Last month we examined the rise of the shadow IT department, users in your company who have embraced consumer technology and are using applications and devices not provided, or necessarily approved of, by the CIO to do their work. The natural reaction of the IT department may be to clamp down and try to destroy it but the likelihood is this will prove futile and may even be counterproductive.
Techniques for dealing with shadow IT will differ for each company depending upon its business, the degree of regulation to which it is subject and its risk tolerance but some principles are universally applicable.
Find out how people work
Whether you know it or not, your company’s employees are using technology of their choosing or using technology of your choosing in ways you never intended.
Brian Flynn, senior vice-president of IT at BCD Travel, found this out when he deployed software that monitored the content moving across his network.
Not only were employees using consumer IT tools, like instant messaging but they were using IT-provided applications to do things that were clearly security risks – such as sending sensitive information back and forth. “I am convinced that most companies are flying blind,” says Flynn. “This is going on everywhere and IT just doesn’t know.”
Fight your instinct to discourage these behaviours by legislating against them. Yes, there may be security and compliance risks but declaring open war on the shadow IT department will only turn it into an insurgency, driving it underground where it will be harder to monitor and negotiate with. Instead, consider this an opportunity to find out where the IT you have provided is out of sync with your users’ needs.
Say yes to evolution
CIOs need to make users feel comfortable about bringing their underground behaviour into the light. The first step is a change in attitude. “We tend to think of people who think ‘out of the box’ as troublemakers,” says Flynn. “But we need to realise that maybe they know what they are talking about and we should try to meet them halfway if we can.” Always try to help users figure out a safe and secure way to do whatever it is they are trying to do. “People get used to IT telling them no – and after a while they stop telling you what they are doing,” says Andre Gold, director of information security at Continental Airlines. “So we try to say yes, dot dot dot.”
Rob Israel, CIO of the John C Lincoln Health Network, has developed a policy that formalises this mindset. “I’m the only person in IT allowed to say no,” he says. Conversely, his IT employees have only three options: approve a request, research it or pass it up to him. According to Gold and Israel, getting a reputation for saying yes will encourage users to come to you with ideas. That gives you the chance to learn what it is that the user is really trying to do and come up with a way to do it that will not compromise security.
As irrelevant or irresponsible as some shadow IT projects seem on the surface, it is important to accept the fact that users do things for reasons. If they are emailing critical files among themselves, it is because they need to work on something from a different location and that is the most direct solution that they can come up with. IT’s job should not be figuring out how to prevent the user from accessing and moving files but rather to find a solution that lets him take that file home in a way that does not make the company vulnerable and is not more complex than the method that the user discovered on his own.
That last part is important. “No one will jump through hoops,” says Flynn. “They’ll go around them.”
Gold says that most shadow IT projects are attempts to solve simple problems and it is easy for CIOs to mitigate the risks if they are willing. For example, Gold found that people were taking files home on portable drives. Instead of trying to outlaw the practise, he began distributing portable drives with encryption software on them. The users’ experience never changed. “It was common sense to keep both security and how people work in mind,” he says.
Is the threat real?
The other part of developing a say-yes reputation is realising which shadow IT projects really represent a security threat and which just threaten IT’s position as the sole god of technology provisioning. Maria Anzilotti, CIO of Camden Property Trust, a real estate developer, says that she has continued to allow instant messaging even though most people use it for non-work purposes. “We looked at the risk and decided it wasn’t worth shutting it down,” she says. “A lot of people use it to communicate with their kids. It’s faster and less disruptive than phone calls. But we keep an eye on it.” Killing a shadow IT application without appreciating how thoroughly it has been integrated into a company’s workflow can have unanticipated and unfortunate consequences. When Gold shut down instant messaging at Continental, he got an angry call from an employee in the fuel management group who was using it to negotiate jet fuel pricing for the airline. When a CIO prohibits people from using a technology that does not pose a real security threat or adversely affect his budget, he is setting himself up as a tin idol, a moral arbiter. That is a guaranteed way to antagonise users and that is never a good idea.
Understand the business
There is a fine line between providing access to data and determining who should have access to it. William Harmer, assistant vice-president of architecture and technology at financial services company Manulife, says IT often crosses it. “I own the infrastructure but the business owns the data.” IT creates artificial hurdles for employees when it makes blanket judgements about access that affect the entire company. “The key is not to paint all the users the same,” says Harmer.
Lincoln Health’s Israel deals with this challenge every day. It is one thing, he says, for his nursing staff to search the internet for the word breast; it is another for someone in the accounting department. But if Israel installed a filter that prevented access to apparently pornographic websites, his nurses might not be able to find information that they need to treat a patient. The solution is for IT to provide tools that let an individual’s manager decide what information she needs to do the job.
“IT doesn’t know everything the business knows,” says Gold. “So it’s hard for me to make rules about who should have access to what.”
Most companies have long lists of policies and regulations with which everyone must comply. But lists do not enforce themselves. “I wrote all the policies here and I only know two of them well,” says Israel.
“So it’s unreasonable for an IT department to expect users to know them all. But we can put systems in place that put some automation behind our policies.”
Harmer says that the key is to develop an approach that secures data without depending upon how a user accesses it or what he does with it. “The way I approach it is to bring the controls closer to the data,” he says. “That means not relying on a firewall but trying to figure out what I’m actually trying to protect and then dealing with it appropriately.”
Tools for managing shadow IT
First, you need to know what your employees are doing. Striking the right balance between corporate IT and shadow IT requires possessing detailed knowledge about how the employees in your company are really accessing and using information. This calls for network monitoring, content monitoring and restraint. Unfortunately, no one vendor can give you everything you need to do these things.
This is because different types of workers use different types of data in – you guessed it – different ways. Forrester Research breaks the data into three broad categories.
Transactional content: This is information that is as likely to come from a business partner as from someone in your company. It includes faxes and forms that people fill out, as well as scanned images and corporate information like tax files. This type of information is often closely aligned with a company’s workflow processes and business process management systems. According to Forrester, vendors whose tools work well for capturing this type of content include: 170 Systems, Adobe, Captiva, EMC, FileNet, Mobius, Whitehill Technologies.
Business content: This category includes the multitude of spreadsheets, documents and presentations that the people in your company use to do their jobs every day. These files – and the information that they contain – are typically found throughout an enterprise and are probably managed by any number of systems. But this information is also easily passed on as attachments or as unstructured data removed from the applications in which it is supposed to reside. Forrester says the following vendors help companies monitor the movement and whereabouts of this kind of data: ClearStory Systems, Extensis, Hummingbird, MDY, Oracle, Xerox.
Persuasive content: This is information that is meant to be shared with the outside world. It can be something that an employee puts in a blog or the marketing material that the company distributes. Forrester says the following vendors specialise in managing this kind of content: BroadVision, Ektron, FatWire, Percussion Software, Stellent.
At Continental, this type of approach has led to a change in the way the IT department designs systems. “Around 90 per cent of the applications we have that involve sensitive data are things we’ve written,” says Gold. All that data was protected as long as the user accessed it from the application IT built. But when a manager tried to compare revenue for different cities by copying the data into Excel – something Gold says happens routinely – the information was suddenly placed at risk. With this in mind, Gold encouraged the IT department to build encryption and other safeguards directly into the applications. That way, when a user pastes the revenue figures into a spreadsheet, the data, not the sanctity and integrity of the application – which are irrelevant – will still be protected.
Messy but fertile
IT has a natural tendency to think about technology in a system-centric way. Systems automate workflow and control access to information. For a long time these systems made work and workers more efficient. “But there has always been a line between IT systems and what people really wanted to do,” says Marty Anderson, a Professor at the Olin Graduate School of Business at Babson College.
“I used to have users come to me as if I was the almighty IT god,” says Israel, recalling “the good old days”.
But in that sense, god is dead and IT’s authority and sense of purpose can no longer derive from controlling how people use technology. “IT can’t insist on doling out IT,” says David Smith, vice-president and research fellow at Gartner. “The demographics of the workforce are changing. Younger people who are more familiar with technology are coming in and they will not sit still while CIOs dole out corporate applications. If you want to retain the best and the brightest, you can’t lock down your environment.”
Smith advises CIOs to try to stop thinking about technology as something that must always be enterprise class. There are plenty of web-based tools that can meet their users’ needs and not cost the company a penny. “Be open-minded and bring them in where appropriate,” he says.
Does that mean that the enterprise is going to become a messier place? Absolutely. That is an inevitable consequence of user-centric IT. But messiness is not as bad as stagnation.
“Controlled chaos is always okay,” says Gold. “If you want to be an innovator and leverage IT to get a competitive advantage, there has to be some controlled chaos.”