CIOs fighting uphill battle against renegade apps

By Linda Tucci, Senior News Writer 24 May 2006 | SearchCIO.com

Digg This!     StumbleUpon     Del.icio.us

"I don't think it's a battle. It's more like being part of a group of independent explorers," Ace said. "The trick is to find the right balance that allows you to reasonably manage risks, while encouraging innovative problem solving."

I don't think it's a battle. It's more like being part of a group of independent explorers. Frank J. Ace CIO, Wisconsin Department of Justice

One of his department's most significant applications came in through the back door, in fact. In mid-1990 a business division in the Wisconsin Department of Justice began experimenting with a primitive electronic bulletin board for its customers, the state's law enforcement officers. The bulletin board was launched on a private network using outside IT help and tools that were nonstandard. Voices from IT and the business side called for its demise.

"Luckily, the foresight of some of the business leaders, along with the increasing presence of the Internet, turned the early bulletin board system into an infant Web site called WILENET, the Wisconsin Law Enforcement Network," Ace said. Today, WILENET is considered a critical system for the Wisconsin Department of Justice.

As employees become more versed in technology, they are developing and downloading applications that are potentially problematic to the business, raising legitimate concerns about network security, compliance, bandwidth, interoperability, storage and productivity. The practice is unlikely to stop, say experts.

Instant messaging, Skype, impromptu Web conferences and peer-to-peer file sharing like Kazaa, LimeWire or BearShare downloads are making inroads into American business, introducing access points for malware, spyware, viruses and Trojans. A 2005 survey of CIOs by San Francisco-based market research firm NewDiligence showed that 93% of workplace computers have at least one of these renegade applications.

The question is what to do about it.

"Don't try to stop it -- you will fail," is the advice from Gartner Inc. Citing a trend it calls "the consumerization of IT," the Stamford, Conn.-based consultancy predicts that between 2007 and 2012, the majority of new information technologies that companies adopt will have their roots in the consumer market -- in other words, outside the purview of IT.

"We're not saying let anybody do anything they want with anything they want to. What we're saying to CIOs is they need to get out in front of this trend, understand why people are doing it and accommodate it to some extent," said Gartner fellow David Smith, author of "Gartner to Enterprises: Don't Be Afraid of Consumer-Oriented Technologies."

More on applications IM too critical a business app to ban  Interoperability fuels workplace IM debate

Robert Fort, director of IT at Los-Angeles based Virgin Entertainment Group Inc., said unsanctioned applications tend to proliferate when IT budgets are constrained. For instance, the business unit has an operational problem it needs to solve, but IT has been given strategic projects that take higher priority.

"The business unit takes the renegade approach and the first IT hears about is in conversation or when your file shares start growing or when something breaks," said Fort, adding that the root cause is often a lack of communication.

"My view is that IT [isn't the only group] in our company with ideas about how to apply technology to solve problems. But business may not know what's required for storage space, backups, controls and business continuity. There has to be collaboration," Fort said.

Employees often go around corporate systems because they can't get the corporate system to give them what they need to do their jobs, Smith agreed. The classic example is corporate e-mail systems that impose very small storage limitations. Employees set up alternate e-mail systems, such as Gmail, that gives them much larger storage systems.

"As a result of your trying to lock things down in the name of security or compliance or whatever, you are encouraging people to go around the system to get their work done and, in the process, maybe opening up a bigger security hole," Smith said.

Smith believes IT people use security and compliance as excuses for doing what they want to do -- or not doing what users ask. "There's always ways around things if you try hard enough," he said.

Gartner suggests businesses create "experimentation zones" where IT staff and other users can become familiar with consumer technology and identify applications where the technology can improve collaboration, communication and efficiency.

A different strategy is offered by FaceTime Communications Inc., an IM security vendor that counts many large U.S. banks as customers. FaceTime helps companies come to grips with the realties of nonstandard technology. Frank Cabri, vice president of marketing for the Foster, City, Calif., vendor, says users are not only more savvy about technology, but they're also insisting on real-time applications, including Skype, an increasingly popular communications tool.

"Employees feel they have a right to download these applications because they are using them in a way that is productive to business. At the same time, the IT department and the business own these assets and have the right to know what is going on with them," Cabri said.

CIOs have done a lot to keep the bad stuff from coming into the network through antivirus software, firewalls and other preventive measures, Cabri said. "What we tell CIOs is to swivel your chair and look within your organization. Know what is being used by employees, put tools in place to audit what is being used and let that information drive your policy."

FaceTime sells services and software that are imbedded in an IT platform and based on company policy on the use of applications. "We're policy-neutral," Cabri said. Employees receive a written document spelling out what's allowed. FaceTime takes the document "out of the file cabinet" or off the intranet and embeds it real time into the network, monitoring infractions when they occur and alerting users.

IT should find out what applications various departments need to do their jobs. For larger organizations, it is not feasible to take a "one size fits all" approach to applications.

Howard Weiss, a field systems engineer at technology provider CDW Corp. in Vernon Hills, Ill., recommends that IT interview each of the departments to find out what kind of files they need access to, before setting a policy. "You might discover that marketing needs MP3s but maybe sales doesn't, so you block MP3s for sales," Weiss said.

When dealing with personal files, more and more companies Weiss deals with are OK with letting employees use their personal hard drives to store those files, but balk when those files start finding their way to storage servers and e-mail. "The trend I'm starting to see is that companies realize that employees should have some freedom. They shouldn't be locked down, but they shouldn't be using company resources for personal files," Weiss said.

Let us know what you think about the story; e-mail: Linda Tucci, Senior News Writer

Tags: Information security management for the midmarket,  Risk management for the midmarket,  Leadership and strategy for the midmarket,  IT and business alignment for the midmarket,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information security management for the midmarket Using key risk indicators to sell your information security program IT security spending a bright spot in '09, with more growth predicted Gartner: Vetting security of third-party partners in five steps Locking down security in the move to electronic medical records Security and risk management in the midmarket Identity and access management planning guide for the midmarket Information systems management for the midmarket CIOs share advice on doing more with less Get smart about patching security vulnerabilities A CIO's advice for implementing single sign-on solutions Risk management for the midmarket Using key risk indicators to sell your information security program Gartner: Vetting security of third-party partners in five steps Security and risk management in the midmarket Identity and access management planning guide for the midmarket Get smart about patching security vulnerabilities Log management tool saves big on network fixes, integrates with IPS Unified communications: Securing access to OCS Disaster recovery and business continuity planning: Know the risks Database security: Who should have access? San Francisco network lockup justifies CIO fears Leadership and strategy for the midmarket Midmarket CIO podcasts: Information technology and leadership news and tips A CIO shares his lessons learned in project and portfolio management Involving users in business intelligence strategy key for success IT insourcing trends: Weighing the pros and cons For a successful project manager, look for qualities of a good leader Data center outsourcing contract do's and don'ts From software prices to EHR security: The latest advice for CIOs As swine flu spreads, CIOs prepare business continuity plans, measures Val IT: A little-known IT governance framework that may save you money IRobot CIO dishes on virtualization, disaster recovery and compliance

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary