the respondents officially support these applications.

Instead, users are getting this technology from the shadow IT department–a catch-all term for the applications and devices that are available on the Internet or from the local consumer electronics store.

Users turn to shadow IT when they need to make themselves more productive and they aren’t getting the tools they need to do so from corporate IT. This, in turn, opens up new challenges for CIOs and IT departments, since users have not properly evaluated the impact of these technologies.

But all is not lost.

Shadow IT can be managed and even leveraged–if only one rethinks the role of IT as shifting from being the provider of technology to the facilitator of its use.

Furthermore, CIOs must look beyond simple ROI and efficiency measures to calculate the value of shadow IT, says Boyd. “Personal productivity is a part of it,” he says. “But it is also about feeling connected.”

What is shadow IT?

Shadow IT refers to technology that consumers can get on the Internet or at their neighborhood electronics store. These tools, which include Web-based e-mail, instant messaging, iPods, USB storage and more, are the tools people use in their nonwork lives. And now they are starting to use them in the workplace.

Think of these applications and devices not just as a loose collection of tools that can be treated as one-offs, but as the product of a separate IT department staffed by individual users. The difference is simple: If all you have in your organization is a series of one-off user-driven projects, all you have to do is shut them down. But a shadow IT department is a force, and when it emerges, suddenly IT’s monopoly on technology is over.

That’s the point we’ve reached. From now on IT will have to compete with the shadow IT department for every user. If a user doesn’t get the technology he thinks he needs to do his job from you–or gets a solution that doesn’t work as well as she wants–the user can get an alternative from the shadow IT department.

To succeed in this new enterprise environment, CIOs must learn the art of compromise. They need to engage users in a constant dialogue about the pluses and minuses of new technologies and to concede that users can share responsibility for choosing and managing business applications.

It also means picking your battles, so that security and regulatory compliance and the desire to preserve the current environment don’t come at the expense of user productivity. And when concerns about security, compliance or manageability do win out over the potential business benefits, it is important to communicate to users exactly why that decision was made in terms that they understand.

“If you are just going to sit around in your office and pontificate about security and technology you will be in firefighting mode all day long,” says Alan Young, CIO of the Southern Ute Indian Tribe, where he supports an oil and gas company, a casino, a tribal government and an investment fund, among other businesses. “You have to evolve.”

Here’s what to do:

1. Share the sandbox

The IT department used to control all technology. And among corporate IT staff, many still feel that users aren’t responsible enough to handle technology on their own. If you doubt this, search Slashdot.org for the term “luser.”

That’s one reason why corporate IT is often quick to dismiss technology projects initiated by users. But technology encompasses too many categories for the modern IT department to keep up.

CIOs have to start thinking differently about what they really need to be responsible for and which responsibilities they can share with users. The way to start is by identifying what is critical to protect the enterprise. One emerging strategy is to secure the network and not worry about client devices–until they connect with the network.

David Steinour, CIO of Furman University, had to learn how to secure a network while at the same time maintaining zero control over what it is used for. Once, several years ago, Steinour worked at a different school, where he limited access to peer-to-peer file-sharing networks. He thought he had good reasons: He was receiving complaints about copyright infringement from the music industry, and the traffic was eating up almost all his bandwidth. After limiting access, the university president received complaints from parents and students.

The complaints finally stopped when Steinour explained his rationale, but the experience taught him that he could not control everything users put on their computers or limit what they download. The faculty, for instance, had legitimate reasons for using file sharing.

Nevertheless, Steinour stakes his job on protecting the network. Before anyone at Furman can connect to the enterprise network, her computer has to undergo a scan and have its virus definitions updated. The first time a user connects, this takes about a half hour. The process is invisible thereafter. “There is no possible way we can police everything that goes on,” says Steinour. “So I protect the institution, not the individual.”

The same network-centric approach can work in a corporate environment. “I am a data socialist,” says Young, exhibiting this new virtue. “I don’t own the data. My customers own the data.” Young has realized that he can’t control everything that the businesses on the Ute reservation want to do with IT any better than he can predict them.

For instance, the equity traders who work for the tribe’s investment fund have to do all kinds of research; it would handicap them if Young blocked certain Internet sites or refused to let them use certain research tools. “I am open to having other forms of tech in our mix without being a snob about it,” he says. “We have guys downloading data from FTP sites.

“I am more wide open today than I have ever been,” he adds, but “it’s not like I opened up port 80 and said have fun.”

In fact, Young has compensated for loosening the control on what end users do by tightening his control on the part of IT that no one else can touch without his permission: the corporate network. “I know everything that is happening on my network at all times,” he says matter-of-factly.

He uses a variety of applications, including Websense content filtering software and intrusion detection and monitoring tools from Cisco, to gain real-time insight into everything that is happening. If he finds something on the network that shouldn’t be there, he acts. It’s a way of ensuring security without inhibiting users.

And in those rare instances where Young does have to restrict an activity, it is as part of a compromise. For example, he doesn’t allow people to send encrypted JPEG and GIF files because virus prevention software can’t detect viruses embedded in them. But anyone who wants to send an image can send it unencrypted, or send a link to the website where the image resides.

2. Know the business case

One of the challenges with shadow IT systems is that they work great for the users–they are usually the most customized solution a user could find. But an application that works for an individual user may not work for the company. A shadow system may not scale, it may open up a hole in the firewall or it may conflict with another system the company runs.

Corporate IT departments normally test for compatibility with the existing environment and calculate operating costs before deploying any new system; for these reasons, nominally free software might still cost thousands of dollars to deploy.

“Free isn’t always free,” explains Dwain Wilcox, vice president of information technology for Millipore, a $1.2 billion biotech company. “Even though it is free and enhances productivity, we have to go find out what the hidden issues are.”

This is why Drees at first didn’t let people bring their own cameras to work. “Supporting one person with one camera is not a problem,” says Clark. “Supporting 200 people with 200 cameras is.”

Finding a product that works as a corporate standard can solve such problems, however. “With one standard [application], supporting 200 cameras is suddenly doable again,” says Clark about his company’s decision to deploy Google’s Picasa. Like Clark and Wilcox, 30 percent of the respondents to the CIO survey study the business case for a consumer IT project to see if it can be mainstreamed.

Identifying a scalable version of a consumer technology to test and deploy across the enterprise is no different from what CIOs have always done with e-mail and other enterprise systems. “We standardized on BlackBerrys early on,” says Wilcox, the Millipore VP, whose employees use the devices not only for e-mail but also to access corporate data on Salesforce.com.

Millipore used to support a variety of devices. “We were finding that setting up new users took a really long time, an hour or two,” says Wilcox. “Imagine doing that across the enterprise–it increases the amount of work for IT exponentially.” But once the company adopted BlackBerrys for everyone, the work became manageable, because the IT department had to learn only once how to set up a new user.

There were trade-offs, of course. The people who used Treos or Windows devices were upset that they had to switch. But at the end of the day there wasn’t really anything that they could do on those devices that they couldn’t do with a BlackBerry.

Plus, Wilcox was able to sweeten the deal with access to Salesforce.com. So in the end, Wilcox says, they came around. Again, it was a good compromise.

3. Pick your battles

As our survey revealed, most companies have shadow IT systems. Yours probably does, too. But you know you don’t have the resources to stay on top of everything. That’s why it’s important to pick your battles. For example, when data protection is a concern, pay close attention to the parts of your business where the most important information is.

“In our case that’s the R&D organization,” says Wilcox. “You really don’t want those guys storing their research data using a free software as a service tool. But the sales guys using a collaboration tool? That’s a different story.” If a rival found out a new formula that Millipore was working on, that would be a big problem. But a few sales leads? Not the end of the world.

Furman University’s Steinour puts it this way: You need to evaluate risk versus cost. Not from a traditional ROI perspective, necessarily, but from a resource allocation standpoint. You can’t protect everything all the time.

“For me it comes down to three priorities,” he says. “Protect the institution, protect the staff, and protect the network. I do everything I can to provide security for our data and I have policies and rules to protect the institution.”

One thing that he allows, despite the potential security risk, is instant messaging, just like 58 percent of the companies CIO surveyed. The students use it–there is no way to prevent that–but so does the school’s staff, who use a sectioned-off part of the network and have usage guidelines more like those of the average company. “We standardize on our scheduling and e-mail, but when we get down to how people want to communicate, we do not enforce policy.”

The reason Steinour has decided to be flexible with IM is that almost nothing people use IM for is sensitive. People might use it to ask a colleague if she is around before walking across campus to her office. Or they may use it for personal reasons, to tell a spouse when they’ll be home for dinner. Thus, says Steinour, “We will never consider looking at it unless there is something that happens on that port and we have a network security incident.”

4. Be human

Whenever IT equips a user with a laptop or a BlackBerry, it comes with an implicit message: You can work from anywhere. In most cases that message gets extrapolated to, You are expected to work from anywhere, be it home or your hotel while you are traveling. In fact, the barrier between the professional and the personal has all but disappeared for many workers.

A study of more than 200,000 workers conducted by the employee research firm ISR found that between 2002 and 2005 the number of workers who said that their jobs seriously interfere with their private lives rose from 24 percent to 34 percent. So why shouldn’t employees be able to bring some elements of their personal life into the workplace? That’s a question CIOs need to start asking.

“We realize the reality of the workplace and we want to make it employee friendly,” says Brent Holladay, chief deputy of information resources for the Lake County (Fla.) Clerk of Courts. “In government we can’t use pay as the only incentive.” Letting workers use personal technology is one way to be flexible. Holladay has decided, for example, to let people listen to music on their computers, provided that they show their managers they can still get their work done.

Employees are discouraged from bringing iPods into the workplace and from listening to music in the office at Millipore. That said, “We realize from time to time people will have music files on their laptops while traveling or whatnot,” says Wilcox. And he lets them, because he doesn’t want work to encroach on people’s lives any more than it does.

But when Millipore backs up its files every night, sometimes the company ends up backing up someone’s MP3s. “We try to exclude that stuff whenever we can,” he says. “But it happens, and it is a bandwidth hog.” However, he thinks that’s a small price to pay for happier employees.

5. Talk to users

Pop quiz: Do you remember every form you signed when you joined your company and what policies you agreed to follow? Most users don’t know either. That’s why relying on written policies is the worst way to influence user behavior. There are some shadow IT systems that CIOs absolutely have to shut down or prevent from being installed in the first place. But counting on a memo to make that happen is a mistake.

“I don’t like to have a lot of policies,” says Wilcox. “There are certain ones you have to have to CYA, but we don’t have tons and tons of them.” For example, Millipore lets employees store personal information on their work computers, and there’s a written policy that says the company owns any information on a company laptop. But usually Wilcox relies on verbal communication with the users, starting at the top. “Most managers, when you talk to them, they know you can’t do things one off,” he says.

“In this day and age, protection and privacy of info is vitally important. And they know that.” In order to make them understand what IT is going through he tries to put policies into terms that they will understand, drawing on similarities between what the company goes through and what users experience in their own life with their own data.

“Are you sure that [the shadow IT project] is trusted?” Wilcox asks users. “Would you be concerned if it was your personal information?” It’s also possible to draw on past experience. “We’ve had just enough instances where something happened that wasn’t serious but could have been,” says Lake County’s Holladay.

His office has had to deal with everything from viruses that almost shut the office down, to users who didn’t lock their computers, potentially allowing anyone to access hugely secure court records. In each case the users knew they had done something wrong and that it could have been much worse. Call it the guilt approach, but Holladay says that people listen when you explain the risks of a shadow IT system in terms that they can relate to personally.

In one case Holladay encouraged people to install their own screen savers, part of his strategy to create a friendlier workplace. But people started sharing them with each other, which was a copyright violation. Holladay applied his standard test–how would he feel if the local newspaper wrote a story about what was going on? He imagined the headline, “Copyright Violations Run Rampant at County Clerk’s Office,” and used it as the rationale to explain why he had to outlaw the practice.

The ability to communicate well is the key to keeping dangerous shadow IT projects from popping up. The responsibility doesn’t fall just to the CIO but to the entire IT staff. And it requires a conscious effort. “Any time one of my staff is out at a desktop they are communicating our policy,” says the Southern Ute’s Young. “That is the form of communication that stays forefront in the mind of the user and my staff.”

That interaction is a chance to advertise corporate IT–not just the services it provides, but also its openness to new ideas. And at the end of the day, whether IT is perceived as open and helpful could be the difference between having to compete with a shadow IT department or not.

Clark believes the defining characteristic of a company that has a shadow IT problem “is if the users have stopped bringing ideas to you. Do they just assume you will say no? In any good company users are going to be bringing ideas constantly.”


Jim Love, Chief Content Officer, IT World Canada
