An April 2006 survey by the Pew Internet and American Life Project found that 45 percent of adults who use the Internet said it has improved their ability to do their jobs “a lot.”
These are your employees, and their message couldn’t be clearer: Technology, at least in their eyes, has made them significantly more productive. But CIOs shouldn’t be patting themselves on the back just yet. For this productivity boost the study credits the Internet, not enterprise IT, not the technology you provide, not, in short, you. And while Pew’s finding undoubtedly includes people who use the Internet to access your corporate applications, Lee Rainie, the Pew project director, says the research is not pointing to what a good job CIOs have been doing.
It tells a different tale.
“The big story is that the boundary that existed in people’s lives between the workplace and the home has broken down,” says Rainie. Almost unlimited storage and fast new communication tools allow people to use whatever information they choose, whenever they want to, from wherever is most convenient for them.
According to Pew, 42 percent of Internet users download programs, 37 percent use instant messaging, 27 percent have used the Internet to share files, and 25 percent access the Internet through a wireless device. (And these numbers are all one or two years old. Rainie “would bet the ranch” that the current numbers are higher.)
Does that sound like the tools you’ve provided your company’s employees? Do you encourage them to download programs and share files? Do you support IM? Have you outfitted a quarter of your company’s employees with wireless devices?
“A consequence of the blending of worlds is that people bring gadgets from their home life into the workplace and vice versa,” says Rainie. For example, a December 2006 survey by Searchsecurity.com found that only 29 percent of companies had a corporate instant messaging tool, a number that seems relatively small when compared with the percentage of people Pew says use IM in the office.
Users have a history of providing their own technology, but the capabilities of today’s consumer IT products and the ease with which users can find them is unprecedented. Thumb drives, often given away free at conferences, provide gigabytes of transportable storage. Google spreadsheets and other online documents let multiple people collaborate in one file. The Motorola Q, a phone that uses the cell network as an always-on high-speed Internet connection (and can be yours for just $125 on eBay) lets users forward their work e-mail to their phones without ever touching a mail server. And that’s only three examples. There’s a consumer technology out there for every task imaginable—and if there isn’t, there’s a tool that will let someone create it tomorrow.
The era in which IT comes only from your IT department is over.
So where does that leave you?
The Shadow IT Department
The consumer technology universe has evolved to a point where it is, in essence, a fully functioning, alternative IT department. Today, in effect, users can choose their technology provider. Your company’s employees may turn to you first, but an employee who’s given a tool by the corporate IT department that doesn’t meets his needs will find one that does on the Internet or at his neighborhood Best Buy.
The emergence of this second IT department—call it “the shadow IT department”—is a natural product of the disconnect that has always existed between those who provide IT and those who use it.
And that disconnect is fundamental. Users want IT to be responsive to their individual needs and to make them more productive. CIOs want IT to be reliable, secure, scalable and compliant with an ever increasing number of government regulations. Consequently, when corporate IT designs and provides an IT system, manageability usually comes first, the user’s experience second. But the shadow IT department doesn’t give a hoot about manageability and provides its users with ways to end-run corporate IT when the interests of the two groups do not coincide.
“Employees are looking to enhance their efficiency,” says Andr¿old, director of information security at Continental Airlines. “People are saying, ‘I need this to do my job.’” But for all the reasons listed above, he says, corporate IT usually ends up saying no to what they want or, at best, promising to get to it...eventually. In the interim, users turn to the shadow IT department.
For many good and not-so-good reasons, the CIO’s first instinct frequently is to fight the shadow IT department whenever and wherever he detects it. But that approach, according to people who have thought long and hard about this potential war between IT departments, is a recipe for stalemate, if not outright defeat for CIOs.
The employees in your company are using consumer IT to work faster, more efficiently and, in many cases, longer hours. Some are even finding new and better ways to get work done. CIOs should be applauding this trend. But when you shut down consumer IT, says William Harmer III, assistant vice president of architecture and technology of financial services company Manulife, “You end up as a dissuader of innovation.”
Yes, the shadow IT department presents corporate IT with security and compliance challenges. Users could be opening holes in the corporate firewall (by downloading insecure programs), exposing company data irresponsibly (by scattering laptops, handhelds, and thumb drives hither and yon) and handling information in any number of ways that could violate any number of federal regulations. But CIOs need to deal with these problems strategically, not draconically.
“There’s a simple golden rule,” says David Smith, a vice president and research fellow at Gartner. “Never use security and compliance as an excuse for not doing the right thing. Never use these as sticks or excuses for controlling things. When you find that people have broken rules, the best thing to do is try to figure out why and to learn from it.”
Successful companies will learn how to strike a productive balance between consumer IT—and the innovative processes for which employees are using these tools—and the need to protect the enterprise. This will require CIOs to reexamine the way they relate to users, and to come to terms with the fact that their IT department will no longer be the exclusive provider of technology within an organization. This, says Smith, is the only way to stay relevant and responsive. CIOs who ignore the benefits of consumer IT, who wage war against the shadow IT department, will be viewed as obstructionist, not to mention out of touch. And once that happens, they will be ignored and any semblance of control will fly out the window.
And that won’t be good for anyone.
How the Shadow IT Department Works
Here’s an all-too-common response to the shadow IT department, courtesy of Bill Braun, vice president of information systems for the Texas Credit Union League: “What’s good for me is that it’s simple to say no [to consumer IT]. There goes most of the problem. Possibly some of the benefit, but certainly the problem.”
Passing over the fact that Braun admits that he’s willing to forgo the potential innovations consumer IT can provide, this approach also assumes that the shadow IT department has a similar structure to its corporate counterpart and can be managed in the same way.
It doesn’t and it can’t.
The shadow IT department is an entirely different beast.
Corporate IT is highly structured, with one individual or a small group controlling the nodes in a network and their relationships to one another. The shadow IT department, on the other hand, has no central authority and at best an ill-defined hierarchy; nodes join on their own and develop their own relationships. Marty Anderson, a professor at the Olin Graduate School of Business at Babson College, calls corporate IT a command architecture and shadow IT an emergent architecture. Command architectures are set up to make them easy to manage and, as a result, they respond to top-down orders. Emergent architectures contain no dominant node and therefore provide no lever by which to manage them. That’s why it is impossible to kill the shadow IT department or keep it out of your company. It has no head to cut off or single channel to dam.
It’s natural for corporate IT to feel threatened by the shadow IT department, but the truth is that they already coexist everywhere. “The two have always been present,” says Anderson. “The management skill is noticing where they intersect and coming up with a strategy for dealing with it.”
For example, a similar dynamic has long played out in HR. A company’s employees have titles and reporting relationships that give their work a formal structure. But at the same time every company has an informal structure determined by expertise, interpersonal relationships, work ethic, overall effectiveness and so on. Companies suffer when HR is out of phase with the informal structure. Employees are demoralized when the formal architecture elevates someone at the bottom of the informal architecture, and people who occupy the top spots in the informal architecture leave when they aren’t recognized by the formal one. Good HR departments know where employees stand in both the formal and informal architectures and balance the two.
IT needs to learn how to strike a similar balance. Corporate IT isn’t going to go away, and neither are the systems that IT has put in place over the years. But a CIO who doesn’t develop a strategy to accommodate the shadow IT department will be employing an outdated and (more important) an inefficient business model. And, like the HR department that ignores the informal relationships in a company, the CIO might lose sight of how his users actually work. Corporate IT thereby loses its authority and, eventually, the CIO loses his job. It won’t happen quickly, but it will happen. As Anderson puts it, “It will be like getting nibbled to death by ducks.”
How to Make Peace With Shadow IT
Techniques will differ for each company depending upon its business, the degree of regulation to which it’s subject, its risk tolerance and so on, but some principles are universally applicable. Here are some starting points.
1. Find out how people really work.
Whether you know it or not, your company’s employees are using technology of their choosing, or using technology of your choosing in ways you never intended. Brian Flynn, senior VP of IT at BCD Travel, found this out when he deployed software that monitored the content moving across his network. Not only were employees using consumer IT tools (like IM) but they were using IT-provided applications to do things that were clearly security risks (such as sending sensitive information back and forth).
“I am convinced that most companies are flying blind,” says Flynn. “This is going on everywhere and IT just doesn’t know.”
Fight your instinct to discourage these behaviors by legislating against them. Yes, there may be security and compliance risks, but declaring open war on the shadow IT department will only turn it into an insurgency, driving it underground where it will be harder to monitor and harder to negotiate with. Instead, consider this an opportunity to find out where the IT you’ve provided is out of sync with your users’ needs.
2. Say yes to evolution.
CIOs need to make users feel comfortable about bringing their underground behavior into the light. The first step is a change in attitude.
“We tend to think of people who think out of the box as troublemakers,” says Flynn. “But we need to realize that maybe they know what they’re talking about and maybe we should try to meet them halfway if we can.”
Always try to help users figure out a safe and secure way to do whatever it is they’re trying to do. “People get used to [IT] telling them no, and after a while they stop telling you what they’re doing,” says Continental’s Gold. “So we try to say yes, dot dot dot.”
Rob Israel, CIO of the John C. Lincoln Health Network, has developed a policy that formalizes this mind-set.
“I’m the only person in IT allowed to say no,” he says. Conversely, his IT employees have only three options: approve a request, research it or pass it up to him. According to Gold and Israel, getting a reputation for saying yes will encourage users to come to you with ideas. That gives you the chance to learn what it is that the user is really trying to do and come up with a way to do it that won’t compromise security.
As irrelevant or irresponsible as some shadow IT projects seem on the surface, it’s important to accept the fact that users do things for reasons. If they are e-mailing critical files among themselves, it’s because they need to work on something from a different location and that’s the most direct solution that they can come up with. IT’s job shouldn’t be figuring out how to prevent the user from accessing and moving files, but rather to find a solution that lets him take that file home in a way that doesn’t make the company vulnerable and isn’t any more complex than the method that the user discovered on his own.
That last part is important. “No one,” says Flynn, “will jump through hoops.” They’ll go around them.