Digital cameras didn’t creep up on the Drees Company as much as they pounced. Five years ago a lot of employees at the $1.1 billion real estate company weren’t even using computers. Today, those same employees are responsible for one of the company’s more innovative uses of technology.
But at first, says Brian Clark, Drees’s manager of data management, the company wouldn’t support the devices. Technology that wasn’t approved by the IT department was not supported in the workplace. But employees ignored the rules. “This was when cheap digital cameras were first coming onto the market,” Clark recalls. People used them to take pictures of under-construction homes, upload the pictures to their work computers, and then e-mail them to out-of-state buyers, insurance brokers or contractors. Clark admits it was a great idea. It’s a lot easier to show a contractor a picture of the place on the wall that needs fixing than to try to describe it on the phone. Soon, however, the behavior reached a tipping point, which was when Clark knew he had to fix it.
USER TECH INVASION
Every camera had its own proprietary software, and the IT department didn’t have the resources to test every one to find out what it would do to its environment. When rogue cameras occasionally would appear, Clark made it clear that his department wouldn’t help users with any technical problems. IT also tried to find a camera solution the company could use because the business benefits were undeniable. Finally, about a year ago, a user suggested that Drees use Picasa, a free, camera-agnostic photo management application from Google. Clark ran a few tests, determined that it didn’t pose any risks and rolled it out. Picasa is now standard on every Drees computer.
Picasa is a free consumer application; a company using it doesn’t have to pay for licenses, but it won’t get any support from the vendor either. A recent survey by CIO magazine of 368 IT leaders found that 41 percent wouldn’t even consider such an application for use in their enterprises. But Clark, like the majority of technology executives surveyed, sees it differently. “Our attitude has changed a lot,” he says. “First, you can’t dismiss Google anymore. They aren’t some fly-by-night company.” Second—and he has learned this from experience—using freely available software can have a huge ROI. “We don’t teach people how to use it,” he says. “But when they do, it allows us to leverage someone else’s work at little to no cost. How can you not win in that situation?”
That question is confronting CIOs with increasing regularity. And more often than not, the people asking it are end users. Consumer technology is now better than corporate technology by a factor of 100, maybe even 1,000, says Stowe Boyd, a senior consultant with the Cutter Consortium. “It is significantly better, no matter how you measure innovation,” he says. As information technology shifts from a tool used almost exclusively in the workplace to one used in every facet of life, users’ expectations for what technology should be able to do are shifting as well.
But those expectations only go so far. Users care whether technology is easy to use or makes them more productive. They don’t stop to think about how something fits into an enterprise computing environment. Corporate IT, on the other hand, has a responsibility to consider security, compliance and the impact an application or device has on the company’s infrastructure. The latest consumer IT tool might need testing, management, monitoring and support. In other words, it isn’t the no-brainer it may first appear to be.
It’s these hidden issues that often lead IT to delay or ban consumer technology. And when this happens, IT risks appearing as an inhibitor to innovation, a part of the company that users don’t rely on as much as they bypass. Many CIOs feel this in their gut. Among respondents to our survey, two-thirds or more reported that employees at their companies either download programs, use instant messaging or participate in social networking sites (see chart). But with the exception of instant messaging, fewer than half of the respondents officially support these applications.
Instead, users are getting this technology from the shadow IT department—a catch-all term for the applications and devices that are available on the Internet or from the local consumer electronics store. Users turn to shadow IT when they need to make themselves more productive and they aren’t getting the tools they need to do so from corporate IT. This, in turn, opens up new challenges for CIOs and IT departments, since users have not properly evaluated the impact of these technologies. But all is not lost. Shadow IT can be managed and even leveraged—if only one rethinks the role of IT as shifting from being the provider of technology to the facilitator of its use.
Furthermore, CIOs must look beyond simple ROI and efficiency measures to calculate the value of shadow IT, says Boyd. “Personal productivity is a part of it,” he says. “But it is also about feeling connected.”
What Is Shadow IT?
Shadow I.T. refers to technology that consumers can get on the Internet or at their neighborhood electronics store. These tools, which include Web-based e-mail, instant messaging, iPods, USB storage and more, are the tools people use in their nonwork lives. And now they are starting to use them in the workplace.
Think of these applications and devices not just as a loose collection of tools that can be treated as one-offs, but as the product of a separate IT department staffed by individual users. The difference is simple: If all you have in your organization is a series of one-off user-driven projects, all you have to do is shut them down. But a shadow IT department is a force, and when it emerges, suddenly IT’s monopoly on technology is over.
That’s the point we’ve reached. From now on IT will have to compete with the shadow IT department for every user. If a user doesn’t get the technology he thinks he needs to do his job from you—or gets a solution that doesn’t work as well as she wants—the user can get an alternative from the shadow IT department.
To succeed in this new enterprise environment, CIOs must learn the art of compromise. They need to engage users in a constant dialogue about the pluses and minuses of new technologies and to concede that users can share responsibility for choosing and managing business applications.
It also means picking your battles, so that security and regulatory compliance and the desire to preserve the current environment don’t come at the expense of user productivity. And when concerns about security, compliance or manageability do win out over the potential business benefits, it is important to communicate to users exactly why that decision was made in terms that they understand.
“If you are just going to sit around in your office and pontificate about security and technology you will be in firefighting mode all day long,” says Alan Young, CIO of the Southern Ute Indian Tribe, where he supports an oil and gas company, a casino, a tribal government and an investment fund, among other businesses. “You have to evolve.” Here’s what to do:
1. Share the Sandbox
The IT department used to control all technology. And among corporate IT staff, many still feel that users aren’t responsible enough to handle technology on their own. If you doubt this, search Slashdot.org for the term “luser.”
That’s one reason why corporate IT is often quick to dismiss technology projects initiated by users. But technology encompasses too many categories for the modern IT department to keep up. CIOs have to start thinking differently about what they really need to be responsible for and which responsibilities they can share with users. The way to start is by identifying what is critical to protect the enterprise. One emerging strategy is to secure the network and not worry about client devices—until they connect with the network.
David Steinour, CIO of Furman University, had to learn how to secure a network while at the same time maintaining zero control over what it is used for. Once, several years ago, Steinour worked at a different school, where he limited access to peer-to-peer file-sharing networks. He thought he had good reasons: He was receiving complaints about copyright infringement from the music industry, and the traffic was eating up almost all his bandwidth. After limiting access, the university president—–received complaints from parents and students. The complaints finally stopped when Steinour explained his rationale, but the experience taught him that he could not control everything users put on their computers or limit what they download. The faculty, for instance, had legitimate reasons for using file sharing.
Nevertheless, Steinour stakes his job on protecting the network. Before anyone at Furman can connect to the enterprise network, her computer has to undergo a scan and have its virus definitions updated. The first time a user connects, this takes about a half hour. The process is invisible thereafter. “There is no possible way we can police everything that goes on,” says Steinour. “So I protect the institution, not the individual.”
The same network-centric approach can work in a corporate environment. “I am a data socialist,” says Young, exhibiting this new virtue. “I don’t own the data. My customers own the data.” Young has realized that he can’t control everything that the businesses on the Ute reservation want to do with IT any better than he can predict them. For instance, the equity traders who work for the tribe’s investment fund have to do all kinds of research; it would handicap them if Young blocked certain Internet sites or refused to let them use certain research tools. “I am open to having other forms of tech in our mix without being a snob about it,” he says. “We have guys downloading data from FTP sites.
“I am more wide open today than I have ever been,” he adds, but “it’s not like I opened up port 80 and said have fun.”
In fact, Young has compensated for loosening the control on what end users do by tightening his control on the part of IT that no one else can touch without his permission: the corporate network. “I know everything that is happening on my network at all times,” he says matter-of-factly. He uses a variety of applications, including Websense content filtering software and intrusion detection and monitoring tools from Cisco, to gain real-time insight into everything that is happening. If he finds something on the network that shouldn’t be there, he acts. It’s a way of ensuring security without inhibiting users. And in those rare instances where Young does have to restrict an activity, it is as part of a compromise. For example, he doesn’t allow people to send encrypted JPEG and GIF files because virus prevention software can’t detect viruses embedded in them. But anyone who wants to send an image can send it unencrypted, or send a link to the website where the image resides.
"Shadow IT" Is Everywhere
IT leaders acknowledge most employees use unsupported technology.
|TYPE OF TECHNOLOGY||EMPLOYEES USING IT||I.T. DEPARTMENTS SUPPORTING IT|
|Social networking sites||66%||20%|
|Internet file sharing||65%||29%|
SOURCE: 2007 CIO Magazine Consumer Technology Survey of 368 IT leaders, conducted in March 2007. Margin of error plus or minus 5 percent.
2. Know the Business Case
One of the challenges with shadow IT systems is that they work great for the users—they are usually the most customized solution a user could find. But an application that works for an individual user may not work for the company. A shadow system may not scale, it may open up a hole in the firewall or it may conflict with another system the company runs. Corporate IT departments normally test for compatibility with the existing environment and calculate operating costs before deploying any new system; for these reasons, nominally free software might still cost thousands of dollars to deploy.