Don’t Be Afraid of Your Shadow IT

I had a conversation with a peer who is a Director of IT, recently, where the conversation turned to Shadow IT.  We discussed the challenges of an IT Department dealing with this group and their specific struggles with getting leadership to listen to them about the risks of having a rogue band running through the halls. For those not familiar with Shadow IT, it is the group of technology services and personnel outside the direct control of the Information Technology department.  Traditionally beginning with the Marketing department, it will usually leach into Finance before too long, among others.  For many senior IT leaders, it is the bane of their existence and a constant threat of a diminished role in the organization.  The reality is that Shadow IT is a necessity in many large organizations.  Most of my peers will have likely dropped their jaw at that comment, since the general consensus is to eradicate Shadow IT.  Unfortunately, its existence is nearly always due to a lack of customer service. 

 I have talked about the importance of customer service in the past. The manner in which technology is accepted is proportional to the manner in which that technology is delivered and supported.  So, how can we effectively measure the success or failure of our service?  A shadow technology presence is not an indication of the technology team’s efficiency or their capabilities.  A shadow team is an indication of how individual departments believe their needs are being met. 

 Most likely, other departments feel deprived of service in one of two categories, speed and agility.  As I noted earlier, the two departments most likely to build their own IT spinoff are Marketing and Finance.  In the case of Finance, the issue is likely speed.  Your DBA is tasked with so many projects and demand management is FIFO. When Finance comes asking for a customized report or needs a change to one of their applications, what is the response from the IT department? Usually, it is push back with the explanation that they are too busy working another project.  We all know IT departments are constantly being downsized and expected to do more with less.  The problem, however, is that business goes on.  The needs of the Finance department are real and directly impacts the success of the business as a whole.  With the demands that Finance faces (requests for improved and more current reports, simpler streamlined processes, executive requests for details on the financial strength of the company), they require immediate action.  It is easier for Finance to employ their own DBA or SQL guru to get the responsiveness they require than to fight it out with IT. 

With Marketing, it is agility.  Hopefully by now, most IT departments have implemented a Change Management (CM) program.  CM provides the stability an IT department requires to ensure constant operations; however, by its nature, a CM program impacts the department’s ability to react as quickly as other departments would want, like Marketing. The requests from Marketing are usually around new applications or making significant changes to existing software.  Simply look at the explosion of the use of Social Media.  Implementing APIs for Facebook, Twitter, Pinterest and the myriad other applications that keep emerging is taxing on the IT staff from the perspective of compliance with applicable policies.  It challenges the CC process in testing, verification, rollback and every other step to ensure that a specific program does not negatively affect the firm desktop PC image. Like Finance, however, Marketing can’t wait for IT to vet applications one at a time.  In their field, they need to keep pace with the competition in order to maintain a competitive edge.  So, rather than argue with the IT department, Marketing will find their own system administrators, web programmers, application developers, etc. Now there is no need to check with IT for changes, as they make them on their own.  But when things go wrong, who do they call?

The key to dealing with a shadow IT group is not to challenge it or attempt to dismantle it, but to embrace it.  Like Michael Corleone said “Keep your friends close and your enemies closer” (Okay, it was really Machiavelli, but who doesn’t love a “Godfather” reference).  Of course, that doesn’t mean you should look at them as adversaries either.  The key here is to accept that other departments have specific needs that the formal IT department will not be able to provide for one or more reasons under the PM trifecta be it time, money or resources.  Instead of trying to control every aspect of your organization’s technology, accept it.  More importantly, work with the other departments to establish ground rules for their techs.  Just because Marketing as a SysAdmin doesn’t mean they will have domain admin rights; but they will need full rights to their servers.  Similarly, Finance’s DBA doesn’t need access to the entire data warehouse; full SQL rights on their DB server will do just fine.  This establishes IT in a support role, which may be hard for some IT teams, but then again, you weren’t supporting them in the first place (and isn’t that how we got here?). More importantly, those technicians do not fall under IT’s headcount.  The projects the shadow groups work on? They don’t fall under IT’s budget.  The operational upkeep, however, is likely to fall to your group, so working with them gets you in the game instead of standing on the sideline, watching.  

Be careful, though. With these agreements and concessions comes the potential for a mentality swing in the opposite direction.  It is easy for the IT to fall into the “well, if you are going to install it then you can support it” thought.  Nothing could be further from the truth.  Remember, you are IT.  Anything that plugs in and turns on falls into your domain whether you like it or not. When Marketing’s webmaster hoses the webserver, they will be calling you to restore a former instance of the server.  When Finance’s DBA deletes a table, guess who gets a call.  Trying to stick by the “I told you so” stance will fall flat in a heartbeat.  Remember, IT is a department in the business, not the other way around. 

Research In Motion at a Cross Roads

Once upon a time there was a behemoth in the smartphone industry.  Research In Motion (RIM) and the Blackberry set the standard that all other devices and services were measured against.  In recent time, however, RIM’s market share has declined to a level that has made the blackberry nearly irrelevant to financial markets.  Recently, RIM reported its first loss in corporate history, which was surprising in that it was their first since the iPhone was released, and all indications point to a divestiture of RIM’s assets consisting of its Patents, Hardware, Software and their greatest holding, the immense private network used to interconnect every Blackberry device across 90 countries securely and reliably.  Unless they can shift their business model to and be accepted by a consumer market, the outlook appears inevitable.

How could a technology leader fall so quickly, in such a short time span?  The simple response is that RIM created their demise with their own technology and a lack of understanding the consumer.  With the initial deployment of the Blackberry product, centralized administration of technology was a building trend among IT personnel.  The Blackberry Exchange Server allowed for a single point of control with fine granularity from all users or to an individual device.   The ability to secure communications added to the interest in the Blackberry platform.  System administrators slept well at night knowing that their devices, and the data on them, were secure. 

Unfortunately, this focus on the administration of the device, while the key factor in its adoption, is the root cause of the failing long term sustainability of the platform.  By focusing on the Enterprise, RIM forsook the “consumerization” of their target demographic and the rise of the Bring Your Own Device (BYOD) movement.  They believed endorsements by the Government and large corporate dominance would sustain RIM through that pesky flash-in-the-pan, the iPhone.  Now, the iPhone is the new standard all other devices are compared and Android devices, while not considered equal to the iPhone’s capability depending on who you talk to, are taking over market share, the Blackberry is a distant third in market.  The Blackberry has become the Oldsmobile of the smartphone industry. 

The single saving grace that RIM has had in its steady decline has been its private network.  This is the infrastructure by which all Blackberry devices are connected and provides the secure connectivity capabilities that RIM has touted over other devices’ use of ActiveSync.  Several consumer groups in Europe and Asia have kept the Blackberry alive due to the Blackberry Network.  Each Blackberry has a PIN identifier.  Knowing the PIN for a particular individual allows a Blackberry user, utilizing Blackberry Messenger (BBM), to send SMS type messages that are extremely secure and  for free. On top of that, you can group participants in BBM, which creates a powerful communications tool as observed during a London riot last year. 

Now Microsoft has entered the ring after several mediocre attempts.  Windows Phone has matured to a competitive level and, along with its Metro platform tying into Windows 8 and truly linking the mobile and desktop experience, there is debate on the ability of Windows Phone being a realistic challenger to iPhone and android as the standard.  Additionally, Microsoft has announced that their new Windows Phone 8 devices will include Trusted Platform Modules (TPM).  The TPM is a hardware component that is the DNA of a device.  It takes all of the components of the whole device and creates a Hash value or checksum that represents it.  Should someone make a change to the hardware or break the integrity of the system, the Hash value would change and easily be identified as compromised.  Using TPM, an organization can securely link its devices together with confidence.  Also, this takes the human factor out of the security aspect of platform administration.  Instead of the user entering their user-name and password, which is regularly simple to guess or get through with brute force, the TPM is registered with the data center and the user credentials are a second keyset in a two-factor authentication.  This additional hardware component will mimic the ability of Blackberry to encrypt the device, ensure secure connectivity to services and establish secured data links across the open internet.   The significance here is the merging of secure hardware with network encryption and a platform that consumers will adopt.  Could this be the last nail for RIM?

Make no mistake; RIM has revolutionized mobile access technology.  The technology has driven productivity and advanced business capabilities beyond the desktop.  Without the Blackberry, some would say there would be no iPhone, iPad, Android, or what comes next.  The world has moved on from the centralized archetype from 15 years ago.  Perhaps, the Blackberry will find new life in Blackberry 10.  Until that proves true, Apple, Google and Microsoft will continue to widen the gap through a clear understanding of the consumer market and allowing the consumers to drive the BYOD movement.

Customer Service and the IT Department

What is the importance of customer service in IT? I mean, seriously, we just provide access to the internet, we set a PC on a desk, we do a bunch of stuff that amazes our moms and dads.  But, do we provide a service in the same sense as we perceive service delivery by a restaurant, doctor or hotel?

So often, I observe geeks demonstrating the very traits that our customers loath about IT.  We speak in acronyms and assume everyone understands what we are saying, including the obscure Star Wars reference.  We assume our customers will follow our every direction on what application to use, how to use it, or what equipment we need. We restart servers in the middle of the day without consideration for those using them.  We make changes without documenting them.  Is this service?  Is this how we would want to be treated in our favorite restaurant?  More importantly, what value do we bring? How do we contribute to the business this way?

The truth is we don't!  The IT department is, first and foremost, a service organization, much to the chagrin of the geeks.  Most see the Help Desk (or Service Desk) as the “Public Face” of IT when the entire department must be service oriented.  Unfortunately, the majority of techs are introverts with little patience for the interpersonal dealings with end-users.  Most techs project the problems of system adoption or product acceptance on to their customers, demonstrated in a response to a typical discussion board question:

“It's more of the fact that a lot computer users are the "illiterate" ones, causing a lot of problems and issues, like not running anti-virus, proper firewalls, etc. That can be easily proven by reading the questions (and repeat questions) here [on Yahoo Answers].”

Our customers use our products and services nearly every moment of every work day.  Yet, how often do we really consider the user experience?  Is the problem that the end-user is “illiterate” or is the IT team isolating themselves by their own actions?  In an ideal world, a new program or device has been tested in the field, the tech or programmer has met with those that will be using the technology to determine needs and requirements, and enough research into “what the business need is” to identify issues that would impact the end-user.  The reality, however, is that this rarely happens.  Traditionally, the concerns of the IT folks are compatibility with other applications, equipment, and the rolling out process with little concern for the day to day operations of the organization.  While the systems administration aspect of IT is very important in terms of security, reliability and interoperability, it is often accomplished to the detriment of their relationship with their customers and the success of the business. 

This isolation from the business is exactly why senior leadership consistently overlooks IT as a strategic benefit.  This paradigm holds many organizations from the very benefits that technology has to offer, such as driving growth and reducing costs.  In a time when businesses need to differentiate themselves, technology offers the competitive edge needed. 

The quickest way to accomplish this is through delivering outstanding customer service.  Think of the immediate and satisfying experience you have when you receive great service.  We should strive to delivering such an experience to the end-user.  This involves clearly and concisely communicating what we are doing, listening to our users (both audibly and visually) to determine their needs, and acting responsibly by accepting ownership of issues and being accountable to the organization.  If you are walking around like Nick Burns, you may have fixed a problem; but, did you really provide a service?

Is The Customer Really Always Right?

I am a huge advocate of customer service. My ethic focuses on providing the level of service that is expected by my customers (end-users) and nothing frustrates me more than failing to offer a quality of service that I know I am capable of delivering. I have high expectations of myself, my co-workers, and those around me; often to their consternation.

To be delivering such service, at times you have to be accommodating. You have to go above and beyond. You have to understand your customer and anticipate needs. The question is, however, how you do that without compromising your integrity or the integrity of your organization.

I work for a law firm. I am sure there are other industries out there with demanding users; however, I am going to put the needs of an attorney toe to toe with any other professional. We are dealing with trained arguers. These are "A" type personalities that live for the chance to demonstrate exactly how they would dismantle you down to a quivering bowl of jello, should they have the opportunity to put you on a stand. Needless to say, being confronted by an angry lawyer is a significantly unnerving experience not to for the weak of heart and often their tactics will result in intimidation that leads to what they want.

So does that mean we give in to every demand? "I need this software installed", "I want you to give me access to this website", "unlock those permissions", "I want the admin password so I don't have to call you all the time". Of course not. My responsibility to the firm is to protect the firm. Sometimes that means that I have to protect the users from themselves. At the most, I have about 5-7 minutes to state my case when talking to an attorney. Anything more than that and I am wasting their time. Do they know what I am talking about when I try to explain that opening a specific port on a firewall will put the firm at risk because the likelihood of a hacker port scanning our network could allow a potential DMZ infiltration? Seriously? I lost them when I drew breath to start the explanation. That isn't to knock them; I would be just as lost about three sentences into one of their pleadings.

Much like the service the attorney provides to their clients as an adviser and a counselor, the IT department should provide the same type of guidance whether it is overtly or indirectly. From time to time, in the attorney's eye, we install software that is considered an impedance to productivity, our processes are a burden, and we drive users crazy with updates and patches. While many times our end-users will not appreciate what we do, it is satisfying knowing that we have done what is right and what needed to be done to protect the organization. Sure, an update may inconvenience the end-user for a short time while a login script runs. Luckily, the users will never know the potentially catastrophic loss of time that has been avoided by blocking a reported security hole with that update. Would I prefer to be able to deliver unfettered service with complete freedom? Sure, but in the real world, how long would it be before our systems are rendered useless due to viruses, malware, hackers and numerous other un-pleasantries.

When I am receiving a blistering litany of colorful adjectives mixed in with specific suggestions towards where I can place my latest system update, I take solace in knowing my stubbornness is for the greater good. I politely apologize and sympathize with the individual and try to explain why we will not install the "weatherbug" plug-in or allow access to that bit torrent site. Usually, it does me no good; however, once in a while, I will get a frustrated, yet understanding sigh. To all the people that I support, I'm sorry I cannot give you what you want, but whether you know it or not, in that instance I have helped you.

Are Law Firms Ready To Give Up Control To a Non-Attorney?

I recently read an interesting article on the blog the [non]billable hour that references the choice by the Henry Ford Health System to select a non medical professional as the president of one of their system hospitals. The slant is towards the concept being adopted by law firms and the potential benefits. While the concept of placing specific departmental or business leaders in to a role outside of their formal discipline, i.e. an accountant appointed CIO or a marketing professional in finance is not new, the top spot in a law firm has been consistently secured by a lawyer.

The interesting rub with Matt Homann's post is the optimistic hope that a law firm would shun the stodgy paradigm and allow itself to be run at the top of the ranks by a non-attorney. It's an interesting concept. Would the attorney population be able to let go of the idea that someone without a JD can run a law firm?

Personally, I say "why not?" A law firm is primarily a business and most firms would be well suited by the process and policy constraints that bind a corporate enterprise. Why not bring in leadership focused at the customer service level? An operations expert or marketing/PR executive would provide a different outward face for the firm focused on the client without the pressures of having to still bill hours. They would be able to speak the same language as the client and build a culture at a firm that is consistent with the clients they serve.

The main issue would be, would a law firm be able to handle those same processes and policies that a corporation holds so dear? There is no doubt that there are tremendous opportunities for savings and streamlined performance through standardization and procedural controls. Unfortunately, anyone that has worked for a law firm knows how implausible this would be. Imagine telling a senior partner that they cannot have a certain application or widget because it isn't the firm standard or they didn't fill out a form.

I am interested to see if a large firm takes on such a revolutionary concept. It would be a bold exercise to say the least, with a successful firm redefining the industry.

Shaping the Firm of the Future

Cloud computing, server and desktop virtualization, MPLS, VoIP, Online Collaboration—all examples of technology that has been commoditized beyond the point of our need to maintain many production applications on a day to day basis. The question becomes, not “Will IT Survive”, but “Will IT Evolve”. These changes in paradigms will lead IT to prioritize on solutions, not products. As Mr. Koulopoulos states in his article for ILTA's Peer to Peer, the difference between surviving and succeeding depends on the ability of the IT department to be able to evolve to a state of consultancy. What is most important, however, is enabling your team to grow and take on that role.

The Service of Technology

We all know Law Firms bring a different dynamic than the corporate world. Other verticals that experience our unique world are accounting, architectural, medical, etc. We serve the billable hour. Isn’t it time that IT consider it’s time billable to the attorney? Now, I’m not saying we charge our attorneys for our time. I am suggesting, however, that we take the concept of “aligning with the business” to a new level.

Today, most firms stagnate in a reactionary role. How many times a day are you putting out fires or responding to the frantic cries of another “Do you know how much this firm is losing because I can’t work” incident? We find ourselves beleaguered with expectations by our end-users set far higher than realistically capable of providing. Nevertheless, we find ourselves mired in a repetitive process where, next thing we know, we’re six revisions back on a critical application, our infrastructure is latency poor, and we are addressing symptoms, not root causes. It is time to focus on the service of technology and move away from the products of technology. This is where the commodity of technology frees us.

Free from Mediocrity

How do we make this jump? How do we position IT to fill a role that the attorney’s identify as a resource and not a liability? Easily done, just align yourself with the business, right? Well, that’s a start. First, we need free ourselves as suggested by “The Compatibility Curve”. Once your network is up and running, why would you need a CCNP or even a CCIE on staff? And do you really want to allow your folks to tweak and play with the infrastructure as “professional development”? Isn’t this where we get ourselves in trouble? So, outsource the design. Get a contractor for the heavy lifting. Your department is probably understaffed, anyway. Instead of your engineer learning through trial and error, the knowledge exchange with the consultant is real-world and strikes a deeper chord with your staff.

Innovate and Align

So, you streamlined and tossed off the mundane tasks to contractors, now what? Ideally, we partner with the professional staff. This is facilitating innovation that Mr. Koulopoulos mentions. It’s not enough to bring the most current revision of a critical app or the coolest next gadget. We have to be aware of the strategic aims of the firm and how the consumer market will leverage the firm. Yes, I said "consumer market". Get over it, like it or not Skymall is in our lives.

Our technology leaders must gain a seat at the table with the managing partners and executive staff to determine where we can assist. This is the difference between choosing between software or hardware products and identifying a need by the end-user and crafting a solution to complete it. Once IT has the prominence of the other departments from an Operations and Strategy role, we will begin to see the benefits of what Technology has to offer.

When we become intimate with how the attorney practices law, what the stress points are for her, and why she believes her concerns are not being met, we can begin to anticipate those needs. By being proactive and freely collaborative with the professional staff, we ascend beyond the stereotypical "IT Guy" and reach into the future of IT. Technology should be an extension of the attorney's hand in their practice of law, not a hindrance to it.Align

Let's face it. Technology is easy. It has evolved beyond the days of needing a technician to set the clock on a VCR. Technology has grown into services and clouds that require little maintenance or PMI to keep them going. The mystique is gone and the days of Star Trek are upon us, where technology is taken for granted and we are more amazed that something doesn't work instead that it does. Everyday we hear about attorneys that are setting up servers or establishing subscription services for applications and services that would have taken an IT department weeks of planning and integration to roll out. Align

Does all this spell the end of IT? Not at all. This is, however, a Darwinian moment. The weaker species will fall behind either due to hubris or lack of an ability to change. Many (hopefully most) will make that evolutionary leap to bringing the value we have all felt we were and are capable of providing. Our strengths will transcend technology and reach into the business to tie it all together. IT will survive and thrive in this new and exciting time, provided you are prepared to change. -AJC

--This article was first published in ILTA’s June 2011 issue of Peer to Peer titled “Law2020TM: One Year In” and is reprinted here with permission. For more information about ILTA, visit their website at www.iltanet.org.