Monthly Archives: May 2014

Embrace Shadow Tech or Die

‘Shadow Tech’ – we IT folk do enjoy our cool-sounding names, don’t we?

The term Shadow Tech refers to the use of consumer technology by the workforce, usually in a way that is not sanctioned by ‘Corporate IT’.

Generally speaking, the IT department does not like the business to use any technology that they (IT) haven’t selected, procured and learned how to support. The instinct of your average IT team is to declare shadow tech verboten, often citing ‘security’ as the reason.

Today’s shadow tech manifests itself in the form of iOS and Android devices. Our employees have them at home, love them and can see how they will help at work – but the IT team says “No, it’s not safe”.

‘ICT as Denier’ is a dangerous role to adopt. I’ve already written about the battle with pernicious ‘security’ but when it comes to shadow tech the real threat is to the IT department – the threat of irrelevance.

We can illustrate the risk by casting our minds back to Shadow Tech 1.0. Less than 30 years ago the IT Dept. was about number crunching and centralised computing – the mainframe was still king. Then in the late 80s and early 90s the Personal Computer (PC) started appearing in people’s living rooms. “Wow!” the people thought “These PCs are great, I can see how this would really help me with my work.”   

The IT Department said “No – that’s not how we do it – if you want some computing doing come to us and we’ll sort it out for you”. So the business promptly ignored IT and went out and bought PCs.

PCs proliferated on desktops throughout the organisation and a person in each area would often adopt the mantle of ‘the guy who knows about computers’. Within a few years we had mini-IT Departments all over the place, less control at the centre and an uncoordinated ad hoc approach to technology exploitation.

Wind forwards 20 years and many organisations have now managed to wrest control of ICT back to the centre. The PC (laptop) is ubiquitous but that’s OK because it is now approved and controlled by the IT team. Meanwhile, in the data centre, the mainframes have gone and Windows servers hum away contentedly – all is well with the world.

But hark! Here comes Shadow Tech 2.0: the iPhone and iPad started appearing in people’s living rooms. “Wow!” the people thought “These mobile gadgets are great, I can see how this would really help me with my work.”

The IT Department said “No – that’s not how we do it – they are not safe. If you want some computing doing come to us and we’ll give you a proper computer”. So the business promptly ignored IT and went out and bought iPads.

We know what happens next because we’ve been here before.

(There’s something here that needs exploring around the importance of ‘Institutional Memory’ in helping us avoid repeating the mistakes of the past – but that’s a post for another day)

Again Corporate ICT loses control – but this time the stakes are far higher. Both the volumes of data and the sensitivity of the data in use are hugely increased compared with 25 years ago. If the end users succeed in bypassing the IT Department then there’s a real risk of a security breach (and near certain compliance problems) – and the users will find a way to use these devices at work because people are clever.

The CIO’s role in this is to act as a trusted advisor to the business. IT should be a door-opener not a gate-keeper. The IT team need to get ahead of the curve and work out how to use these amazing new devices safely. Buy lots of different models and trial different management software then go back to your business users and say “Hey, look – we’ve worked out a way that you can use these things at work.”

But it doesn’t stop there – Shadow Tech 3.0 is already upon us and its name is Software as a Service (SaaS). I am a huge advocate of cloud computing and SaaS and I’ve written about this before. SaaS is so good (easy to use, cheap and easy to deploy) that your users will already be eyeing it/using it. Most SaaS tools require little more than a browser – your users are able to purchase their subscription and be up and running on the new application without IT ever knowing about it. This represents a serious threat to the organisation’s data as it is unlikely that the user will have checked that (e.g.) the data is being stored in the EEC.

The CIO’s job here is not to issue a diktat “Staff must not sign up to cloud based software tools.” rather we need to educate staff as to the risk and request that they run all such proposals past the ICT Governance Team so that they can do the due diligence/legwork around security. Sometimes there will be a genuine reason why a SaaS application should be blocked in the corporate world (e.g. DropBox *shudders*) – but usually this stuff is safe to use.

This is ICT adding value to the organisation and it’s a pointer towards ICT’s new role (the inexorable movement from the management of tin and wires to the management of data and risk).

So, be a door-opener not a gate-keeper because, guess what, Shadow Tech 4.0 will be along any day now…

Door-opener not gate-keeper

Let the Information Flow

Information is the lifeblood of any organisation and, as is the case with actual blood, the consequences of the flow being blocked are just as serious as the consequences of some leaking out.

Clearly it’s essential that public sector organisations protect the data that they hold – that’s a given. None of us want to fall foul of the ICO and, much more importantly, we have a duty of care around our citizens’ data. Getting one’s data security house in order is a key concern of any CIO.

But we have another duty – a duty to share information. Public sector organisations must share data internally and externally. Information is what we do – it’s our currency, our raw material, our tool and our product.

Back in 1999 Bill Gates wrote a book called ‘Business at the Speed of Thought’ in which he set out his vision of how technology could transform an organisation. The point that Gates made repeatedly is that the speed at which we do business is largely dictated by the speed at which we exchange data.

We do business at the speed of information exchange – if the information flow is blocked then we are in big trouble.

We should view any change to the organisation which impedes information flow with suspicion. This includes changes which are made in the name of ‘security’.

One of my favorite quotes is:

“A ship is safe in the harbour, but that’s not what ships are for” 

(there is some debate about the origin of this quote but it seems likely that it was first used by John A. Shedd in 1928. I use this quote too often at work and at home – but it’s applicable to so many situations)

“Information is safe on a server, but that’s not what information is for” 

If you want your data to be completely secure you should put it on a server, locked in a data centre and pull out the network lead. But that’s not what data is for.

Over-zealous security measures will impede the flow of information and your organisation will be less effective. Most of the controls in the PSN code of connection, for example, are very sensible – but a few are draconian/ill-conceived and they have been implemented to the detriment of organisational effectiveness.

A big part of the role of the modern CIO is to be organisational warfarin – an antidote to the coagulating effects of pernicious ‘security’. If a security measure seems over the top to you then you need to push back.

Information is the lifeblood of the organisation – let it flow freely.