by Ben Worthen

User Management – Users Who Know Too Much and the CIOs Who Fear Them

Feb 15, 2007 | 17 mins
Consumer Electronics, IT Leadership

A new IT department is being born. You don’t control it. You may not even be aware of it. But your users are, and figuring out how to work with it will be the key to your future and your company’s success.

An April 2006 survey by the Pew Internet and American Life Project found that 45 percent of adults who use the Internet said it has improved their ability to do their jobs “a lot.”

These are your employees, and their message couldn’t be clearer: Technology, at least in their eyes, has made them significantly more productive. But CIOs shouldn’t be patting themselves on the back just yet. For this productivity boost the study credits the Internet, not enterprise IT, not the technology you provide, not, in short, you. And while Pew’s finding undoubtedly includes people who use the Internet to access your corporate applications, Lee Rainie, the Pew project director, says the research is not pointing to what a good job CIOs have been doing.

It tells a different tale.

“The big story is that the boundary that existed in people’s lives between the workplace and the home has broken down,” says Rainie. Almost unlimited storage and fast new communication tools allow people to use whatever information they choose, whenever they want to, from wherever is most convenient for them.

According to Pew, 42 percent of Internet users download programs, 37 percent use instant messaging, 27 percent have used the Internet to share files, and 25 percent access the Internet through a wireless device. (And these numbers are all one or two years old. Rainie “would bet the ranch” that the current numbers are higher.)

Does that sound like the tools you’ve provided your company’s employees? Do you encourage them to download programs and share files? Do you support IM? Have you outfitted a quarter of your company’s employees with wireless devices?

“A consequence of the blending of worlds is that people bring gadgets from their home life into the workplace and vice versa,” says Rainie. For example, a December 2006 survey by found that only 29 percent of companies had a corporate instant messaging tool, a number that seems relatively small when compared with the percentage of people Pew says use IM in the office.

Users have a history of providing their own technology, but the capabilities of today’s consumer IT products and the ease with which users can find them is unprecedented. Thumb drives, often given away free at conferences, provide gigabytes of transportable storage. Google spreadsheets and other online documents let multiple people collaborate in one file. The Motorola Q, a phone that uses the cell network as an always-on high-speed Internet connection (and can be yours for just $125 on eBay) lets users forward their work e-mail to their phones without ever touching a mail server. And that’s only three examples. There’s a consumer technology out there for every task imaginable—and if there isn’t, there’s a tool that will let someone create it tomorrow.

The era in which IT comes only from your IT department is over.

So where does that leave you?

The Shadow IT Department

The consumer technology universe has evolved to a point where it is, in essence, a fully functioning, alternative IT department. Today, in effect, users can choose their technology provider. Your company’s employees may turn to you first, but an employee who’s given a tool by the corporate IT department that doesn’t meet his needs will find one that does on the Internet or at his neighborhood Best Buy.

The emergence of this second IT department—call it “the shadow IT department”—is a natural product of the disconnect that has always existed between those who provide IT and those who use it.

And that disconnect is fundamental. Users want IT to be responsive to their individual needs and to make them more productive. CIOs want IT to be reliable, secure, scalable and compliant with an ever increasing number of government regulations. Consequently, when corporate IT designs and provides an IT system, manageability usually comes first, the user’s experience second. But the shadow IT department doesn’t give a hoot about manageability and provides its users with ways to end-run corporate IT when the interests of the two groups do not coincide.

“Employees are looking to enhance their efficiency,” says André Gold, director of information security at Continental Airlines. “People are saying, ‘I need this to do my job.’” But for all the reasons listed above, he says, corporate IT usually ends up saying no to what they want or, at best, promising to get to it…eventually. In the interim, users turn to the shadow IT department.

For many good and not-so-good reasons, the CIO’s first instinct frequently is to fight the shadow IT department whenever and wherever he detects it. But that approach, according to people who have thought long and hard about this potential war between IT departments, is a recipe for stalemate, if not outright defeat for CIOs.

The employees in your company are using consumer IT to work faster, more efficiently and, in many cases, longer hours. Some are even finding new and better ways to get work done. CIOs should be applauding this trend. But when you shut down consumer IT, says William Harmer III, assistant vice president of architecture and technology of financial services company Manulife, “You end up as a dissuader of innovation.”

Yes, the shadow IT department presents corporate IT with security and compliance challenges. Users could be opening holes in the corporate firewall (by downloading insecure programs), exposing company data irresponsibly (by scattering laptops, handhelds, and thumb drives hither and yon) and handling information in any number of ways that could violate any number of federal regulations. But CIOs need to deal with these problems strategically, not draconically.

“There’s a simple golden rule,” says David Smith, a vice president and research fellow at Gartner. “Never use security and compliance as an excuse for not doing the right thing. Never use these as sticks or excuses for controlling things. When you find that people have broken rules, the best thing to do is try to figure out why and to learn from it.”

Successful companies will learn how to strike a productive balance between consumer IT—and the innovative processes for which employees are using these tools—and the need to protect the enterprise. This will require CIOs to reexamine the way they relate to users, and to come to terms with the fact that their IT department will no longer be the exclusive provider of technology within an organization. This, says Smith, is the only way to stay relevant and responsive. CIOs who ignore the benefits of consumer IT, who wage war against the shadow IT department, will be viewed as obstructionist, not to mention out of touch. And once that happens, they will be ignored and any semblance of control will fly out the window.

And that won’t be good for anyone.

How the Shadow IT Department Works

Here’s an all-too-common response to the shadow IT department, courtesy of Bill Braun, vice president of information systems for the Texas Credit Union League: “What’s good for me is that it’s simple to say no [to consumer IT]. There goes most of the problem. Possibly some of the benefit, but certainly the problem.”

Passing over the fact that Braun admits that he’s willing to forgo the potential innovations consumer IT can provide, this approach also assumes that the shadow IT department has a similar structure to its corporate counterpart and can be managed in the same way.

It doesn’t and it can’t.

The shadow IT department is an entirely different beast.

Corporate IT is highly structured, with one individual or a small group controlling the nodes in a network and their relationships to one another. The shadow IT department, on the other hand, has no central authority and at best an ill-defined hierarchy; nodes join on their own and develop their own relationships. Marty Anderson, a professor at the Olin Graduate School of Business at Babson College, calls corporate IT a command architecture and shadow IT an emergent architecture. Command architectures are set up to make them easy to manage and, as a result, they respond to top-down orders. Emergent architectures contain no dominant node and therefore provide no lever by which to manage them. That’s why it is impossible to kill the shadow IT department or keep it out of your company. It has no head to cut off or single channel to dam.

It’s natural for corporate IT to feel threatened by the shadow IT department, but the truth is that they already coexist everywhere. “The two have always been present,” says Anderson. “The management skill is noticing where they intersect and coming up with a strategy for dealing with it.”

For example, a similar dynamic has long played out in HR. A company’s employees have titles and reporting relationships that give their work a formal structure. But at the same time every company has an informal structure determined by expertise, interpersonal relationships, work ethic, overall effectiveness and so on. Companies suffer when HR is out of phase with the informal structure. Employees are demoralized when the formal architecture elevates someone at the bottom of the informal architecture, and people who occupy the top spots in the informal architecture leave when they aren’t recognized by the formal one. Good HR departments know where employees stand in both the formal and informal architectures and balance the two.

IT needs to learn how to strike a similar balance. Corporate IT isn’t going to go away, and neither are the systems that IT has put in place over the years. But a CIO who doesn’t develop a strategy to accommodate the shadow IT department will be employing an outdated and (more important) an inefficient business model. And, like the HR department that ignores the informal relationships in a company, the CIO might lose sight of how his users actually work. Corporate IT thereby loses its authority and, eventually, the CIO loses his job. It won’t happen quickly, but it will happen. As Anderson puts it, “It will be like getting nibbled to death by ducks.”

How to Make Peace With Shadow IT

Techniques will differ for each company depending upon its business, the degree of regulation to which it’s subject, its risk tolerance and so on, but some principles are universally applicable. Here are some starting points.

1. Find out how people really work.

Whether you know it or not, your company’s employees are using technology of their choosing, or using technology of your choosing in ways you never intended. Brian Flynn, senior VP of IT at BCD Travel, found this out when he deployed software that monitored the content moving across his network. Not only were employees using consumer IT tools (like IM) but they were using IT-provided applications to do things that were clearly security risks (such as sending sensitive information back and forth).

“I am convinced that most companies are flying blind,” says Flynn. “This is going on everywhere and IT just doesn’t know.”

Fight your instinct to discourage these behaviors by legislating against them. Yes, there may be security and compliance risks, but declaring open war on the shadow IT department will only turn it into an insurgency, driving it underground where it will be harder to monitor and harder to negotiate with. Instead, consider this an opportunity to find out where the IT you’ve provided is out of sync with your users’ needs.

2. Say yes to evolution.

CIOs need to make users feel comfortable about bringing their underground behavior into the light. The first step is a change in attitude.

“We tend to think of people who think out of the box as troublemakers,” says Flynn. “But we need to realize that maybe they know what they’re talking about and maybe we should try to meet them halfway if we can.”

Always try to help users figure out a safe and secure way to do whatever it is they’re trying to do. “People get used to [IT] telling them no, and after a while they stop telling you what they’re doing,” says Continental’s Gold. “So we try to say yes, dot dot dot.”

Rob Israel, CIO of the John C. Lincoln Health Network, has developed a policy that formalizes this mind-set.

“I’m the only person in IT allowed to say no,” he says. Conversely, his IT employees have only three options: approve a request, research it or pass it up to him. According to Gold and Israel, getting a reputation for saying yes will encourage users to come to you with ideas. That gives you the chance to learn what it is that the user is really trying to do and come up with a way to do it that won’t compromise security.

As irrelevant or irresponsible as some shadow IT projects seem on the surface, it’s important to accept the fact that users do things for reasons. If they are e-mailing critical files among themselves, it’s because they need to work on something from a different location and that’s the most direct solution that they can come up with. IT’s job shouldn’t be figuring out how to prevent the user from accessing and moving files, but rather to find a solution that lets him take that file home in a way that doesn’t make the company vulnerable and isn’t any more complex than the method that the user discovered on his own.

That last part is important. “No one,” says Flynn, “will jump through hoops.” They’ll go around them.

Gold says that most shadow IT projects are attempts to solve simple problems, and it’s easy for CIOs to mitigate the risks if they’re willing. For example, Gold found that people were taking files home on thumb drives. Instead of trying to outlaw the practice, he began distributing thumb drives with encryption software on them. The users’ experience never changed. “It was common sense to keep both security and how people work in mind,” he says.

3. Ask yourself if the threat is real.

The other part of developing a say-yes reputation is realizing which shadow IT projects really represent a security threat and which just threaten IT’s position as the sole god of technology provisioning. Maria Anzilotti, CIO of Camden Property Trust, a real estate developer, says that she has continued to allow IM even though most people use it for nonwork purposes. “We looked at the risk and decided it wasn’t worth [shutting it down],” she says. “A lot of people use it to communicate with their kids. It’s faster and less disruptive than phone calls.

“We keep an eye on it.”

Killing a shadow IT app without appreciating how thoroughly it’s been integrated into a company’s workflow can have unanticipated and unfortunate consequences. When Gold shut down IM at Continental, he got an angry call from an employee in the fuel management group who was using it (successfully) to negotiate jet fuel pricing for the airline.

When a CIO prohibits people from using a technology that doesn’t pose a real security threat or doesn’t adversely affect his budget, he is setting himself up as a tin idol, a moral arbiter. That’s a guaranteed way to antagonize users. And that’s never a good idea.

4. Enforce rules, don’t make them.

There’s a fine line between providing access to data and determining who should have access to it. And Manulife’s Harmer says IT often crosses it.

“I own the infrastructure,” he says, “but the business owns the data.” IT creates artificial hurdles for employees when it makes blanket judgments about access that affect the entire company. “The key is not to paint all the users the same,” says Harmer.

Lincoln Health’s Israel deals with this challenge every day. It’s one thing, he says, for his nursing staff to search the Internet for the word breast; it’s another for someone in the accounting department. But if Israel installed a filter that prevented access to (apparently) pornographic websites, his nurses might not be able to find information that they need to treat a patient. The solution is for IT to provide tools that let an individual’s manager decide what information she needs to do the job.

“IT doesn’t know everything the business knows,” says Gold. “So it’s hard for me to make rules about who should have access to what.”

5. Be invisible.

Most companies have long lists of policies and regulations with which everyone must comply. But lists don’t enforce themselves.

“I wrote all the policies [here], and I only know two of them well,” says Israel. “So it’s unreasonable for an IT department to expect users to know them all. But we can put systems in place that put some automation behind our policies.”

Manulife’s Harmer says that the key is to develop an approach that secures data without depending upon how a user accesses it or what he does with it.

“The way I approach it is to bring the controls closer to the data,” he says. “That means not relying on a firewall but trying to figure out what I’m actually trying to protect and then dealing with it appropriately.”

At Continental, this type of approach has led to a change in the way the IT department designs systems. “Ninety percent of the applications we have that involve sensitive data are things we’ve written,” Gold explains. All that data was protected…as long as the user accessed it from the application IT built. But when a manager tried to compare revenue for different cities by copying the data into Excel (something Gold says happens routinely), the information was suddenly placed at risk. With this in mind, Gold encouraged the IT department to build encryption and other safeguards directly into the applications. That way, when a user pastes the revenue figures into a spreadsheet, the data, not the sanctity and integrity of the application (which are irrelevant), will still be protected.
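The data-centric approach Gold describes, shown as an added example that is not Continental's code or part of the original article: a small Python module that protects sensitive fields inside the application, so that rows a user copies out (into a spreadsheet, say) carry ciphertext and an integrity tag instead of plaintext, and an altered cell is rejected when it comes back in. It uses only the standard library; the HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is a self-contained stand-in for a vetted AEAD such as AES-GCM, which a real deployment would use. The function names, the `enc:` marker and the sample revenue rows are all constructed for this illustration.

```python
"""Field-level protection that travels with the data (added example, stdlib only)."""
import base64
import hashlib
import hmac
import secrets

PREFIX = "enc:"  # constructed marker so an exported cell is recognisably protected


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive independent subkeys for encryption and authentication from one app key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF stream (demo substitute for AES-GCM)."""
    blocks = [
        hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def protect_field(key: bytes, value: str) -> str:
    """Encrypt one cell with a fresh nonce, then MAC nonce + ciphertext."""
    nonce = secrets.token_bytes(16)
    plaintext = value.encode("utf-8")
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return PREFIX + base64.b64encode(nonce + ciphertext + tag).decode("ascii")


def unprotect_field(key: bytes, token: str) -> str:
    """Verify the tag before decrypting; reject anything edited or foreign-keyed."""
    if not token.startswith(PREFIX):
        raise ValueError("not a protected field")
    raw = base64.b64decode(token[len(PREFIX):])
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field was altered or protected under another key")
    stream = _keystream(_derive(key, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode("utf-8")


def export_rows(key: bytes, rows: list, sensitive: set) -> list:
    """What leaves the application: sensitive columns are ciphertext, the rest plain."""
    return [
        {col: (protect_field(key, str(val)) if col in sensitive else val) for col, val in row.items()}
        for row in rows
    ]


def open_rows(key: bytes, rows: list, sensitive: set) -> list:
    """What the application reconstructs when protected rows come back in."""
    return [
        {col: (unprotect_field(key, val) if col in sensitive else val) for col, val in row.items()}
        for row in rows
    ]


def tamper(token: str) -> str:
    """Flip one ciphertext byte to simulate a cell edited outside the application."""
    raw = bytearray(base64.b64decode(token[len(PREFIX):]))
    raw[16] ^= 0x01
    return PREFIX + base64.b64encode(bytes(raw)).decode("ascii")


# Constructed sample records; not real airline data.
SAMPLE_ROWS = [
    {"city": "Houston", "revenue": "1250000"},
    {"city": "Newark", "revenue": "980000"},
]
SENSITIVE = {"revenue"}


def demo(key: bytes) -> dict:
    """Round-trip the sample rows and show that an edited cell is detected."""
    exported = export_rows(key, SAMPLE_ROWS, SENSITIVE)
    reopened = open_rows(key, exported, SENSITIVE)
    try:
        unprotect_field(key, tamper(exported[0]["revenue"]))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"exported": exported, "reopened": reopened, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    result = demo(secrets.token_bytes(32))  # the app key would live in a key store
    for row in result["exported"]:
        print(row)  # city in clear, revenue as enc:... ciphertext
    print("tamper detected:", result["tamper_detected"])
```

The design point is the one Harmer and Gold make: the firewall and the application's own screens are not what keeps the revenue figures safe. The protection is attached to the field, so a pasted spreadsheet holds nothing readable, and only the application (or another system holding the key) can open it; the key, not the access path, becomes the thing to guard.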

Messy But Fertile Beats Neat But Sterile

IT has a natural tendency to think about technology in a system-centric way. Systems automate workflow and control access to information. And for a long time these systems made work and workers more efficient. “But there has always been a bright line between IT systems and what people really wanted to do,” says Babson’s Anderson.

“I used to have users come to me as if I was the almighty IT god,” says Israel, who recalls those as “the good old days.” But in that sense, god is dead, and IT’s authority and sense of purpose can no longer derive from controlling how people use technology.

“IT can’t insist on doling out IT,” says Gartner’s Smith. “The demographics of the workforce are changing. Younger people who are more familiar with technology are coming in, and they will not sit still while [CIOs] dole out corporate apps. If you want to retain the best and the brightest, you can’t lock down your environment.”

Smith advises CIOs to try to stop thinking about technology as something that must always be enterprise class. There are plenty of Web-based tools that can meet their users’ needs and not cost the company a dime. “Be open-minded and bring them in where appropriate,” he says.

Does that mean that the enterprise is going to become a messier place? Absolutely. That’s an inevitable consequence of user-centric IT. But messiness isn’t as bad as stagnation.

“Controlled chaos is always OK,” says Gold. “If you want to be an innovator and leverage IT to get a competitive advantage, there has to be some controlled chaos.”