User Management - Users Who Know Too Much and the CIOs Who Fear Them

A new IT department is being born. You don’t control it. You may not even be aware of it. But your users are, and figuring out how to work with it will be the key to your future and your company’s success.

Page 2 of 2

That last part is important. “No one,” says Flynn, “will jump through hoops.” They’ll go around them.

Gold says that most shadow IT projects are attempts to solve simple problems, and it’s easy for CIOs to mitigate the risks if they’re willing. For example, Gold found that people were taking files home on thumb drives. Instead of trying to outlaw the practice, he began distributing thumb drives with encryption software on them. The users’ experience never changed. “It was common sense to keep both security and how people work in mind,” he says.

3. Ask yourself if the threat is real.

The other part of developing a say-yes reputation is realizing which shadow IT projects really represent a security threat and which just threaten IT’s position as the sole god of technology provisioning. Maria Anzilotti, CIO of Camden Property Trust, a real estate developer, says that she has continued to allow IM even though most people use it for nonwork purposes. “We looked at the risk and decided it wasn’t worth [shutting it down],” she says. “A lot of people use it to communicate with their kids. It’s faster and less disruptive than phone calls.

“We keep an eye on it.”

Killing a shadow IT app without appreciating how thoroughly it’s been integrated into a company’s workflow can have unanticipated and unfortunate consequences. When Gold shut down IM at Continental, he got an angry call from an employee in the fuel management group who was using it (successfully) to negotiate jet fuel pricing for the airline.

Oops.

When a CIO prohibits people from using a technology that doesn’t pose a real security threat or doesn’t adversely affect his budget, he is setting himself up as a tin idol, a moral arbiter. That’s a guaranteed way to antagonize users. And that’s never a good idea.

4. Enforce rules, don’t make them.

There’s a fine line between providing access to data and determining who should have access to it. And Manulife’s Harmer says IT often crosses it.

“I own the infrastructure,” he says, “but the business owns the data.” IT creates artificial hurdles for employees when it makes blanket judgments about access that affect the entire company. “The key is not to paint all the users the same,” says Harmer.

Lincoln Health’s Israel deals with this challenge every day. It’s one thing, he says, for his nursing staff to search the Internet for the word breast; it’s another for someone in the accounting department. But if Israel installed a filter that prevented access to (apparently) pornographic websites, his nurses might not be able to find information that they need to treat a patient. The solution is for IT to provide tools that let an individual’s manager decide what information she needs to do the job.

“IT doesn’t know everything the business knows,” says Gold. “So it’s hard for me to make rules about who should have access to what.”

5. Be invisible.

Most companies have long lists of policies and regulations with which everyone must comply. But lists don’t enforce themselves.

“I wrote all the policies [here], and I only know two of them well,” says Israel. “So it’s unreasonable for an IT department to expect users to know them all. But we can put systems in place that put some automation behind our policies.”

Manulife’s Harmer says that the key is to develop an approach that secures data without depending upon how a user accesses it or what he does with it.

“The way I approach it is to bring the controls closer to the data,” he says. “That means not relying on a firewall but trying to figure out what I’m actually trying to protect and then dealing with it appropriately.”

At Continental, this type of approach has led to a change in the way the IT department designs systems. “Ninety percent of the applications we have that involve sensitive data are things we’ve written,” Gold explains. All that data was protected...as long as the user accessed it from the application IT built. But when a manager tried to compare revenue for different cities by copying the data into Excel (something Gold says happens routinely), the information was suddenly placed at risk. With this in mind, Gold encouraged the IT department to build encryption and other safeguards directly into the applications. That way, when a user pastes the revenue figures into a spreadsheet, the data, not the sanctity and integrity of the application (which are irrelevant), will still be protected.

Messy But Fertile Beats Neat But Sterile

IT has a natural tendency to think about technology in a system-centric way. Systems automate workflow and control access to information. And for a long time these systems made work and workers more efficient. “But there has always been a bright line between IT systems and what people really wanted to do,” says Babson’s Anderson.

“I used to have users come to me as if I was the almighty IT god,” says Israel, who recalls those as “the good old days.” But in that sense, god is dead, and IT’s authority and sense of purpose can no longer derive from controlling how people use technology.

“IT can’t insist on doling out IT,” says Gartner’s Smith. “The demographics of the workforce are changing. Younger people who are more familiar with technology are coming in, and they will not sit still while [CIOs] dole out corporate apps. If you want to retain the best and the brightest, you can’t lock down your environment.”

Smith advises CIOs to try to stop thinking about technology as something that must always be enterprise class. There are plenty of Web-based tools that can meet their users’ needs and not cost the company a dime. “Be open-minded and bring them in where appropriate,” he says.

Does that mean that the enterprise is going to become a messier place? Absolutely. That’s an inevitable consequence of user-centric IT. But messiness isn’t as bad as stagnation.

“Controlled chaos is always OK,” says Gold. “If you want to be an innovator and leverage IT to get a competitive advantage, there has to be some controlled chaos.”

Copyright © 2007 IDG Communications, Inc.
