Rogue IT: Sad truths and unfortunate stories


Summary: A contest on BYOD and similar failures in the enterprise exposes rifts and missed expectations between users and IT.


Although much has been written about "bring your own device" (BYOD) and the "consumerization of IT," it is easy to forget the practical dangers that arise when business users feel ignored by technology professionals.

Rogue IT stories

It's a huge problem, so I was hardly surprised when mobile document management vendor harmon.ie announced a contest on "Rogue IT" horror stories. The company invited six analysts, including me, to judge the entries.


These horror stories are absurd, ironic, and outrageous; here are a few examples taken verbatim from the contest page:

  • "A new MacBook owner was frustrated by the lack of Wi-Fi in his office and so invested in a wireless router. The router was so simple to set up – it did not require configuration of wireless or security settings! All was fine, until a few days later, the executive noticed his internet was running slower than usual. Thinking it was just his ISP he ignored it, but after a few days with no improvement he called in a security expert to assess the situation. The expert discovered that someone was sitting in on the local network and had captured, “sniffed”, all of the wireless traffic from the portable router – including all the passwords to the company’s accounting and file server, which were being sent to a server in Asia! There was no trail, and to this day our executive isn’t sure what was taken and by whom."
  • "The Marketing Manager used Gmail to send files home to work on it. The company email only allowed 5 MB attachments and many of the PowerPoint decks were much larger than that."
  • "Sales staff in a financial services firm would frequently use box.net to send themselves customer information because the backend system wasn't fully mobile enabled. However, when sales staff would leave there was no method to retrieve customer information that walked out the door."
  • "A company user downloaded a sensitive high IP design document from company's SharePoint site using his mobile device while he was connected to the company's Wi-Fi network. He accidentally copied and stored this sensitive document into a Dropbox location from his mobile device, sharing it with people outside of the company who shouldn't access this document."
  • "Federal employees brought Wi-Fi access points into their office – two were Cisco and two were Netgear. In each case, the secure secret password was left at the default setting – Tsunami. Directly across the street was an Embassy Suites hotel that apparently had bad Wi-Fi, and many of the hotel guests connected to the rogue boxes sitting inside the government networks. The issue was discovered when one hotel guest started poking around the federal network and triggered several security alarms."

Many of these situations reflect disaffected users trying to be more efficient in the face of unresponsive IT policies and governance. In every case, I am sure IT had valid reasons for denying users' requests, but these stories highlight just how bad things can get when communication breaks down between IT and business users.

Too often, debates about BYOD ignore a fundamental point: users bypass IT when their needs are not met. When I spoke with Kim Stevenson, the CIO of Intel, she explained that shadow IT can reflect a positive or negative relationship between users and IT:

The business units make those decisions because they are trying to accomplish their objectives in the way that they think is the most efficient. If they are not choosing you, there is a reason.

I never bash shadow IT because they are fulfilling a need that ultimately IT could not fulfill. Once you get your head around that principle, then you can start working to figure out how we can best fulfill it for the company.

Joanna Young, CIO at the University of New Hampshire, echoes the importance of embracing a responsive attitude toward business stakeholders and users:

Building and retaining IT relevance requires being “deeply in touch with your customers, what they are demanding, and what the value proposition is for them.”

Expert reactions. Responding to the contest, several experts tweeted their views and comments about rogue IT. Ben Haines, CIO of file-sharing company Box, highlighted the gap between IT and business users while raising a question about IT's role and accountability:

Does this reflect poorly on IT?
A symptom of out of touch IT?

A related exchange among analyst Frank Scavo, Appirio co-founder Narinder Singh, and IT executive Peter Kretzman dissected the crucial need to balance governance (control) against responsiveness (flexibility). Given the nature of Twitter, these tweets present a series of connected points rather than a linear argument:


Technologies such as cloud and mobile have eliminated the natural monopoly that IT once held over hardware and software in the enterprise. Despite the humorous quality of these rogue IT stories, determining the balance between risk/efficiency and flexibility/responsiveness is one of the key technology issues facing every major enterprise today.

Disclosure: harmon.ie is an advisory consulting client


Talkback

10 comments
  • Rogue IT: a dangerous dream

    'Rogue IT' should, at the very least, notify a central department within a company about what it is doing. If you have a set of people who are certified to manage a company's IT resources, and these people are being bypassed, this sounds like a recipe for disaster. The more impactful the projects 'Rogue IT' is trying to pursue, the greater potential there is for disaster. This is akin to ordinary folks deciding they can run portions of a clinic or hospital, without the need for certification.

    I can empathize with rogue IT, but IT is by nature complex, requiring careful analyses of the impact of various parts of a new project. I believe rogue IT needs to get together with traditional IT within a company, and try to form an infrastructure in which projects can be rapidly deployed in a manner where the two parties are happy. This dream of rogue IT deployment efforts is just that: a dream - and a dangerous one at that. Because of IT's complex nature, and the constant possibility that things will go wrong, qualified / certified IT personnel must be kept in the loop. (This is coming from a developer, not a sys admin.)
    P. Douglas
    • Real Issue

      The real issue is IT policies that do not reflect the needs of the organization but the desires of the IT department for empire building and complete control. This fight has been going on for at least 50 years. The first rebellion was with mini-computers, then with PC's, now with tablets and mobile computing. Either the IT department gets ahead of the curve and tries to anticipate user needs by doing something heretical like talking and more importantly listening to the users about their needs not what IT wants.
      Linux_Lurker
      • Restructure the IT department's compensation

        Do something like subject the IT department to a rating system by employees, where a sizeable portion of IT staff compensation, is based on their rating. If IT staff wants to make the maximum income, then they have to innovate over the way they serve the rest of the company.
        P. Douglas
      • Real Issue..

        Rubbish. The real issue is the disconnect between senior management not enabling and resourcing IT such that it can respond quicker to users' needs. The policies that people so often want to bypass are most often in place because that is what is required to satisfy the company risk profile and budgets IT is charged to manage. This year alone I have had to deal with serious data breaches at several large organisations brought about by uncontrolled use of cloud services. You could argue that IT has not provided services the users (claim) they require however in every case I dealt with it is not IT stopping this - it is management who have deemed that it is an unacceptable business risk. What we need is a better communication channel from users through IT into senior management so these types of requirements can get management eyes on and be properly evaluated in a timely manner.
        tim@...
        • Good rebuttal

          You took the words out of my mouth.

          To the credit of P. Douglas, I can say that there is a good amount of IT people who feel the need to be controlling. I get that and this largely feeds a negative perception of IT. I see it often as an IT Manager. But.....There are many of us though that have to remain informed about security, compliance, risk and ROI and these are the things that influence our decisions. The better among us do try to balance this with the needs of the user base but at the end of the day, keeping the data secure is our number 1 priority.

          The average end user is not informed about these things and ends up with a very myopic approach to their problem, often times creating challenges to security, compliance and risk. ROI, or lack thereof, comes into play when IT has to deal with the data breaches caused by this behavior.

          The rest of our problem was adequately described by you in regards to the willingness of the C-Level to invest. Going through that now, which is why, despite the insane number of man-hours we have put into our analysis, we still do not have a good DR plan. Only more requests for information in what is looking like a delay tactic.
          djmik
          • Edit

            Edit: I gave credit to P Douglas when I was referring to Linux_Lurker's assertions about the perception of IT.
            djmik
  • Let's switch this up a bit...

    Say it's the marketing department that some employees think are not enabling them to do their jobs in sales. They decide to make up their own marketing, branding, buy their own ads, etc. Sound like the recipe for disaster? It is.

    This is not a technical issue, it is a management issue. Managing employees' actions. Managing communications to other departments as to needs. Etc.
    Rann Xeroxx
    • Another example

      IT's "needs" are not being met by HR, so they "innovate" and "repurpose" some of their budget to give themselves raises, and performance bonuses to match those given to the executive suite ...

      These perceived "needs" that IT is not meeting are often false flags set up by sales reps for the rogue IT provider. When push comes to shove, often even the provider's technical people cannot provide the smoke and mirrors features that some fast talking salesman sold to an unsuspecting non-IT manager.

      If you want IT to be innovative, GREAT. We in IT would like to be that way too. We would rather work on "nifty" client servers or virtualized systems rather than clunky mainframes, but we don't have that option. But if you have innovative IT, then the company must be prepared to put up with more failed, more late and over budget projects. Not all innovations work the first time, meaning you have to back up and redo parts of the project, or even accept that a whole project is simply not possible with available technology. The same non-IT manager who tries to use rogue IT providers will then turn to in-house IT and tell them to "make it work", when the rogue provider can't. WTF!

      Managers who use rogue IT for "production" purposes should be severely censured or even fired if the expenditure is large enough! Sure, use rogue IT for proof-of-concept trials and project that you can take back to IT, but not for work that the company business depends on unless you can prove that this new system is secure, backed up and
      Ron_007
  • Give users the tools not the devices

    Users bypass IT when their needs are not met is exactly the issue here.

    Organizations shouldn't be so concerned with the intricacies behind easing into a BYOD policy due to time or resource constraints. CIOs simply need to accept that employees will always find new ways to access and share files... but the issue is that these means need to be authorized.

    It's not necessarily about provisioning devices either, it's more about provisioning the tools that make them safe.

    Another study I read claimed that something like only 28% of IT departments allow BYOD, which means the vast majority of employees are going behind their backs. The full report is here - http://bit.ly/1dG2gWL definitely worth a read.
    JD777
    • This is the balance

      I agree. This is the balance that IT can strike while still addressing their needs for security and compliance.

      You mentioned "Tools". I would like to change that to a term we use more often here, "Services". We should be building a catalog of service offerings, platform agnostic, secure and still under IT's control. The users choose which services to employ to do their job and they can do so in whichever comfortable format they choose. Everyone wins.
      djmik