A newly hired CIO arrived at a $500-million consumer products company. He was surprised by what he found. “There wasn’t a standard way of evaluating and approving and managing technology,” recalls Tres Roeder, project management author, speaker, and consultant, who worked with that new CIO.
The CIO set out to do the logical thing: Evaluate the various tools for serving the business units’ needs, select the best, most robust, and most secure of them, and then standardize on those across the company. There was only one problem — the business units refused to comply. “The individual business unit heads did not want to give up the control that they had,” Roeder says. “They could pick the project management tool they wanted or the document repository they wanted. They didn’t want the CIO telling them what they could and couldn’t do.”
It’s a situation CIOs and other IT leaders find themselves facing more and more often. Years ago, funding for technology was overseen by an organization’s IT department. “There was a committee of executives, typically,” says Kurt Underwood, managing director at consulting firm Protiviti. “There would be initiatives that didn’t make it to the top of the list, ones that weren’t as strategic and so didn’t get funding. The governance was usually an open process, but it allowed for a dividing line: ‘Here’s what we’re going to work on over the next 18 months, and what we’re not.’”
That’s ancient history in most of the corporate world. Today, Underwood notes, most anything a business unit might need can be provisioned from the cloud, without involving IT. “Executives are looking at initiatives where timeliness is important. They’re looking for something this quarter — they’re not interested in a long-term process that will involve consultants to plan a project that will then take 18 months to complete,” Underwood says.
That impatience with traditional IT timelines, and IT standards and rules, led to what used to be called “shadow IT.” But these days, most non-IT technology is no longer hiding in the shadows. As at the company where Roeder consulted, business department leaders now have the budget and the ability to buy whatever technology tools they choose, and they don’t much care who knows it. Meantime, preventing data breaches, malware, hacking, outages, and other security, availability, or compliance failures remains IT’s responsibility, whether it controls technology purchases or not.
What’s an IT leader to do? Smart CIOs use soft skills, persuasiveness and leadership acumen to save their organizations from poor or unsafe technology when they can no longer exercise veto power. It’s a tough job, but one they can’t afford not to do. Here are some approaches that can help.
1. ‘No’ by itself is never good enough
“IT needs to stop thinking that a simple veto was ever good for their business partners,” explains Dean Pipes, chief innovation officer at telecommunications company TetraVX. Instead, IT must enable innovation and agility in an organization, he says. It all begins with empathy, a word several CIOs used to describe the most successful approaches. “We don’t want to say, ‘You’re dumb,’” Pipes explains. “We want to say, ‘We looked at that solution and we have some concerns. Let’s look at how different solutions might reduce those risks. We want to help you find the right solution, this just doesn’t seem like it.’”
IT governance can often seem like the biggest priority to an IT leader. And yet, “We cannot drive our business through IT governance,” says Scott Moody, vice president of IT at managed services provider Carousel Industries. “It’s a must-have, but you have to start with the business needs first.”
2. Make group decisions
This is how Roeder’s CIO client solved the problem of multiple technologies throughout his company. It took some patience. “We put together a council of different business unit heads, led by the CIO,” Roeder says. The business leaders were willing to join the council because they could see a potential benefit: In personal conversations, the CIO had explained that if more than one unit was using the same technology, sharing this information could lead to savings through volume pricing.
Everyone discussed the tools they were using and the tools they wanted to use in front of the council. “For the first six months, the CIO wasn’t saying yes or no to anything, but he was getting all the decision-making into one place, where he could see it and everybody else could see it,” Roeder says.
In the end, the CIO didn’t need to force any decisions on anyone. Once they were all talking in the same room, the business leaders themselves could see how using multiple tools for the same function was impractical. “It became obvious,” Roeder says. “They said, ‘Why are we doing this? It doesn’t make sense.’”
3. Bring self-proclaimed experts into the fold
Most IT professionals feel disrespected when business users declare they know all about technology. And yet, in these times when technology is part of most schools’ curricula, and many people use lots of technology in their personal lives, business users are likelier than ever to have at least some expertise.
It’s an annoying problem, but not unique to IT, Roeder says. “Everyone thinks they know the right way to market, or how to improve culture, or how to motivate people.” As IT leaders learn to take more of a consultative, rather than authoritative, approach, he says, “They might say to that person, ‘Great! Tell me your knowledge, tell me your ideas.’ And you can have a conversation while still establishing yourself as that consultant. If someone says they’re an expert, you can say, ‘Let’s put together a team to evaluate this technology, and you’re on it.’”
4. Find your natural allies
Dealing with the use of insecure or impractical technologies when you don’t have the authority to veto them is certainly a challenge. But it’s not one you have to take on alone. There are other officers and departments in your company whose interests align with IT’s when it comes to making sound technology choices for the organization as a whole. If your company has a chief information security officer, for example, he or she is a natural ally when it comes to addressing security or compliance concerns about third-party technology tools.
Risk management is another discipline whose interests coincide with yours. “If you think about the chief risk officer or chief audit executive, that’s someone typically focused on how to protect the business with controls,” Underwood says. “That goes for technology as well. So as well as being able to collaborate with and facilitate the business, CIOs need to have that grounding in enterprise risk management and make sure they’re leveraging that relationship to produce efficient and effective policies for the organization.”
Procurement executives will also take a natural interest in what kinds of technologies business units are buying. “With the consumerization of IT, you have a lot more people who are skilled technical folks. They understand technology because it’s part of their daily lives,” says Mike Kelly, CIO of Red Hat [Disclosure: For several years Minda Zetlin was a regular contributor to the Red Hat website The Enterprisers Project]. “So you have a more educated base, but they’re not experts in procurement or legal agreements.”
For Moody, a recent win came about through his excellent relationship with Carousel’s director of continuous improvement. The company’s recruiting team had purchased some cloud-based software that they then implemented on their own. But they weren’t able to provide efficient user support, for instance when passwords needed resetting. And they were having trouble extracting useful data from their new software. The director of continuous improvement flagged this situation as an improvement opportunity, and acted as a go-between for IT to take over support. “That was a successful partnering exercise,” he says. “Since then, they’ve come to us for other assistance.”
5. Put standards in place ahead of time
Once business users have selected a technology tool, downloaded it, and grown accustomed to using it, persuading them to give it up will be an uphill battle. So you’re much better off setting guidelines beforehand that will help business executives know in advance whether a new tool will likely get your approval or not.
One way to do this is with a white list of pre-approved technologies and devices, but unless it’s extensive or very flexible, you’re likely to miss something your users feel strongly that they need. Another approach is to institute a security audit or review for every new piece of technology, allowing business departments to use anything that passes the audit.
Brian Lillie spent eight years as CIO of data center provider Equinix before becoming chief product officer. During that time, he used a cloud access security broker (CASB) both to track which cloud services and software employees were using and to provide a detailed audit of those services’ security. The CASB would give each service a number grade, with lower numbers denoting excellent security and higher numbers indicating security risks. If a product gets a 1 or 2 score in the security audit, business departments have IT’s blessing to use it. If it’s an 8 or 9, IT may block that app and offer an alternative.
“We had the marketing department tell us they had a cloud application they wanted to use,” Lillie recalls. “We said, that’s fine, but you have to go through our security protocol. Everybody from the board to the executive management team supports that. We put it through and it scores an 8, and we said, ‘Do you really want to do this?’ And they said no.”
But then Lillie’s team went the extra mile and got in touch with the software maker. “We said, ‘Maybe you are prioritizing features over security. If you improve your security, come back and talk to us.’ They did, and six months later we became a customer.”
6. Know when to give in and when to stand firm
At Red Hat, Kelly says, there are four or five different chat services employees use to communicate throughout the day. It might seem logical to consolidate on just one, but he’s choosing to let things stay as they are. “Yes, we should have a single chat solution for all of Red Hat,” he says. “But if we take one of the four or five systems people are using and make it the standard, we’ll have a lot of unhappy users.”
On the other hand, some battles are worth fighting, for example when security or customer data is at risk. “I’m not going to abrogate my responsibility as CIO,” Lillie says. “So if at the end of the day, they say, ‘I hear your point but I’m going to do it anyway,’ we’re going to have a conversation.”
Ultimately, he says, a business department that insists on choosing its own technology without IT input doesn’t make much sense. “It’s like saying, ‘I’m going to hire my own HR person because I don’t like our benefits package. I’m going to hire my own finance person because I don’t like the numbers in my budget.’ It doesn’t make sense from a shareholder value perspective, or a governance perspective. While this rarely happens, you have to be able to stand your ground and say, ‘Let’s agree to disagree and let’s go have a conversation.’ I’m not an escalation kind of guy, but if I have to escalate, I will.”