Rogue IT Driven By Need For Speed

Over the last 35 years I've seen technologies come and go. For the most part, I can drop them into one of three buckets. (Keeping track of more than three is tough at my age.)

The first bucket is technologies that move the industry forward -- Ethernet on twisted pair instead of coax, mini computers instead of mainframes, routers instead of bridges, tablets instead of laptops.

Second are technologies that are the equivalent of pet rocks -- lots of fanfare, big flash, didn't last in the real world. I have a few in mind, but in the interest of not starting a flame war, I'll just ask you to share your favorites in the comments.

The third, and smallest, bucket holds tech that disrupts the way we do business. Users won't wait to adopt these technologies through normal IT channels. They find ways to bypass controls in the name of business growth. Who hasn't read about the difficulty of dealing with BYOD? Stopping the use of mobile devices for work is about as likely as cleansing the Internet of that embarrassing YouTube video. Another poster child for rogue IT is SaaS applications that allow users to move faster than the traditional IT model.

Their justification: "It's just a tool, and it will help me meet or beat my business goals."

If history repeats itself, and I'll give odds that it will, at some point the cost and risk of using disruptive tech without IT involvement will exceed the short-term benefit. I'll also give odds that when IT is called in to clean up out-of-sync data, provide appropriate security, and assure there is a backup and recovery system, it will be cloud technology and services that will help us get things under control. It's actually a predictable cycle. Let's look at the three steps that rogue IT will go through in its latest iteration around cloud apps.

Speed vs. control: Speed wins.
When a business unit gets its hands on a new technology it can use to accelerate operations, that tech will spread like water finding the path of least resistance. After all, it's unhindered by policies, purchasing red tape, and security and compliance concerns. When faced with the tradeoff between waiting for normal policies and controls to be put in place (the brakes) or the business moving fast to compete more effectively (the gas), speed wins.

Speed vs. risk: Balancing act commences.
At heart, risk is "impact x likelihood." I can say from experience that sometimes even low-likelihood situations (like not sending flowers on my anniversary) can create very high risk. This is the analysis CIOs must do to determine when the risk to the company exceeds the value to the business or department. Ignoring compliance, for instance, may reap benefits for a business unit -- until an audit finding embarrasses the CEO in front of the board. Quantifying risk may be just as difficult as getting the technology under control, but it moves the discussion from being about technology to one about business.

Speed vs. pain: Ultimately, pain wins.
All things created equal, when the pain to the business of managing a rogue technology exceeds the value it provides, something gives. Frequently, that "give" is an effort to transfer the pain to someone else... like IT. It's not a question of if this will happen with cloud, only when. The business has no interest (or expertise in most cases) in managing security, compliance, SLAs, or technology administration. I don't know many sales departments that can assess the security issues of that cool new mobile app they're using, or marketing departments that can manage a PCI audit of their cloud vendor.

While all this may fall on internal IT, we now have the option to use new cloud technologies to shift some of the pain to outside services. Your first step should be to investigate what the providers that business units have contracted with can do for you. They want to keep that business, and they get that working with IT is how that happens.

As for business departments going rogue with IT projects, first and foremost, heed the old adage -- if you can't beat them, join them. Don't get mad, get in front of the curve by providing guidelines that the business can use to evaluate a hosting vendor or software company in the areas of security, compliance, and support. Be a partner, not an adversary.

If IT resources allow, offer to send someone to consult during the selection process so that IT is involved without being an impediment.

Finally, document the risks associated with any rogue projects that you get wind of, and share that information. You may not stop a department from doing something stupid, but it's important to make business managers understand and accept the risks they're taking. Just keep in mind that, as the CIO, you are still on the hook for the results -- as I found out when the florist didn't deliver those flowers.

You can keep only three security products. Which ones stay? Tell us in InformationWeek's 2014 Strategic Security Survey and enter to win a 64 GB iPad or a one-on-one consultation with the report author, Michael A. Davis.