How CIOs Can Learn to Love IM Messages, Social Networking Sites, Blogs, Wikis and Other Tools of User Empowerment

The world has changed. IT executives can't deny employees the freedom to use consumer applications at work. Here's how to live with and profit from them.

1 2 Page 2
Page 2 of 2

“Free isn’t always free,” explains Dwain Wilcox, vice president of information technology for Millipore, a $1.2 billion biotech company. “Even though it is free and enhances productivity, we have to go find out what the hidden issues are.” This is why Drees at first didn’t let people bring their own cameras to work. “Supporting one person with one camera is not a problem,” says Clark. “Supporting 200 people with 200 cameras is.”

Finding a product that works as a corporate standard can solve such problems, however. “With one standard [application], supporting 200 cameras is suddenly doable again,” says Clark about his company’s decision to deploy Google’s Picasa. Like Clark and Wilcox, 30 percent of the respondents to the CIO survey study the business case for a consumer IT project to see if it can be mainstreamed.

Identifying a scalable version of a consumer technology to test and deploy across the enterprise is no different from what CIOs have always done with e-mail and other enterprise systems. “We standardized on BlackBerrys early on,” says Wilcox, the Millipore VP, whose employees use the devices not only for e-mail but also to access corporate data on

Millipore used to support a variety of devices. “We were finding that setting up new users took a really long time, an hour or two,” says Wilcox. “Imagine doing that across the enterprise—it increases the amount of work for IT exponentially.” But once the company adopted BlackBerrys for everyone, the work became manageable, because the IT department had to learn only once how to set up a new user.

There were trade-offs, of course. The people who used Treos or Windows devices were upset that they had to switch. But at the end of the day there wasn’t really anything that they could do on those devices that they couldn’t do with a BlackBerry. Plus, Wilcox was able to sweeten the deal with access to So in the end, Wilcox says, they came around. Again, it was a good compromise.

3. Pick Your Battles

As our survey revealed, most companies have shadow IT systems. Yours probably does, too. But you know you don’t have the resources to stay on top of everything. That’s why it’s important to pick your battles. For example, when data protection is a concern, pay close attention to the parts of your business where the most important information is.

“In our case that’s the R&D organization,” says Wilcox. “You really don’t want those guys storing their research data using a free software as a service tool. But the sales guys using a collaboration tool? That’s a different story.” If a rival found out a new formula that Millipore was working on, that would be a big problem. But a few sales leads? Not the end of the world.

Furman University’s Steinour puts it this way: You need to evaluate risk versus cost. Not from a traditional ROI perspective, necessarily, but from a resource allocation standpoint. You can’t protect everything all the time. “For me it comes down to three priorities,” he says. “Protect the institution, protect the staff, and protect the network. I do everything I can to provide security for our data and I have policies and rules to protect the institution.”

One thing that he allows, despite the potential security risk, is instant messaging, just like 58 percent of the companies CIO surveyed. The students use it—there is no way to prevent that—but so does the school’s staff, who use a sectioned-off part of the network and have usage guidelines more like those of the average company. “We standardize on our scheduling and e-mail, but when we get down to how people want to communicate, we do not enforce policy.”

The reason Steinour has decided to be flexible with IM is that almost nothing people use IM for is sensitive. People might use it to ask a colleague if she is around before walking across campus to her office. Or they may use it for personal reasons, to tell a spouse when they’ll be home for dinner. Thus, says Steinour, “We will never consider looking at it unless there is something that happens on that port and we have a network security incident.”

4. Be Human

Whenever IT equips a user with a laptop or a BlackBerry, it comes with an implicit message: You can work from anywhere. In most cases that message gets extrapolated to, You are expected to work from anywhere, be it home or your hotel while you are traveling. In fact, the barrier between the professional and the personal has all but disappeared for many workers. A study of more than 200,000 workers conducted by the employee research firm ISR found that between 2002 and 2005 the number of workers who said that their jobs seriously interfere with their private lives rose from 24 percent to 34 percent. So why shouldn’t employees be able to bring some elements of their personal life into the workplace? That’s a question CIOs need to start asking.

“We realize the reality of the workplace and we want to make it employee friendly,” says Brent Holladay, chief deputy of information resources for the Lake County (Fla.) Clerk of Courts. “In government we can’t use pay as the only incentive.” Letting workers use personal technology is one way to be flexible. Holladay has decided, for example, to let people listen to music on their computers, provided that they show their managers they can still get their work done.

Employees are discouraged from bringing iPods into the workplace and from listening to music in the office at Millipore. That said, “We realize from time to time people will have music files on their laptops while traveling or whatnot,” says Wilcox. And he lets them, because he doesn’t want work to encroach on people’s lives anymore than it does. But when Millipore backs up its files every night, sometimes the company ends up backing up someone’s MP3s. “We try to exclude that stuff whenever we can,” he says. “But it happens, and it is bandwidth hog.” However, he thinks that’s a small price to pay for happier employees.

Most Companies Tolerate Shadow IT

CIO asked 368 IT leaders how their IT departments approach unsupported technology.

42 percent said their IT department monitors the use of such technology for risk to their organization.

30 percent said they study the business case for mainstreaming the technology.

28 percent said they shut it down as soon as they detect it.

In addition, 61 percent of IT organizations allow end user to find and use their own software applications. But most want users to ask first.

5. Talk to Users

Pop quiz: Do you remember every form you signed when you joined your company and what policies you agreed to follow? Most users don’t know either. That’s why relying on written policies is the worst way to influence user behavior. There are some shadow IT systems that CIOs absolutely have to shut down or prevent from being installed in the first place. But counting on a memo to make that happen is a mistake.

“I don’t like to have a lot of policies,” says Wilcox. “There are certain ones you have to have to CYA, but we don’t have tons and tons of them.” For example Millipore lets employees store personal information on their work computers, and there’s a written policy that says the company owns any information on a company laptop. But usually Wilcox “relies on verbal communication with the users, starting at the top.

“Most managers, when you talk to them, they know you can’t do things one off,” he says. “In this day and age, protection and privacy of info is vitally important. And they know that.” In order to make them understand what IT is going through he tries to put policies into terms that they will understand, drawing on similarities between what the company goes through and what users experience in their own life with their own data.

“Are you sure that [the shadow IT project] is trusted?” Wilcox asks users. “Would you be concerned if it was your personal information?” It’s also possible to draw on past experience. “We’ve had just enough instances where something happened that wasn’t serious but could have been,” says Lake County’s Holladay.

His office has had to deal with everything from viruses that almost shut the office down, to users who didn’t lock their computers, potentially allowing anyone to access hugely secure court records. In each case the users knew they had done something wrong and that it could have been much worse. Call it the guilt approach, but Holladay says that people listen when you explain the risks of a shadow IT system in terms that they can relate to personally.

In one case Holladay encouraged people to install their own screen savers, part of his strategy to create a friendlier workplace. But people started sharing them with each other, which was a copyright violation. Holladay applied his standard test—how would he feel if the local newspaper wrote a story about what was going on? He imagined the headline, “Copyright Violations Run Rampant at County Clerk’s Office,” and used it as the rationale to explain why he had to outlaw the practice.

The ability to communicate well is the key to keeping dangerous shadow IT projects from popping up. The responsibility doesn’t fall just to the CIO but to the entire IT staff. And it requires a conscious effort. “Any time one of my staff is out at a desktop they are communicating our policy,” says the Southern Ute’s Young. “That is the form of communication that stays forefront in the mind of the user and my staff.”

That interaction is a chance to advertise corporate IT—not just the services it provides, but also its openness to new ideas. And at the end of the day, whether IT is perceived as open and helpful could be the difference between having to compete with a shadow IT department or not.

Clark believes the defining characteristic of a company that has a shadow IT problem “is if the users have stopped bringing ideas to you. Do they just assume you will say no? In any good company users are going to be bringing ideas constantly.”

Copyright © 2007 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 secrets of successful remote IT teams