What Can Be Done About Rogue IT?

Securing a customers information is critical, and Kelly McGowan, the Senior Director of Information Technologies at American Securities, tells us about how they are helping clients start those conversations.

Rogue IT happens when company IT fails

[gestalt_n_pepper]

In every company I've ever seen, IT is underfunded and under resourced. Networks fail. Security becomes heavy handed and unreasonable (i.e. My job's not done until you can't do yours). IT is forced to centralize and standardize everything in a world where a cookie cutter approach is doomed to failure from the beginning.

What happens? Employees, who are bonused on getting actual work done, take matters into their own hands, figure out different ways of accessing company networks when the official VPN fails, figure out ways of connecting phones and pads to the network without official sanction, start sharing logins and passwords... All just to keep working day to day.

Unfortunately, this is all easy to hide from clueless CFOs/CEOs and upper management, who really don't care anyway until there's a major data breach, at which point they can only dance around in circles and yell, "Fix it!"

The problems are fixable. Plan IT from scratch. Spend realistic amounts of money on the system. Solicit user feedback continuously to pinpoint trouble spots. Force IT management to communicate relevant issues with users and system administrators.

Re:Rogue IT happens when company IT fails

[allquixotic]

Not only that, but get rid of all the security theater nonsense, the general paranoia and fear of the unknown, and make the central IT accountable if they are unable to deliver a solution to satisfy a business need within the expected time frame.

Companies that don't hold IT accountable for failing to serve their customers (i.e., the people who get actual work done and make sales for the company) have no right to complain about shadow IT cropping up here and there. If central IT won't do it, and shadow IT isn't allowed, then things simply won't get done. The existing staff will get fired, and their replacements will come in, and after realizing that they need to do something to keep their job, will go shadow IT *anyway* as a means of getting shit done. Then they'll get major kudos and pats on the back from their managers because they were the only people who had enough backbone to actually solve a problem.

If Central IT then wants to step in and say "you can't do that", fuck them. Having an organization within a company whose primary job function is to tell other people what they can't do, without actually enabling them to do anything that will help them accomplish their work, does a lot more harm than good.

And, no, Central IT "program managers", the best solution is *not* to always spend multiple millions of dollars on an all-encompassing software system that implements the entire world, just to enable one teensy tiny little piece of workflow. That's like asking for a driveway and getting the Hoover Dam. That's the other problem with Central IT. They never have any concept of what it means to deliver only what was asked, and no more. They'd rather spend 5 years and millions of dollars to "roll out" a huge, organization-changing system that solves the original problem plus a thousand others, but creates ten thousand more questions and problems in its wake, like: how do you integrate this into other systems the organization is already using? When should you use one system or the other? What about those people in Colorado who aren't connected to our network? Oh, and if you're looking to spend another few million dollars and a couple more years to dig an interstate highway under the city, we'd like you to fix the leaky faucet in the bathroom, thanks.