by Stephanie Overby

What CIOs Should Do About Rogue IT

Feature
Aug 31, 2011 (15 mins)

CIOs no longer control all of a company’s technology choices. But they still need to manage risk and save rogue users from themselves.

The CEO has fallen head over heels for his iPad. The marketing team has set up shop on every social media site known to man. The sales group has secretly purchased its own software-as-a-service subscriptions. Meanwhile, the VP of operations is wondering whether there isn’t something better out in the cloud that the company could use to run its supply chain.

The whole world, it seems, is going rogue.

And why not? With the consumerization of IT, the rise of the cloud, and unrelenting business demands for technology, who isn’t wondering if they can’t bypass IT for technology that’s better, faster or cheaper? Forrester Research has dubbed this the empowered era of corporate IT. “Business is playing a greater and greater role in IT decisions,” says Forrester vice president Matt Brown. “It’s a long-term trend.”

Mark Schwartz, CIO for the U.S. Citizenship and Immigration Services (USCIS) department, understands what’s behind the shift. When employees see a way to improve a process or require technology to enable a new business need, they want to take action right away, Schwartz says. “The IT organization—with its constrained resources, backlog of projects, governance processes and controls, and focus on security and maintainability—can’t always help or respond quickly enough.”

Experienced IT leaders will recognize the beginning of a story that usually has an unhappy ending. Remember when low-cost servers were introduced? Business units, frustrated by flatfooted IT organizations, bought their own. And once they realized how costly and difficult it was to manage their impromptu server farms, they promptly plopped them back in IT’s lap. The PC revolution? Same story, different decade.

But this time, forward-thinking CIOs are being proactive, in the hope that they can alter the ending of this oft-told tale. The challenge now is figuring out how to get to yes. CIOs are thinking about how to make better and faster technology choices, educating business colleagues about the enterprise risks posed by those choices, and developing guidelines—or conversation starters—to help business leaders make some of their own IT decisions.

In the future, corporate technology decision-making won’t be paternalistic; it will be partnership-based. IT will not control all of a company’s technology choices. But CIOs must retain control over their companies’ technology narratives. Whenever possible, IT shops will figure out how to meet business needs faster and more flexibly. But when they can’t, IT leaders must ensure that shadow IT shops act as true shadows—making the kinds of choices and trade-offs that IT would have made for them.

It’s a difficult transition for the traditional IT organization, but it’s not optional. “If you don’t support some piece of technology, a user will go out and do it on their own,” says Andy Mulholland, global CTO of consultancy Capgemini. “We’ve crossed the Rubicon. The thought, ‘If I deny it, I will drive it out of sight,’ is nonsense.”

The New IT Mantra: Yes, We Can

When Lisa Davis joined the U.S. Marshals Service as CIO three years ago, the federal law enforcement agency was thick with do-it-yourself IT. “Customers had lost confidence in IT and went ahead and found solutions to meet their needs,” Davis says. In addition to consolidating and stabilizing the technology environment, Davis also had to tame the insurgency. Her campaign to do so was grounded in one simple word: yes.

Business users weren’t adopting their own IT because they wanted to. “The answer from IT had always been ‘no,’” says Davis. For example, when marshals wanted to connect with state and local police using the agency’s network, IT refused the requests. So each field office set up ad hoc connections—at great cost to the agency. Today, it’s a different story. “We find every way to say ‘yes’” while considering cost, security and the requirements of federal law, says Davis.

One way is to take the initiative. Davis surveyed users to learn about the IT capabilities they imagined having in the next several years. The prevailing vision was one of mobility. Davis quickly set up an iPad pilot program. “They all want the newer and slicker technology, and one way to scratch that itch is to have proof-of-concepts to test them out,” she says.

Together with 60 business users, IT developed several operational-use scenarios, such as language translation at the U.S.-Mexico border and operation planning for fugitive apprehension.

Now IT is developing the business case to justify a larger purchase of iPads, which would replace laptops or desktops for some users. The effort will satisfy that business yen for the latest and greatest, provide a more appropriate tool for some processes, and cut capital equipment-replacement costs.

At National Geographic Global Media, employees’ unhappiness with workplace technology was apparent in the results of CEO John Fahey Jr.’s employee satisfaction survey. The business environment was changing rapidly, expanding from magazine, book and map publishing to include film and television production and distribution, Web properties, interactive tablet publishing, and gaming. Yet IT wasn’t keeping up with the need for new productivity tools.

The employee satisfaction survey in 2009 found discontent with the antiquated email system, the mobile device options, and the old computers. Corporate leaders created an IT council to tackle the complaints. Last year, Senior Vice President and CTO Stavros Hilaris put email in the cloud, began offering users a choice of smartphones and tablets, and revamped the hardware refresh rate. The key, says Hilaris, “is to work in partnership with your business colleagues, understand and address their challenges and pain points, and understand the industries you’re a part of in order to anticipate and plan for changes that are on the horizon.”

The larger the organization is, however, the harder it is to keep tabs on what the business wants. Capgemini’s Mulholland has a trick for figuring it out: Ask the CFO for data on technology spending by individual business units. “[IT leaders] always come back slightly shocked because it’s going on more than they thought,” Mulholland says. But they also come away with a list of people to focus on. “Ask them what you can give them, how you can support them better,” advises Mulholland. “Come in as a friend to help them, not an enemy to stop them.”

Of course, saying “yes” isn’t always easy—or right. That puts Schwartz’s team in an uncomfortable position. They feel, he says, “a strong sense of responsibility” for maintaining security, complying with regulations and spending money wisely. “Saying ‘yes’ can easily feel risky,” Schwartz adds, so he’s found a middle ground. Now IT says, “We can if….” The idea is to ultimately say yes by first finding the conditions—whether they’re adding user support resources or hiring experts in a new technology—under which that “yes” becomes possible. “Tell me what would need to change in order to be able to solve the business problem,” Schwartz says.

Help End Users Help Themselves

Getting to yes is just a start. The demand for new technology and the speed at which business needs are changing mean that many IT organizations are no longer capable of managing it all on their own. “Where this leads us to is a place where the IT department is going to have to stop doing what it’s been doing for many, many years, which is, ‘Here’s our standard. Take it or leave it,’” says Ken Dulaney, vice president and distinguished analyst for Gartner. “IT is going to have to let the end user decide where they want to be in terms of service levels and risk.”

The first step is to bring the basis for IT decisions into the open.

Davis created a customer guide to IT’s solution-request process at the U.S. Marshals Service. “It removes the mystery of why it seems to take so long for IT to get anything done,” she says. “It illustrates the entire process.” The guide covers every step, from the “Aha” moment when users think of a technology need through articulating requirements, evaluating products and choosing vendors. She’s also setting up what she calls a CIO Store on the intranet to list software the agency already owns. When someone is shopping for a specific tool, he can look in-house first. He might still go buy something different, but Davis’s hope is that users shop smarter. (For more on improving communication with end users, see “Tips for Taming Rogue IT.”)

But it’s not enough for IT to reveal its secret rule book; CIOs should also rewrite some of the rules.

Dulaney says CIOs will move toward providing users with a menu of IT options. He calls it “managed diversity”: different user choices result in different responsibilities for IT. If users want a technology IT has approved, they get full IT support. If they want technology IT hasn’t blessed yet, the IT group may help out, but it won’t take full responsibility for installing or supporting it. Somewhere in the middle, if a business leader wants to choose her own device, IT makes sure data is delivered to it, but the user has to get her own hardware support. Few IT shops are there yet, says Dulaney, “but this is where we have to go.”

In a perfect world, says Susan Cramm, founder of IT leadership consultancy Valuedance, IT would define technology investment policies rather than policing every IT business case from creation to approval. CIOs would provide a list of approved vendors instead of getting involved in all technology provisioning. Technologists would control access to data and applications rather than devices. “IT is at a crossroads. It needs to either figure out how to bring shadow IT out of the dark and into the light or risk being marginalized as increasingly tech-friendly business leaders take innovation into their own hands,” says Cramm, a former CIO and CFO. “It’s time for IT to control what matters.”

To get there, the IT organization needs to offer master classes in IT decision making. “Business managers—god love ’em, and I do love ’em—can be naïve,” says Capgemini’s Mulholland. “Some of these guys might be individually bright, but don’t understand risk.” Capgemini’s internal IT organization now develops guidelines for business users in how to mitigate risk when choosing and using IT by, for example, spelling out which services or providers are trustworthy and under what conditions.

There’s no shortage of ghost stories in IT circles about such horrors as frustrated marketers setting up their own IT organizations. So Jay Burgess, CIO of Muscogee Nation Casinos, takes preventive measures. He offers business units, such as marketing, a manager-level IT liaison who can commit IT resources to their projects. “The business brings him in as one of their own. He becomes the IT marketing guy, and it gives the marketing group the feeling that they have their own IT. His or her job is to become not just a liaison, but a translator of their business needs into IT strategy.”

The goal is to direct, not to dictate. “We set forth a group of standards, but the business unit is free to make adjustments within them,” says Burgess. At some point, however, too much free rein makes IT unmanageable. Business processes may fail and people may get hurt. “Our business funds the tribal government,” says Burgess. “If we allow the business to fall on its face and we’re not there to pick them up, healthcare clinics shut down, people don’t get their food stamps.”

It’s a constant balancing act. “Standards are guidelines, not a brick wall,” says Burgess. “They allow us to operate with some kind of discipline, but if the business is really trying to grow and really has a need, we need to adjust to meet that.” He wants to talk about it first, though. For example, it’s the casino’s policy that operational systems should be integrated with the company’s core strategic systems, such as ERP. However, the purchasing module offered by its ERP vendor wasn’t ideal for the casino’s food and beverage managers and purchasers, who wanted to break items down by ingredient to track food costs. IT bent the rule, allowing them to purchase a more effective tool and integrate that with the ERP system. It was a difficult project, but “this flexibility achieved the business goal while preserving the spirit of our policy for integration,” says Burgess.

At the USCIS, Schwartz is working on several fronts to create a kinder, gentler IT image by making development processes more agile, streamlining controls, acquiring virtual server capacity and using lightweight development tools. “I don’t want a power struggle,” he says. The flexible infrastructure, which includes reusable services, also lets people use IT more freely. “We can help them craft their own solutions without time-consuming development work and without compromising the security and integrity of our IT systems environment.”

Technology Risk for Dummies

Some industry watchers say today’s user-driven IT environment suggests users should share more technology risks, but Schwartz doesn’t see it that way. “One of IT’s contributions to the business should be its assessment of and position on risk management.”

But a shared understanding of the risks to which technology exposes the enterprise is a must. “There still remains, in many organizations, a lack of understanding by the end user of what IT does,” says Gartner’s Dulaney. “It’s an educational process, but just teaching end users about what IT does doesn’t go far.”

The business gets a better handle on risk management, Dulaney says, when IT involves it in evaluating risk profiles and value propositions. “It all comes down to explaining the consequences of each decision and having them choose, [because] telling them what to do just leads them to do the opposite.”

At the National Geographic Society, joint risk-management decisions are now the rule. “By engaging the business owners and partners in the decision-making process, they understand the risk and share in the decisions regarding the amount of expenditures we will incur to mitigate risk,” says CTO Hilaris.

Security and risk management are business decisions, says Schwartz. “I don’t want to talk to the business users abstractly about security best practices, or about man-in-the-middle attacks. I want to tell them instead about the potential consequences of a security breach on the agency and the people whose lives we affect.” For instance, what if a hostile organization could hack into USCIS systems and grant citizenship to a terrorist? Or a repressive government could find out which of its citizens wanted to emigrate to the United States? Those questions get people’s attention. “Risk management and security are business decisions,” says Schwartz, “and need to be framed that way.”

Sometimes the best way for business users to understand the risk of making a bad technology choice is to let them do it, suggests Burgess with the Muscogee Nation Casinos. Last year, the casinos’ HR department wanted a new e-learning platform that wasn’t on its list of approved IT projects. After Burgess explained that IT staff were busy with HR’s other projects, the department decided to deploy the e-learning platform by itself. The technology seemed straightforward, and the vendor promised a two-month turnaround.

Two months turned into six, and HR, feeling pressure from the board, called IT for help.

It turned out that the vendor had no viable plan for registering employees for the new tool. IT wrote the queries to retrieve the necessary employee login data, but the vendor had changed the import process and failed to inform anyone. So although the system appeared to work, the passwords didn’t. Angry users overwhelmed HR with complaints, and the overwhelmed HR managers learned how complex IT project management really is. “They now understand some of the things we do,” Burgess says. “No real damage was incurred, only a few bruised egos.”

Never Say No

Being a better business partner, offering a more flexible menu of IT options, and educating users about risk must happen. But will it eliminate rogue IT? Probably not.

Forrester’s Brown predicts that business users will continue to make potentially bad IT decisions in the near term. When rogue systems proliferate too wildly, “there will be some retrenchment,” he says, but the pendulum won’t swing as far back to IT control as it has in the past. Still, despite all the joint risk-assessment and the requirements gathering and the CIO’s striving to get to yes, not every user will be convinced to cooperate.

Davis found that out last year after working for months with an agency executive to figure out the right collaboration software to deploy. They worked through requirements, integration issues, cost and ROI, then chose a system that could be used by the entire agency. “Then at the last minute, he changed his mind,” Davis says. She reminded him that the product they had selected met 90 percent of his requirements. “There’s the whole broader spectrum of issues we consider about a product, versus a customer saying, ‘This is the product I want because I like it.’”

Additional discussions ensued. Eventually, the executive realized the initial software choice was the best option. But it was a costly lesson.

“It held us back from providing capabilities desperately needed for every customer in the agency,” says Davis. Even in the face of poor decisions, however, Davis and her forward-thinking peers have a bias for yes.

“Before when we said, ‘This is our standard,’ the reply from users was, ‘I don’t care,’” says Dulaney. “Keep working to make sure the user understands the risk and the trade-offs they are willing to make. The modern CIO should never say ‘no.’”