Strategic CIO // IT Strategy
Commentary
4/11/2014
09:06 AM
David Fowler
David Fowler
Commentary
100%
0%

Rogue IT Driven By Need For Speed

We've lost control to business users before. But this time, the thing that initiated our pain (the cloud) may also be the cure.

Over the last 35 years I've seen technologies come and go. For the most part, I can drop them into one of three buckets. (Keeping track of more than three is tough at my age.)

The first bucket is technologies that move the industry forward -- Ethernet on twisted pair instead of coax, mini computers instead of mainframes, routers instead of bridges, tablets instead of laptops.

Second are technologies that are the equivalent of pet rocks -- lots of fanfare, big flash, didn't last in the real world. I have a few in mind, but in the interest of not starting a flame war, I'll just ask you to share your favorites in the comments.

The third, and smallest, bucket holds tech that disrupts the way we do business. Users won't wait to adopt these technologies through normal IT channels. They find ways to bypass controls in the name of business growth. Who hasn't read about the difficulty of dealing with BYOD? Stopping the use of mobile devices for work is about as likely as cleansing the Internet of that embarrassing YouTube video. Another poster child for rogue IT is SaaS applications that allow users to move faster than the traditional IT model.

Their justification: "It's just a tool, and it will help me meet or beat my business goals."

If history repeats itself, and I'll give odds that it will, at some point the cost and risk of using disruptive tech without IT involvement will exceed the short-term benefit. I'll also give odds that when IT is called in to clean up out-of-sync data, provide appropriate security, and assure there is a backup and recovery system, it will be cloud technology and services that will help us get things under control. It's actually a predictable cycle. Let's look at the three steps that rogue IT will go through in its latest iteration around cloud apps.

The InformationWeek 2014 Strategic CIO Survey shows IT executives worry about implementing fast enough to satisfy the business. No wonder rogue IT is a perennial problem.
The InformationWeek 2014 Strategic CIO Survey shows IT executives worry about implementing fast enough to satisfy the business. No wonder rogue IT is a perennial problem.

Speed vs. control: Speed wins.
When a business unit gets its hands on a new technology it can use to accelerate operations, that tech will spread like water finding the path of least resistance. After all, it's unhindered by policies, purchasing red tape, and security and compliance concerns. When faced with the tradeoff between waiting for normal policies and controls to be put in place (the brakes) or the business moving fast to compete more effectively (the gas), speed wins.

Speed vs. risk: Balancing act commences.
At heart, risk is "impact x likelihood." I can say from experience that sometimes even low-likelihood situations (like not sending flowers on my anniversary) can create very high risk. This is the analysis CIOs must do to determine when the risk to the company exceeds the value to the business or department. Ignoring compliance, for instance, may reap benefits for a business unit -- until an audit finding embarrasses the CEO in front of the board. Quantifying risk may be just as difficult as getting the technology under control, but it moves the discussion from being about technology to one about business.

Speed vs. pain: Ultimately, pain wins.
All things created equal, when the pain to the business of managing a rogue technology exceeds the value it provides, something gives. Frequently, that "give" is an effort to transfer the pain to someone else... like IT. It's not a question of if this will happen with cloud, only when. The business has no interest (or expertise in most cases) in managing security, compliance, SLAs, or technology administration. I don't know many sales departments that can assess the security issues of that cool new mobile app they're using, or marketing departments that can manage a PCI audit of their cloud vendor.

While all this may fall on internal IT, we now have the option to use new cloud technologies to shift some of the pain to outside services. Your first step should be to investigate what the providers that business units have contracted with can do for you. They want to keep that business, and they get that working with IT is how that happens.

As for business departments going rogue with IT projects, first and foremost, heed the old adage -- if you can't beat them, join them. Don't get mad, get in front of the curve by providing guidelines that the business can use to evaluate a hosting vendor or software company in the areas of security, compliance, and support. Be a partner, not an adversary.

If IT resources allow, offer to send someone to consult during the selection process so that IT is involved without being an impediment.

Finally, document the risks associated with any rogue projects that you get wind of, and share that information. You may not stop a department from doing something stupid, but it's important to make business managers understand and accept the risks they're taking. Just keep in mind that, as the CIO, you are still on the hook for the results -- as I found out when the florist didn't deliver those flowers.

You can keep only three security products. Which ones stay? Tell us in InformationWeek's 2014 Strategic Security Survey and enter to win a 64 GB iPad or a one-on-one consultation with the report author, Michael A. Davis.

Dave Fowler is currently vice president of marketing for INetU. Fowler is a veteran of the software industry, with more than 35 years of industry and senior management experience in marketing, product management and development, business development, and sales. His most ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
4/11/2014 | 10:45:54 AM
SaaS Smarts
I find it surprising that SaaS vendors are not all over the typical IT concerns (security, performance, integration with internal systems, data portability). This is a pretty mature area. Do you see SaaS vendors, even smaller ones, begining to be more proactive in this regard, or are they in general betting on the business to beat IT into submission?
dfowlerinu
50%
50%
dfowlerinu,
User Rank: Strategist
4/11/2014 | 2:44:08 PM
Re: SaaS Smarts
Great question.  For many of the SaaS companies I work with they are very concerned about security and compliance issues but what might be just fine for the application vendor may not meet the policies of the company.   In many cases we see the SaaS vendors leveraging the experience and resources of their hosting partner to help them stay on top of these issues.  We had an example this week with the Heartbleed bug where as a hosting company we were way ahead of our customers in bringing it to their attention and providing the solution.    Given how early we are in the evolution of the cloud market it's no surprise that we have a long way to go to catch up to the level of expertise and discipline you see in IT departments.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
4/14/2014 | 3:12:38 PM
Pain rules but is that rational?
The axioms that speed always wins and pain rules are true enough all too often, but I'm not sure well run companies would hold them up as guidance. It seems to me a  CIO engaged with other executives can teach the business to avoid some hazards leading to pain, even while tolerating some amount of shadow IT. It's simply irrational fire-fighting all the time for the business to allow speed to win and pain to rule in every case.
dfowlerinu
50%
50%
dfowlerinu,
User Rank: Strategist
4/14/2014 | 3:35:06 PM
Re: Pain rules but is that rational?
Totally agree Charlie.   One of the problems in an organization that doesn't have checks and balances in this area is that the business unit is willing to take risks (or they don't understand the risk)  that the company as a whole may not be willing to take.   A CIO engaged with the businesses and a simple multi-department risk clearing house on projects can help to at least raise the discuss so a conscious decision can be made to accept the risk.
BruceHarpham
50%
50%
BruceHarpham,
User Rank: Apprentice
10/24/2014 | 1:55:37 PM
Stop trying to "beat them"
"As for business departments going rogue with IT projects, first and foremost, heed the old adage -- if you can't beat them, join them. Don't get mad, get in front of the curve by providing guidelines that the business can use"

This is right on. A proactive mindset will raise the profile of IT.
dfowlerinu
50%
50%
dfowlerinu,
User Rank: Strategist
10/24/2014 | 2:14:00 PM
Re: Stop trying to "beat them"
Agreed Bruce.   Some organizations are even providing templates to make it easy for the business to spin up an environment.    Not only do they get visibility on the business projects but also the opportunity to proactively offer assistance.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.