A new IT department is being born. You don’t control
it. You may not even be aware of it. But your users are, and figuring
out how to work with it will be the key to your future and your
BY BEN WORTHEN
An April 2006 survey by the Pew Internet and American Life Project
found that 45 percent of adults who use the Internet said it has
improved their ability to do their jobs “a lot.”
These are your employees, and their message couldn’t be
clearer: Technology, at least in their eyes, has made them
significantly more productive. But CIOs shouldn’t be patting
themselves on the back just yet. For this productivity boost the study
credits the Internet, not enterprise IT, not the technology
you provide, not, in short, you. And while Pew’s finding
undoubtedly includes people who use the Internet to access your
corporate applications, Lee Rainie, the Pew project director, says the
research is not pointing to what a good job CIOs have been doing.
It tells a different tale.
“The big story is that the boundary that existed in
people’s lives between the workplace and the home has broken
down,” says Rainie. Almost unlimited storage and fast new
communication tools allow people to use whatever information they
choose, whenever they want to, from wherever is most convenient for
According to Pew, 42 percent of Internet users download programs,
37 percent use instant messaging, 27 percent have used the Internet to
share files, and 25 percent access the Internet through a wireless
device. (And these numbers are all one or two years old. Rainie
“would bet the ranch” that the current numbers are higher.)
Does that sound like the tools you’ve provided your
company’s employees? Do you encourage them to download programs
and share files? Do you support IM? Have you outfitted a quarter of
your company’s employees with wireless devices?
“A consequence of the blending of worlds is that people bring
gadgets from their home life into the workplace and vice versa,”
says Rainie. For example, a December 2006 survey by Searchsecurity.com
found that only 29 percent of companies had a corporate instant
messaging tool, a number that seems relatively small when compared with
the percentage of people Pew says use IM in the office.
Users have a history of providing their own technology, but the
capabilities of today’s consumer IT products and the ease with
which users can find them is unprecedented. Thumb drives, often given
away free at conferences, provide gigabytes of transportable storage.
Google spreadsheets and other online documents let multiple people
collaborate in one file. The Motorola Q, a phone that uses the cell
network as an always-on high-speed Internet connection (and can be
yours for just $125 on eBay) lets users forward their work e-mail to
their phones without ever touching a mail server. And that’s only
three examples. There’s a consumer technology out there for every
task imaginable—and if there isn’t, there’s a tool
that will let someone create it tomorrow.
The era in which IT comes only from your IT department is over.
So where does that leave you?
The Shadow IT Department
The consumer technology universe has evolved to a point where it
is, in essence, a fully functioning, alternative IT department. Today,
in effect, users can choose their technology provider. Your
company’s employees may turn to you first, but an employee
who’s given a tool by the corporate IT department that
doesn’t meets his needs will find one that does on the Internet
or at his neighborhood Best Buy.
The emergence of this second IT department—call it “the
shadow IT department”—is a natural product of the
disconnect that has always existed between those who provide IT and
those who use it.
And that disconnect is fundamental. Users want IT to be responsive
to their individual needs and to make them more productive. CIOs want
IT to be reliable, secure, scalable and compliant with an ever
increasing number of government regulations. Consequently, when
corporate IT designs and provides an IT system, manageability usually
comes first, the user’s experience second. But the shadow IT
department doesn’t give a hoot about manageability and provides its users with ways to end-run corporate IT when the interests of the two groups do not coincide.
“Employees are looking to enhance their
efficiency,” says André Gold, director of information
security at Continental Airlines. “People are saying, ‘I
need this to do my job.’” But for all the reasons listed
above, he says, corporate IT usually ends up saying no to what they
want or, at best, promising to get to it…eventually. In the interim,
users turn to the shadow IT department.
For many good and not-so-good reasons, the CIO’s first
instinct frequently is to fight the shadow IT department whenever and
wherever he detects it. But that approach, according to people who have
thought long and hard about this potential war between IT departments,
is a recipe for stalemate, if not outright defeat for CIOs.
The employees in your company are using consumer IT to work faster,
more efficiently and, in many cases, longer hours. Some are even
finding new and better ways to get work done. CIOs should be applauding
this trend. But when you shut down consumer IT, says William Harmer
III, assistant vice president of architecture and technology of
financial services company Manulife, “You end up as a dissuader
Yes, the shadow IT department presents corporate IT with security
and compliance challenges. Users could be opening holes in the
corporate firewall (by downloading insecure programs), exposing company
data irresponsibly (by scattering laptops, handhelds, and thumb drives
hither and yon) and handling information in any number of ways that
could violate any number of federal regulations. But CIOs need to deal
with these problems strategically, not draconically.
“There’s a simple golden rule,” says David Smith,
a vice president and research fellow at Gartner. “Never use
security and compliance as an excuse for not doing the right thing.
Never use these as sticks or excuses for controlling things. When you
find that people have broken rules, the best thing to do is try to
figure out why and to learn from it.”
Successful companies will learn how to strike a productive balance
between consumer IT—and the innovative processes for which
employees are using these tools—and the need to protect the
enterprise. This will require CIOs to reexamine the way they relate to
users, and to come to terms with the fact that their IT department will
no longer be the exclusive provider of technology within an
organization. This, says Smith, is the only way to stay relevant and
responsive. CIOs who ignore the benefits of consumer IT, who wage war
against the shadow IT department, will be viewed as obstructionist, not
to mention out of touch. And once that happens, they will be ignored
and any semblance of control will fly out the window.
And that won’t be good for anyone.
How the Shadow IT Department Works
Here’s an all-too-common response to the shadow IT
department, courtesy of Bill Braun, vice president of information
systems for the Texas Credit Union League: “What’s good for
me is that it’s simple to say no [to consumer IT]. There goes
most of the problem. Possibly some of the benefit, but certainly the
Passing over the fact that Braun admits that he’s willing to
forgo the potential innovations consumer IT can provide, this approach
also assumes that the shadow IT department has a similar structure to
its corporate counterpart and can be managed in the same way.
It doesn’t and it can’t.
The shadow IT department is an entirely different beast.
Corporate IT is highly structured, with one individual or a small
group controlling the nodes in a network and their relationships to one
another. The shadow IT department, on the other hand, has no central
authority and at best an ill-defined hierarchy; nodes join on their own
and develop their own relationships. Marty Anderson, a professor at the
Olin Graduate School of Business at Babson College, calls corporate IT
a command architecture and shadow IT an emergent architecture. Command
architectures are set up to make them easy to manage and, as a result,
they respond to top-down orders. Emergent architectures contain no
dominant node and therefore provide no lever by which to manage them.
That’s why it is impossible to kill the shadow IT department or
keep it out of your company. It has no head to cut off or single
channel to dam.
It’s natural for corporate IT to feel threatened by the
shadow IT department, but the truth is that they already coexist
everywhere. “The two have always been present,” says
Anderson. “The management skill is noticing where they intersect
and coming up with a strategy for dealing with it.”
For example, a similar dynamic has long played out in HR. A
company’s employees have titles and reporting relationships that
give their work a formal structure. But at the same time every company
has an informal structure determined by expertise, interpersonal
relationships, work ethic, overall effectiveness and so on. Companies
suffer when HR is out of phase with the informal structure. Employees
are demoralized when the formal architecture elevates someone at the
bottom of the informal architecture, and people who occupy the top
spots in the informal architecture leave when they aren’t
recognized by the formal one. Good HR departments know where employees
stand in both the formal and informal architectures and balance the
IT needs to learn how to strike a similar balance.
Corporate IT isn’t going to go away, and neither are the systems
that IT has put in place over the years. But a CIO who doesn’t
develop a strategy to accommodate the shadow IT department will be
employing an outdated and (more important) an inefficient business
model. And, like the HR department that ignores the informal
relationships in a company, the CIO might lose sight of how his users
actually work. Corporate IT thereby loses its authority and,
eventually, the CIO loses his job. It won’t happen quickly, but
it will happen. As Anderson puts it, “It will be like getting
nibbled to death by ducks.”
How to Make Peace With Shadow IT
Techniques will differ for each company depending upon its
business, the degree of regulation to which it’s subject, its
risk tolerance and so on, but some principles are universally
applicable. Here are some starting points.
1. Find out how people really work.
Whether you know it or not, your company’s employees are
using technology of their choosing, or using technology of your
choosing in ways you never intended. Brian Flynn, senior VP of IT at
BCD Travel, found this out when he deployed software that monitored the
content moving across his network. Not only were employees using
consumer IT tools (like IM) but they were using IT-provided
applications to do things that were clearly security risks (such as
sending sensitive information back and forth).
“I am convinced that most companies are flying blind,”
says Flynn. “This is going on everywhere and IT just
Fight your instinct to discourage these behaviors by legislating
against them. Yes, there may be security and compliance risks, but
declaring open war on the shadow IT department will only turn it into
an insurgency, driving it underground where it will be harder to
monitor and harder to negotiate with. Instead, consider this an
opportunity to find out where the IT you’ve provided is out of
sync with your users’ needs.
2. Say yes to evolution.
CIOs need to make users feel comfortable about bringing their
underground behavior into the light. The first step is a change in
“We tend to think of people who think out of the box as
troublemakers,” says Flynn. “But we need to realize that
maybe they know what they’re talking about and maybe we should
try to meet them halfway if we can.”
Always try to help users figure out a safe and secure way to do
whatever it is they’re trying to do. “People get used to
[IT] telling them no, and after a while they stop telling you what
they’re doing,” says Continental’s Gold. “So we
try to say yes, dot dot dot.”
Rob Israel, CIO of the John C. Lincoln Health Network, has developed a policy that formalizes this mind-set.
“I’m the only person in IT allowed to say no,” he
says. Conversely, his IT employees have only three options: approve a
request, research it or pass it up to him. According to Gold and
Israel, getting a reputation for saying yes will encourage users to
come to you with ideas. That gives you the chance to learn what it is
that the user is really trying to do and come up with a way to do it
that won’t compromise security.
As irrelevant or irresponsible as some shadow IT projects seem on
the surface, it’s important to accept the fact that users do
things for reasons. If they are e-mailing critical files among
themselves, it’s because they need to work on something from a
different location and that’s the most direct solution that they
can come up with. IT’s job shouldn’t be figuring out how to
prevent the user from accessing and moving files, but rather to find a
solution that lets him take that file home in a way that doesn’t
make the company vulnerable and isn’t any more complex than the
method that the user discovered on his own.
That last part is important. “No one,” says Flynn,
“will jump through hoops.” They’ll go around them.
Gold says that most shadow IT projects are attempts to solve simple
problems, and it’s easy for CIOs to mitigate the risks if
they’re willing. For example, Gold found that people were taking
files home on thumb drives. Instead of trying to outlaw the practice,
he began distributing thumb drives with encryption software on them.
The users’ experience never changed. “It was common sense
to keep both security and how people work in mind,” he says.
3. Ask yourself if the threat is real.
The other part of developing a say-yes reputation is realizing
which shadow IT projects really represent a security threat and which
just threaten IT’s position as the sole god of technology
provisioning. Maria Anzilotti, CIO of Camden Property Trust, a real
estate developer, says that she has continued to allow IM even though
most people use it for nonwork purposes. “We looked at the risk
and decided it wasn’t worth [shutting it down],” she says.
“A lot of people use it to communicate with their kids.
It’s faster and less disruptive than phone calls.
“We keep an eye on it.”
Killing a shadow IT app without appreciating how thoroughly
it’s been integrated into a company’s workflow can have
unanticipated and unfortunate consequences. When Gold shut down IM at
Continental, he got an angry call from an employee in the fuel
management group who was using it (successfully) to negotiate jet fuel
pricing for the airline.
When a CIO prohibits people from using a technology
that doesn’t pose a real security threat or doesn’t
adversely affect his budget, he is setting himself up as a tin idol, a
moral arbiter. That’s a guaranteed way to antagonize users. And
that’s never a good idea.
4. Enforce rules, don’t make them.
There’s a fine line between providing access to data and determining who should have access to it. And Manulife’s Harmer says IT often crosses it.
“I own the infrastructure,” he says, “but the
business owns the data.” IT creates artificial hurdles for
employees when it makes blanket judgments about access that affect the
entire company. “The key is not to paint all the users the
same,” says Harmer.
Lincoln Health’s Israel deals with this challenge every day.
It’s one thing, he says, for his nursing staff to search the
Internet for the word breast; it’s another for someone
in the accounting department. But if Israel installed a filter that
prevented access to (apparently) pornographic websites, his nurses
might not be able to find information that they need to treat a
patient. The solution is for IT to provide tools that let an
individual’s manager decide what information she needs to do the
“IT doesn’t know everything the business knows,”
says Gold. “So it’s hard for me to make rules about who
should have access to what.”
5. Be invisible.
Most companies have long lists of policies and regulations with
which everyone must comply. But lists don’t enforce themselves.
“I wrote all the policies [here], and I only know two of them
well,” says Israel. “So it’s unreasonable for an IT
department to expect users to know them all. But we can put systems in
place that put some automation behind our policies.”
Manulife’s Harmer says that the key is to develop an approach
that secures data without depending upon how a user accesses it or what
he does with it.
“The way I approach it is to bring the controls closer to the
data,” he says. “That means not relying on a firewall but
trying to figure out what I’m actually trying to protect and then
dealing with it appropriately.”
At Continental, this type of approach has led to a change in the
way the IT department designs systems. “Ninety percent of the
applications we have that involve sensitive data are things we’ve
written,” Gold explains. All that data was protected…as long as
the user accessed it from the application IT built. But when a manager
tried to compare revenue for different cities by copying the data into
Excel (something Gold says happens routinely), the information was
suddenly placed at risk. With this in mind, Gold encouraged the IT
department to build encryption and other safeguards directly into the
applications. That way, when a user pastes the revenue figures into a
spreadsheet, the data, not the sanctity and integrity of the
application (which are irrelevant), will still be protected.
Messy But Fertile Beats Neat But Sterile
IT has a natural tendency to think about technology in a
system-centric way. Systems automate workflow and control access to
information. And for a long time these systems made work and workers
more efficient. “But there has always been a bright line between
IT systems and what people really wanted to do,” says
“I used to have users come to me as if I was the almighty IT
god,” says Israel, who recalls those as “the good old
days.” But in that sense, god is dead, and IT’s authority
and sense of purpose can no longer derive from controlling how people
“IT can’t insist on doling out IT,” says
Gartner’s Smith. “The demographics of the workforce are
changing. Younger people who are more familiar with technology are
coming in, and they will not sit still while [CIOs] dole out corporate
apps. If you want to retain the best and the brightest, you can’t
lock down your environment.”
Smith advises CIOs to try to stop thinking about technology as
something that must always be enterprise class. There are plenty of
Web-based tools that can meet their users’ needs and not cost the
company a dime. “Be open-minded and bring them in where
appropriate,” he says.
Does that mean that the enterprise is going to become a messier
place? Absolutely. That’s an inevitable consequence of
user-centric IT. But messiness isn’t as bad as stagnation.
“Controlled chaos is always OK,” says
Gold. “If you want to be an innovator and leverage IT to get a
competitive advantage, there has to be some controlled chaos.”