Digital cameras didn’t creep up on the Drees
Company as much as they pounced. Five years ago a lot of
employees at the $1.1 billion real estate company weren’t
even using computers. Today, those same employees are
responsible for one of the company’s more innovative uses
But at first, says Brian Clark, Drees’s manager of
data management, the company wouldn’t support the
devices. Technology that wasn’t approved by the IT
department was not supported in the workplace. But employees
ignored the rules. “This was when cheap digital cameras
were first coming onto the market,” Clark recalls. People
used them to take pictures of under-construction homes, upload
the pictures to their work computers, and then e-mail them to
out-of-state buyers, insurance brokers or contractors. Clark
admits it was a great idea. It’s a lot easier to show a
contractor a picture of the place on the wall that needs fixing
than to try to describe it on the phone. Soon, however, the
behavior reached a tipping point, which was when Clark knew he
had to fix it.
Every camera had its own proprietary software, and the IT
department didn’t have the resources to test every one to
find out what it would do to its environment. When rogue
cameras occasionally would appear, Clark made it clear that his
department wouldn’t help users with any technical
problems. IT also tried to find a camera solution the company
could use because the business benefits were undeniable.
Finally, about a year ago, a user suggested that Drees use
Picasa, a free, camera-agnostic photo management application
from Google. Clark ran a few tests, determined that it
didn’t pose any risks and rolled it out. Picasa is now
standard on every Drees computer.
Picasa is a free consumer application; a company using it
doesn’t have to pay for licenses, but it won’t get
any support from the vendor either. A recent survey by CIO
magazine of 368 IT leaders found that 41 percent wouldn’t
even consider such an application for use in their enterprises.
But Clark, like the majority of technology executives surveyed,
sees it differently. “Our attitude has changed a
lot,” he says. “First, you can’t dismiss
Google anymore. They aren’t some fly-by-night
company.” Second—and he has learned this from
experience—using freely available software can have a
huge ROI. “We don’t teach people how to use
it,” he says. “But when they do, it allows us to
leverage someone else’s work at little to no cost. How
can you not win in that situation?”
That question is confronting CIOs with increasing
regularity. And more often than not, the people asking it are
end users. Consumer technology is now better than corporate
technology by a factor of 100, maybe even 1,000, says Stowe
Boyd, a senior consultant with the Cutter Consortium. “It
is significantly better, no matter how you measure
innovation,” he says. As information technology shifts
from a tool used almost exclusively in the workplace to one
used in every facet of life, users’ expectations for what
technology should be able to do are shifting as well.
But those expectations only go so far. Users care whether
technology is easy to use or makes them more productive. They
don’t stop to think about how something fits into an
enterprise computing environment. Corporate IT, on the other
hand, has a responsibility to consider security, compliance and
the impact an application or device has on the company’s
infrastructure. The latest consumer IT tool might need testing,
management, monitoring and support. In other words, it
isn’t the no-brainer it may first appear to be.
It’s these hidden issues that often lead IT to delay
or ban consumer technology. And when this happens, IT risks
appearing as an inhibitor to innovation, a part of the company
that users don’t rely on as much as they bypass. Many
CIOs feel this in their gut. Among respondents to our survey,
two-thirds or more reported that employees at their companies
either download programs, use instant messaging or participate
in social networking sites (see chart). But with the exception
of instant messaging, fewer than half of the respondents
officially support these applications.
Instead, users are getting this technology from the shadow
IT department—a catch-all term for the applications and
devices that are available on the Internet or from the local
consumer electronics store. Users turn to shadow
IT when they need to make themselves more productive and they
aren’t getting the tools they need to do so from
corporate IT. This, in turn, opens up new challenges for CIOs
and IT departments, since users have not properly evaluated the
impact of these technologies. But all is not lost. Shadow IT
can be managed and even leveraged—if only one rethinks
the role of IT as shifting from being the provider of
technology to the facilitator of its use.
Furthermore, CIOs must look beyond simple ROI and efficiency
measures to calculate the value of shadow IT, says Boyd.
“Personal productivity is a part of it,” he says.
“But it is also about feeling connected.”
What Is Shadow IT?
Shadow I.T. refers to technology that consumers can
get on the Internet or at their neighborhood
electronics store. These tools, which include Web-based
e-mail, instant messaging, iPods, USB storage and more,
are the tools people use in their nonwork lives. And
now they are starting to use them in the workplace.
Think of these applications and devices not just as
a loose collection of tools that can be treated as
one-offs, but as the product of a separate IT
department staffed by individual users. The difference
is simple: If all you have in your organization is a
series of one-off user-driven projects, all you have to
do is shut them down. But a shadow IT department is a
force, and when it emerges, suddenly IT’s
monopoly on technology is over.
That’s the point we’ve reached. From now
on IT will have to compete with the shadow IT
department for every user. If a user doesn’t get
the technology he thinks he needs to do his job from
you—or gets a solution that doesn’t work as
well as she wants—the user can get an alternative
from the shadow IT department.
To succeed in this new enterprise environment, CIOs must
learn the art of compromise. They need to engage users in a
constant dialogue about the pluses and minuses of new
technologies and to concede that users can share responsibility
for choosing and managing business applications.
It also means picking your battles, so that security and
regulatory compliance and the desire to preserve the current
environment don’t come at the expense of user
productivity. And when concerns about security, compliance or
manageability do win out over the potential business benefits,
it is important to communicate to users exactly why that
decision was made in terms that they understand.
“If you are just going to sit around in your office
and pontificate about security and technology you will be in
firefighting mode all day long,” says Alan Young, CIO of
the Southern Ute Indian Tribe, where he supports an oil and gas
company, a casino, a tribal government and an investment fund,
among other businesses. “You have to evolve.”
Here’s what to do:
1. Share the Sandbox
The IT department used to control all technology. And among
corporate IT staff, many still feel that users aren’t
responsible enough to handle technology on their own. If you
doubt this, search Slashdot.org for the term
That’s one reason why corporate IT is often quick to
dismiss technology projects initiated by users. But technology
encompasses too many categories for the modern IT department to
keep up. CIOs have to start thinking differently about what
they really need to be responsible for and which
responsibilities they can share with users. The way to start is
by identifying what is critical to protect the enterprise. One
emerging strategy is to secure the network and not worry about
client devices—until they connect with the network.
David Steinour, CIO of Furman University, had to learn how
to secure a network while at the same time maintaining zero
control over what it is used for. Once, several years ago,
Steinour worked at a different school, where he limited access
to peer-to-peer file-sharing networks. He thought he had good
reasons: He was receiving complaints about copyright
infringement from the music industry, and the traffic was
eating up almost all his bandwidth. After limiting access, the
university president received complaints from
parents and students. The complaints finally stopped when
Steinour explained his rationale, but the experience taught him
that he could not control everything users put on their
computers or limit what they download. The faculty, for
instance, had legitimate reasons for using file sharing.
Nevertheless, Steinour stakes his job on protecting the
network. Before anyone at Furman can connect to the enterprise
network, her computer has to undergo a scan and have its virus
definitions updated. The first time a user connects, this takes
about a half hour. The process is invisible thereafter.
“There is no possible way we can police everything that
goes on,” says Steinour. “So I protect the
institution, not the individual.”
The same network-centric approach can work in a corporate
environment. “I am a data socialist,” says Young,
exhibiting this new virtue. “I don’t own the data.
My customers own the data.” Young has realized that he
can’t control everything that the businesses on the Ute
reservation want to do with IT any better than he can predict
them. For instance, the equity traders who work for the
tribe’s investment fund have to do all kinds of research;
it would handicap them if Young blocked certain Internet sites
or refused to let them use certain research tools. “I am
open to having other forms of tech in our mix without being a
snob about it,” he says. “We have guys downloading
data from FTP sites.”
“I am more wide open today than I have ever
been,” he adds, but “it’s not like I opened
up port 80 and said have fun.”
In fact, Young has compensated for loosening the control on
what end users do by tightening his control on the part of IT
that no one else can touch without his permission: the
corporate network. “I know everything that is happening
on my network at all times,” he says matter-of-factly. He
uses a variety of applications, including Websense content
filtering software and intrusion detection and monitoring tools
from Cisco, to gain real-time insight into everything that is
happening. If he finds something on the network that
shouldn’t be there, he acts. It’s a way of ensuring
security without inhibiting users. And in those rare instances
where Young does have to restrict an activity, it is as part of
a compromise. For example, he doesn’t allow people to
send encrypted JPEG and GIF files because virus prevention
software can’t detect viruses embedded in them. But
anyone who wants to send an image can send it unencrypted, or
send a link to the website where the image resides.
“Shadow IT” Is Everywhere
IT leaders acknowledge most employees use unsupported technology.
TYPE OF TECHNOLOGY | EMPLOYEES USING IT | I.T. DEPARTMENTS SUPPORTING IT
Social networking sites
Internet file sharing
2007 CIO Magazine Consumer Technology Survey of 368 IT leaders, conducted in March 2007. Margin of error plus or minus 5 percent.
2. Know the Business Case
One of the challenges with shadow IT systems is that they work
great for the users—they are usually the most customized
solution a user could find. But an application that works for
an individual user may not work for the company. A shadow
system may not scale, it may open up a hole in the firewall or
it may conflict with another system the company runs. Corporate
IT departments normally test for compatibility with the
existing environment and calculate operating costs before
deploying any new system; for these reasons, nominally free
software might still cost thousands of dollars to deploy.
“Free isn’t always free,” explains Dwain
Wilcox, vice president of information technology for Millipore,
a $1.2 billion biotech company. “Even though it is free
and enhances productivity, we have to go find out what the
hidden issues are.” This is why Drees at first
didn’t let people bring their own cameras to work.
“Supporting one person with one camera is not a
problem,” says Clark. “Supporting 200 people with
200 cameras is.”
Finding a product that works as a corporate standard can
solve such problems, however. “With one standard
[application], supporting 200 cameras is suddenly doable
again,” says Clark about his company’s decision to
deploy Google’s Picasa. Like Clark and Wilcox, 30 percent
of the respondents to the CIO survey study the business case
for a consumer IT project to see if it can be mainstreamed.
Identifying a scalable version of a consumer technology to
test and deploy across the enterprise is no different from what
CIOs have always done with e-mail and other enterprise systems.
“We standardized on BlackBerrys early on,” says
Wilcox, the Millipore VP, whose employees use the devices not
only for e-mail but also to access corporate data on
Millipore used to support a variety of devices. “We
were finding that setting up new users took a really long time,
an hour or two,” says Wilcox. “Imagine doing that
across the enterprise—it increases the amount of work for
IT exponentially.” But once the company adopted
BlackBerrys for everyone, the work became manageable, because
the IT department had to learn only once how to set up a new
There were trade-offs, of course. The people who used Treos
or Windows devices were upset that they had to switch. But at
the end of the day there wasn’t really anything that they
could do on those devices that they couldn’t do with a
BlackBerry. Plus, Wilcox was able to sweeten the deal with
access to Salesforce.com. So in the end, Wilcox says, they came
around. Again, it was a good compromise.
3. Pick Your Battles
As our survey revealed, most companies have shadow IT systems.
Yours probably does, too. But you know you don’t have the
resources to stay on top of everything. That’s why
it’s important to pick your battles. For example, when
data protection is a concern, pay close attention to the parts
of your business where the most important information is.
“In our case that’s the R&D
organization,” says Wilcox. “You really don’t
want those guys storing their research data using a free
software as a service tool. But the sales guys using a
collaboration tool? That’s a different story.” If a
rival found out a new formula that Millipore was working on,
that would be a big problem. But a few sales leads? Not the end
of the world.
Furman University’s Steinour puts it this way: You
need to evaluate risk versus cost. Not from a traditional ROI
perspective, necessarily, but from a resource allocation
standpoint. You can’t protect everything all the time.
“For me it comes down to three priorities,” he
says. “Protect the institution, protect the staff, and
protect the network. I do everything I can to provide security
for our data and I have policies and rules to protect the
One thing that he allows, despite the potential security
risk, is instant messaging, just like 58 percent of the
companies CIO surveyed. The students use it—there is no
way to prevent that—but so does the school’s staff,
who use a sectioned-off part of the network and have usage
guidelines more like those of the average company. “We
standardize on our scheduling and e-mail, but when we get down
to how people want to communicate, we do not enforce
The reason Steinour has decided to be flexible with IM is
that almost nothing people use IM for is sensitive. People
might use it to ask a colleague if she is around before walking
across campus to her office. Or they may use it for personal
reasons, to tell a spouse when they’ll be home for
dinner. Thus, says Steinour, “We will never consider
looking at it unless there is something that happens on that
port and we have a network security incident.”
4. Be Human
Whenever IT equips a user with a laptop or a BlackBerry, it
comes with an implicit message: You can work from anywhere. In
most cases that message gets extrapolated to, You are expected
to work from anywhere, be it home or your hotel while you are
traveling. In fact, the barrier between the professional and
the personal has all but disappeared for many workers. A study
of more than 200,000 workers conducted by the employee research
firm ISR found that between 2002 and 2005 the number of workers
who said that their jobs seriously interfere with their private
lives rose from 24 percent to 34 percent. So why
shouldn’t employees be able to bring some elements of
their personal life into the workplace? That’s a question
CIOs need to start asking.
“We realize the reality of the workplace and we want
to make it employee friendly,” says Brent Holladay, chief
deputy of information resources for the Lake County (Fla.)
Clerk of Courts. “In government we can’t use pay as
the only incentive.” Letting workers use personal
technology is one way to be flexible. Holladay has decided, for
example, to let people listen to music on their computers,
provided that they show their managers they can still get their
Employees are discouraged from bringing iPods into the
workplace and from listening to music in the office at
Millipore. That said, “We realize from time to time
people will have music files on their laptops while traveling
or whatnot,” says Wilcox. And he lets them, because he
doesn’t want work to encroach on people’s lives
any more than it does. But when Millipore backs up its files
every night, sometimes the company ends up backing up
someone’s MP3s. “We try to exclude that stuff
whenever we can,” he says. “But it happens, and it
is a bandwidth hog.” However, he thinks that’s a
small price to pay for happier employees.
Most Companies Tolerate Shadow IT
CIO asked 368 IT leaders how their IT departments approach unsupported technology.
42 percent said their IT department
monitors the use of such technology for risk to their
30 percent said they study the
business case for mainstreaming the technology.
28 percent said they shut it down
as soon as they detect it.
In addition, 61 percent of IT
organizations allow end users to find and use their own
software applications. But most want users to ask
5. Talk to Users
Pop quiz: Do you remember every form you signed when you
joined your company and what policies you agreed to follow?
Most users don’t know either. That’s why relying on
written policies is the worst way to influence user behavior.
There are some shadow IT systems that CIOs absolutely have to
shut down or prevent from being installed in the first place.
But counting on a memo to make that happen is a mistake.
“I don’t like to have a lot of policies,”
says Wilcox. “There are certain ones you have to have to
CYA, but we don’t have tons and tons of them.” For
example, Millipore lets employees store personal information on
their work computers, and there’s a written policy that
says the company owns any information on a company laptop. But
usually Wilcox “relies on verbal communication with the
users, starting at the top.”
“Most managers, when you talk to them, they know you
can’t do things one off,” he says. “In this
day and age, protection and privacy of info is vitally
important. And they know that.” In order to make them
understand what IT is going through he tries to put policies
into terms that they will understand, drawing on similarities
between what the company goes through and what users experience
in their own life with their own data.
“Are you sure that [the shadow IT project] is
trusted?” Wilcox asks users. “Would you be
concerned if it was your personal information?”
It’s also possible to draw on past experience.
“We’ve had just enough instances where something
happened that wasn’t serious but could have been,”
says Lake County’s Holladay.
His office has had to deal with everything from viruses that
almost shut the office down, to users who didn’t lock
their computers, potentially allowing anyone to access hugely
secure court records. In each case the users knew they had done
something wrong and that it could have been much worse. Call it
the guilt approach, but Holladay says that people listen when
you explain the risks of a shadow IT system in terms that they
can relate to personally.
In one case Holladay encouraged people to install their own
screen savers, part of his strategy to create a friendlier
workplace. But people started sharing them with each other,
which was a copyright violation. Holladay applied his standard
test—how would he feel if the local newspaper wrote a
story about what was going on? He imagined the headline,
“Copyright Violations Run Rampant at County Clerk’s
Office,” and used it as the rationale to explain why he
had to outlaw the practice.
The ability to communicate well is the key to keeping
dangerous shadow IT projects from popping up. The
responsibility doesn’t fall just to the CIO but to the
entire IT staff. And it requires a conscious effort. “Any
time one of my staff is out at a desktop they are communicating
our policy,” says the Southern Ute’s Young.
“That is the form of communication that stays forefront
in the mind of the user and my staff.”
That interaction is a chance to advertise corporate
IT—not just the services it provides, but also its
openness to new ideas. And at the end of the day, whether IT is
perceived as open and helpful could be the difference between
having to compete with a shadow IT department or not.
Clark believes the defining characteristic of a company that
has a shadow IT problem “is if the users have stopped
bringing ideas to you. Do they just assume you will say no? In
any good company users are going to be bringing ideas