CIO Decisions

Rogue technology: What lies beneath


Manage Learn to apply best practices and optimize your operations.

CIO advice for wrangling rogue IT in the consumerization age

Not all rogue IT is bad for business. Here, we look at how CIOs keep tabs of the tech outside of IT and handling risk.

The first part of this two-part story looked at the role of rogue IT in today's enterprise organizations and how CIOs are reacting to either head it off or make it an acceptable part of their IT strategy. University of Michigan CIO Laura Patterson and CareWorks CIO/CTO Bart Murphy each gave their take on rogue IT in the enterprise today, from making sure it's not necessary to guiding it back to central IT. The second half of the story presents advice for determining what rogue IT is helpful and what rogue IT is harmful as well as the evolving question of who owns technology risk.

Separating the good rogue IT from the dangerous

Shining light on rogue IT

If IT organizations can't be there at every turn, there's always "spying." Speaking on a panel at the 2013 Gartner Symposium/ITxpo, Mike Kail, vice president of IT operations at Netflix Inc., extolled the virtues of software that enables IT to monitor use of cloud applications and set policy around them. As an IT leader at the streaming-video service, Kail said the role of CIO should be providing services for the entire company while also having good visibility into market trends.

Peering into what's happening throughout the company with a tool such as Netskope, Netflix's product of choice, provides a look at what services IT ought to be providing. It's not so much about weeding things out, but seeing what works best, Kail said.

"I don't really think about it as eliminating shadow IT as much as understanding and getting insight into it: what services you should be providing, how to wrap those up with identity and some level of access and auditability is the key to enabling the business," he said. -- K.G.

Laura Patterson's and Bart Murphy's attitudes toward rogue IT would get a thumbs-up from Gartner analyst David Cappuccio. Blogging on the topic of rogue IT, he said that if CIOs are going to successfully adapt to the consumerization of IT era, they must partner closely with business partners, including on innovation projects.

"Innovation labs can become the integration point where IT experience and business innovation can come together," Cappuccio wrote. In these innovation experiments, however, IT must see itself as "an enabler of change" not the "control point," and there should be a "clear understanding on both sides of the aisle of what the potential cascade effects will be on both the business and on IT." To start getting a handle on rogue IT, CEB's Horne said CIOs need to recognize the difference between "healthy" and "unhealthy" shadow or rogue IT.  Unhealthy rogue IT is what would traditionally be regarded as wasteful, duplicative or risky -- for example a technology that requires heavy integration with a back-end system like ERP. Healthy rogue IT is experimental, innovative and unlikely to cause harm. In a January 2014 analysis, Getting to Healthier Shadow IT, CEB discussed how to separate the two:

Ways to identify healthy rogue IT

  • Productivity enablement -- Technologies employees use to drive productivity
  • Customer engagement -- Technologies used to engage customers in new and innovative ways
  • Customer insight – Technologies that generate new customer insights from data

Ways to identify unhealthy rogue IT

  • Integration-dependent -- Technologies that should be integrated into central IT systems
  • High support burden -- Technologies that need support from dedicated in-house technologists
  • Commodities technologies -- Technologies that can be obtained more economically through enterprise contracts

Reassigning risk and changing attitudes

More on IT enabling the business and dealing with risk

CIO advice on enabling business agility and competitive advantage

Practical advice on presenting risk management plans to the board

Cloud-first philosophy meets range of needs at U of Miami

Another important thing for CIOs to understand, according to Horne, is that rogue IT isn't necessarily a judgment on IT's performance; rather, it's a signal that business leaders more fully grasp that they can't function without technology.  That said, the old command and control rules of engagement between IT and the business have changed.

"It may mean standing back and letting the experiments happen," Horne said, while at the same time "standing ready to take on board the successful experiments and scale them fast."

That tweak to the traditional CIO role also calls for changes in responsibility. Traditionally, when technology has gone wrong, no matter where or how, the blame would land at feet of the CIO as the technology leader.

"This underscores the importance of good relationships, open communication and shared values and strategies between business units and central IT.

Laura Patterson, CIO, University of Michigan

Despite the shifts in IT and technology, there's still a kernel of truth to this, U of Michigan's Patterson said. The business still expects the CIO to be in the know about all IT, including the ad hoc deployments within the business units. "This underscores the importance of good relationships, open communication and shared values and strategies between business units and central IT," in Patterson's view.

But the expectation that the CIO bears the brunt of all technology decisions, sanctioned or not, also needs to change Horne said. As business leaders take on technology decisions, it needs to be clear that they're also taking on the associated risks.

"Ultimately, risk is a business decision, and the role of the CIO or chief security officer should be to facilitate and inform that decision, not make it themselves," he said.

This change in attitudes must also carry through to the IT department itself. According to Horne -- while many CIOs generally seem accepting of the idea of aiding what would be considered rogue IT -- their teams often are less accepting. Rogue IT is still viewed as a major threat. To keep the peace -- and business humming -- it's up to CIOs to communicate and instill a cooperative outlook.

"The CIO has to say, 'Look, the business partners are gradually becoming better at making technology decisions. They're more knowledgeable [and] it's more important to them; we need to adjust and work with them to help this happen,'" Horne said. "IT cannot be seen as a roadblock in the process."

Let us know what you think about the story; email Karen Goulart, senior features writer.

Article 5 of 8

Dig Deeper on Cloud computing for business

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Should business units share or own the risk for rogue IT?

Get More CIO Decisions

Access to all of our back issues View All