Although much has been written about "bring your own device" (BYOD) and the "consumerization of IT," it is easy to forget the practical dangers that arise when business users feel ignored by technology professionals.
It's a huge problem, so I was hardly surprised when mobile document management vendor, harmon.ie, announced a contest on "Rogue IT" horror stories. The company invited six analysts, including me, to judge the entries.
BYOD: The new battleground for CIO value
These horror stories are absurd, ironic, and outrageous; here are a few examples taken verbatim from the contest page:
- "A new MacBook owner was frustrated by the lack of Wi-Fi in his office and so invested in a wireless router. The router was so simple to setup – it did not require configuration of wireless or security settings! All was fine, until a few days later, the executive noticed his internet was running slower than usual. Thinking it was just his ISP he ignored it, but after a few days with no improvement he called in a security expert to assess the situation. The expert discovered that someone was sitting in on the local network and had captured, “sniffed”, all of the wireless traffic from the portable router – including all the passwords to the company’s accounting and file server, which were being sent to a server in Asia! There was no trail, and to this day our executive isn’t sure what was taken and by whom."
- "The Marketing Manager used Gmail to send files home to work on it. The company email only allowed 5 MB attachments and many of the PowerPoint decks were much larger than that."
- "Sales staff in a financial services firm would frequently use box.net to send themselves customer information because the backend system wasn't fully mobile enabled. However, when sales staff would leave there was no method to retrieve customer information that walked out the door."
- "A company user downloaded a sensitive high IP design document from company's SharePoint site using his mobile device while he was connected to the company's Wi-Fi network. He accidently copied and stored this sensitive document into a Dropbox location from his mobile device, sharing it with people outside of the company who shouldn't access this document."
- "Federal employees brought Wi-Fi access points into their office – two were Cisco and two were Netgear. In each case, the secure secret password was left at the default setting – Tsunami. Directly across the street was an Embassy Suites hotel that apparently had bad Wi-Fi, and many of the hotel guests connected to the rogue boxes sitting inside the government networks. The issue was discovered when one hotel guest started poking around the federal network and triggered several security alarms."
Many of these situations reflect disaffected users trying to be more efficient in the face of unresponsive IT policies and governance. In every case, I am sure IT had valid reasons for denying users' requests, but these stories highlight just how bad things can get when communication breaks down between IT and business users.
Too often, debates about BYOD ignore a fundamental point: users bypass IT when their needs are not met. When I spoke with Kim Stevenson, the CIO of Intel, she explained that shadow IT can reflect a positive or negative relationship between users and IT:
The business units make those decisions because they are trying to accomplish their objectives in the way that they think is the most efficient. If they are not choosing you, there is a reason.
I never bash shadow IT because they are fulfilling a need that ultimately IT could not fulfill. Once you get your head around that principle, then you can start working to figure out how we can best fulfill it for the company.
Joanna Young, CIO at the University of New Hampshire, echoes the importance of embracing a responsive attitude toward business stakeholders and users:
Building and retaining IT relevance requires being “deeply in touch with your customers, what they are demanding, and what the value proposition is for them.”
Expert reactions. Responding to the contest, several experts tweeted their views and comments about rogue IT. Ben Haines, CIO of file-sharing company Box, highlighted the gap between IT and business users while raising a question about IT's role and accountabililty:
A related exchange among analyst Frank Scavo, Appirio co-founder Narinder Singh, and IT executive Peter Kretzman dissected the crucial need to balance governance (control) against responsiveness (flexibility). Given the nature of Twitter, these tweets present a series of connected points rather than a linear argument:
Technologies such as cloud and mobile have eliminated the natural monopoly that IT once held over hardware and software in the enterprise. Despite the humorous quality of these rogue IT stories, determining the balance between risk/efficiency and flexibility/responsiveness is one of the key technology issues facing every major enterprise today.
Disclosure: harmon.ie is an advisory consulting client