An April 2006 survey by the Pew Internet and American Life Project found that 45 per cent of adults who use the internet said it has improved their ability to do their jobs ‘a lot’. These are your employees and their message could not be clearer. Technology, at least in their eyes, has made them significantly more productive. But CIOs should not be patting themselves on the back just yet. For this productivity boost the study credits the internet, not enterprise IT, not the technology you provide, not, in short, the CIO.

While The Pew Research Centre’s findings undoubtedly includes people who use the internet to access corporate applications, Lee Rainie, the survey’s project director, says the research is not pointing to what a good job CIOs have been doing.

“The big story is that the boundary that existed in people’s lives between the workplace and the home has broken down,’ says Rainie. Almost unlimited storage and fast new communication tools allow people to use whatever information they choose, whenever they want to, from wherever is most convenient for them. According to the survey, 42 per cent of internet users download programs, 37 per cent use instant messaging, 27 per cent have used it to share files and 25 per cent access the internet through a wireless device.

Does that sound like the tools you have provided your company’s employees? Do you encourage them to download programs and share files? Do you support instant messaging? Have you outfitted a quarter of your company’s employees with wireless devices?

“A consequence of the blending of worlds is that people bring gadgets from their home life into the workplace and vice versa,” says Rainie. For example, a December 2006 survey by Searchsecurity.com found that only 29 per cent of companies had a corporate instant messaging tool, a number that seems relatively small when compared with the percentage of people Pew says use it in the office. Users have a history of providing their own technology but the capabilities of today’s consumer IT products and the ease with which users can find them is unprecedented. Thumb drives, often given away free at conferences, provide gigabytes of transportable storage. Google spreadsheets and other online documents let multiple people collaborate in one file. The Motorola Q, a phone that uses the mobile network as an always-on high-speed internet connection, lets users forward their work email to their phones without ever touching a mail server.
There is a consumer technology out there for every task imaginable – and if there is not, there is a tool that will let someone create it tomorrow. The era in which IT comes only from the IT department is over. So where does that leave CIOs?

Dark days

The consumer technology universe has evolved to a point where it is, in essence, a fully functioning, alternative IT department.

Today users can choose their technology provider. Your company’s employees may turn to you first but an employee who is given a tool by the corporate IT department that does not meet his needs will find one that does on the internet or at his neighbourhood Dixons.

The emergence of this second IT department – call it “the shadow IT department” – is a natural product of the disconnect that has always existed between those who provide IT and those who use it. And that disconnect is fundamental. Users want IT to be responsive to their individual needs and to make them more productive. CIOs want IT to be reliable, secure, scalable and compliant with the ever increasing number of government regulations. Consequently, when corporate IT designs and provides an IT system, manageability usually comes first, the user’s experience second. But the shadow IT department does not give a hoot about manageability and provides its users with ways to end-run corporate IT when the interests of the two groups do not coincide. “Employees are looking to enhance their efficiency,” says Andre Gold, director of information security at Continental Airlines. “People are saying, ‘I need this to do my job’.” But for all the reasons listed above, he says, corporate IT usually ends up saying no to what they want or at best, promising to get to it eventually. In the interim, users turn to the shadow IT department.

For many good and not-so-good reasons, the CIO’s first instinct frequently is to fight the shadow IT department whenever and wherever he detects it. But that approach can be a recipe for stalemate, if not outright defeat for CIOs.

The employees in your company are using consumer IT to work faster, more efficiently and, in many cases, longer hours. Some are even finding new and better ways to get work done. CIOs should be applauding this trend. “But when you shut down consumer IT you end up as a dissuader of innovation,” says William Harmer, assistant vice-president of architecture and technology at financial services company Manulife.

Power challenge

The shadow IT department presents corporate IT with security and compliance challenges. Users could be opening holes in the corporate firewall by downloading insecure programs, exposing company data irresponsibly by scattering laptops, handhelds, and thumb drives hither and yon, and handling information in any number of ways that could violate any number of regulations.

CIOs need to deal with these problems strategically, not draconically. “There’s a simple golden rule,” says David Smith, vice-president and research fellow at Gartner. “Never use security and compliance as an excuse for not doing the right thing. Never use these as sticks or excuses for controlling things. When you find that people have broken rules, the best thing to do is try to figure out why and to learn from it.”
Successful companies will learn how to strike a productive balance between consumer IT – and the innovative processes for which employees are using these tools – and the need to protect the enterprise. This will require CIOs to re-examine the way they relate to users and to come to terms with the fact that their IT department will no longer be the exclusive provider of technology within an organisation. This, says Smith, is the only way to stay relevant and responsive. CIOs who ignore the benefits of consumer IT, who wage war against the shadow IT department, will be viewed as obstructionist, not to mention out of touch. Once that happens, they will be ignored and any semblance of control will fly out the window. And that will not be good for anyone.

Here is an all-too-common response to the shadow IT department, courtesy of Bill Braun, vice-president of information systems for the Texas Credit Union League: ‘What’s good for me is that it’s simple to say no to consumer IT. There goes most of the problem. Possibly some of the benefit but certainly the problem.” Passing over the fact that Braun admits that he is willing to forego the potential innovations consumer IT can provide, this approach also assumes that the shadow IT department has a similar structure to its corporate counterpart and can be managed in the same way. Sadly this is not the case, the shadow IT department is an entirely different beast.

Impossible to control

Corporate IT is highly structured, with one individual or a small group controlling the nodes in a network and their relationships to one another. The shadow IT department, on the other hand, has no central authority and at best an ill-defined hierarchy; nodes join on their own and develop their own relationships. Marty Anderson, a Professor at the Olin Graduate School of Business at Babson College, calls corporate IT a command architecture and shadow IT an emergent architecture. Command architectures are set up to make them easy to manage and, as a result, they respond to top-down orders. Emergent architectures contain no dominant node and provide no lever by which to manage them. That is why it is impossible to kill the shadow IT department or keep it out of your company. It has no head to cut off or single channel to dam.
It is natural for corporate IT to feel threatened by the shadow IT department but the truth is that they already coexist everywhere. “The two have always been present,” says Anderson. “The management skill is noticing where they intersect and coming up with a strategy for dealing with it.”

For example, a similar dynamic has long played out in HR. A company’s employees have titles and reporting relationships that give their work a formal structure. At the same time every company has an informal structure determined by expertise, interpersonal relationships, work ethic and overall effectiveness. Companies suffer when HR is out of pace with the informal structure. Employees are demoralised when the formal architecture elevates someone at the bottom of the informal architecture and people who occupy the top spots in the informal architecture leave when they are not recognised by the formal one. Good HR departments know where employees stand in both the formal and informal architectures and balance the two. IT needs to learn how to strike a similar balance. Corporate IT is not going to go away and neither are the systems that IT has put in place over the years. But a CIO who does not develop a strategy to accommodate the shadow IT department will be employing an outdated, and more importantly inefficient, business model. And, like the HR department that ignores the informal relationships in a company, the CIO might lose sight of how his users actually work. Corporate IT thereby loses its authority and, eventually, the CIO loses his job. It will not happen quickly but it will happen. As Anderson says: “It will be like getting nibbled to death by ducks.”