The latest catchy but dubious term to emanate from the vendor and pundit community in an attempt to get our attention is 'The Rogue Cloud'. The word 'rogue' has undoubtedly been chosen because it immediately makes us think of something totally out of control, unpredictable and risky, which is great to stimulate an emotional response.
And when you consider that the term relates to the unilateral adoption of hosted services by users and business groups independently of the IT department and established policy, a negative reception is understandable in some IT professional circles. Practitioners on the front line are particularly sensitive, as these are the folks who often have to deal with the fallout from DIY activity when users who don’t know what they don’t know get themselves (or the business) into trouble through their technology-related adventures. Whether it’s data security or integrity problems, or simply something not working and the user not knowing how to fix things, the end result is so often a distress call to IT support.
With this in mind, it’s a shame that ‘freedom advocates’ seem to delight so much in the notion of frustrated users ‘sticking it’ to IT with things like BYOD and the rogue cloud. It has become quite trendy, in fact, to talk about IT people being out of touch and losing a grip on the way technology is used within the business, despite a distinct lack of any convincing evidence to back up such claims. PR-funded polls on the topic don’t really count here as they are so often very misleading (see here for why).
The feedback we get from mainstream organisations during our studies at Freeform Dynamics suggests that the more extreme interpretations of what’s going on out there are highly exaggerated. We are, however, finding that many businesses are now seeing at least some BYOD and unilateral adoption of cloud services among certain groups of users, even if it is relatively patchy or small scale at the moment. This type of ‘consumerisation’ activity is therefore not something that can be ignored by CIOs.
But neither should we view unilateral adoption of IT by users and business groups as purely a question of risk management and damage limitation. There is a positive side to BYOD and ‘unofficial’ use of cloud services that is often dismissed by IT professionals. While activity often comes about for a lot of the wrong reasons (status, image, ill-disciplined tech enthusiasm, misguided parochial views of productivity, not knowing about similar capabilities already in place, etc.), it can also be a valuable early indicator of an unmet business need or unrecognised business opportunity. Some employees are using their personal iPads, Android devices, Dropbox, SkyDrive, Google Apps and so on, because it genuinely helps them be more effective.
From a CIO perspective, it’s therefore necessary to keep an open mind. If a particular action or behaviour is obviously going to cause a security or compliance problem, then it clearly needs to be halted right away. If it’s just that there ‘might’ be an issue, however, then it’s often better to acknowledge what’s going on, provide some guidance and ground rules to help protect the organisation and its assets, but let the activity continue. This is a bit like preaching ‘safe sex’ rather than total abstinence, the principle being that if you try to prohibit natural behaviour, you won’t actually stop it, you’ll just encourage people to hide it from you. This in turn means you can’t influence the kind of protection they use.
From a tactical process perspective, when new behaviour is spotted, the first thing to do is therefore assess the level of risk. If this is minimal, then just let the activity continue. If the risk can be managed with a little advice and guidance, then provide this (or remind the users of relevant existing policy) and again, let the activity continue. If the question of risk is more concerned with how a solution is being used rather than the solution itself, the alternative here is to set some boundaries. You might, for example, allow sales reps to continue using Dropbox for presentations and marketing material, but not for confidential company or client information. Only shut things down totally if the risks are clearly significant and difficult or impossible to manage.
If you decide to let unilateral behaviour continue, the general rule is to watch what goes on from that point onwards. You’ll be surprised how much activity fizzles out of its own accord as users get bored or find more attractive or useful ways of doing things, but if it does persist, and particularly if it spreads, then that’s the time to consider things like support and procurement efficiency.
What you do here will typically boil down to either embracing what’s already being used and putting a proper support mechanism in place for it, or implementing an enterprise-class alternative that meets the same business need. The advantage at this point is that users are likely to have already made the business case, albeit implicitly, if you choose to go down the investment route.
The investment approach may also be appropriate if you have had to block certain activity, not because it’s illegitimate from a business value perspective, but because of inherent weaknesses in the technology or services users have elected to use. Again, you can look at providing a properly supported enterprise-class alternative.
Of course, a prerequisite for all of the above is visibility. Monitoring tools get you so far with this, but just as important is open and continuous communication between IT and business people. Like so many aspects of IT service management, dealing with user-driven adoption of technology and services is mostly a matter of effective relationships and mutual respect.