The battle over who controls work tools and enterprise technology is as old as computing itself. From the introduction of VisiCalc and Microsoft Access to today’s smartphones and apps, conflicts between workers and IT overseers have continually simmered.
“It’s an ongoing point of tension for organizations, observes Scott Buchholz, chief technology officer in the Government and Public Services Practice at Deloitte consulting. “Struggles over the introduction of new technology, and the balance between centralization, control, and efficiency are a common theme.”
Now, as CIOs look to tap a wider range of digital tools and break down silos, the stakes are growing. After several years of control drifting toward the individual and “bring your own technology (BYOT),” some tech leaders are rethinking things — and in some cases –recalibrating away from a more democratized or federated model in favor of centralized controls.
Although every organization and situation is different, experts warn that significantly shifting the boundaries is a tricky proposition, and any change should be examined closely. “The line of thinking that IT is the enabler and caretaker of technology — and everything can be contained in a box — is no longer valid,” says Dan Wilson, a senior director and analyst for Gartner.
Out of Controls
The growing complexity of IT frameworks is startling. A typical enterprise has upwards of 1,200 cloud services and hundreds of applications running at any given moment. On top of that, employees have their own smartphones, and many use their own routers and laptops. Meanwhile, various departments and groups — marketing, finance, HR and others — subscribe to specialized cloud services.
The difficulties continue to pile up — particularly as CIOs look to build out more advanced data and AI frameworks. McKinsey & Company found that between 10% and 20% of IT budgets are devoted to adding more technology in an attempt to modernize the enterprise and pay down technical debt. Yet, part of the problem, it noted, is “undue complexity” and a lack of standards, particularly at large companies that stretch across regions and countries.
In many cases, orphaned and balkanized systems, data sprawl, data silos, and complex device management requirements follow. For CIOs seeking simplification and tighter security, the knee-jerk reaction is often to clamp down on choices and options. “It’s a lot easier for a CIO to adopt a centralized approach to IT,” says Corey Kirkendoll, CEO of 5K Technical Services, a Plano, Texas managed service provider.
However, reduced flexibility often comes at a cost. Workers who can’t access a needed app or cloud service can wind up feeling frustrated — and even unable to do their work effectively. That, in turn, can ripple out to customers. It might also lead to workarounds and the use of illicit apps. “When people are unable to accomplish tasks, they turn to shadow IT and alternative methods to accomplish tasks. This is viewed as the enemy of the state but it’s really just a cry for help,” Wilson explains.
One issue that frequently flies below the radar for CIOs is that as applications change — for example, SaaS replaces older legacy tools — the administration and security framework doesn’t change with it. This can result in old policies and procedures superimposed over current systems, including SharePoint directories. “The controls can wind up being overbearing.” The goal, Wilson says, is to achieve a sense of balance. “Organizations that try to rein in complexity by going to full centralization typically fail. There are better ways to address the challenge.”
Adds Kirkendoll: “There’s no one-size-fits-all approach. It’s important to understand when and where centralized controls are needed and when they are a hindrance. Organizations that adopt the right policies and procedures make things more manageable for everyone.”
Rules, Roles, and Regulation
An understanding of what different groups and workers require to do their work effectively is at the heart of a modern IT management framework. “The best CIOs and tech leaders spend time with business groups, and they understand that they are there to serve their needs,” Buchholz says. Tossing out general policies, procedures, and controls to simplify IT is a recipe for problems.
Connecting policies and controls to specific roles is crucial. A software developer or marketing manager almost certainly requires greater autonomy and IT flexibility than a call center employee, for example. As a result, an organization might allow the former group to use their own devices — or issue a company laptop — but require some controls and adequate security protections. For others, the need to create a uniform environment could lead to a desktop-as-a-service (DaaS) solution with centralized controls.
Another option, Buchholz says, is to give certain workers the choice to customize their computing space — but with strings attached. If an employee uses an organization’s pre-configured stack — what he calls an “easy button” — there’s little or no review process. However, if the same person opts to bring his or her own technology or make modifications to a computing space, a more detailed review process ensues. In some cases, this person might also be responsible for IT support.
Rethinking the role and structure of IT is also vital, Kirkendoll points out. For instance, an enterprise might assign an IT representative to smaller groups and teams — based on specific jobs, roles, and tasks. That way, the IT person is more closely aligned with the technology and he or she is trained to deal with specific applications, tools, services, and microservices the group uses.
Improved visibility can also help reduce complexity — and aid in establishing the right guardrails. The result can be fewer conflicts about technology. “When organizations use ‘fact-based’ tools they have a far more realistic view of where problems reside,” Wilson says. “Rather than developing policies and procedures based solely on fears and possibilities, they have actual insights into people and devices.”
Suddenly, it’s possible to identify a person who is using a corporate email address as a username for a Zoom or Dropbox account — and possibly sharing or storing confidential documents. It’s possible to spot devices and people that are still on the network when they should have been deprovisioned weeks or even months ago. Vendors, such as Oomnitza, Open IT, BMC, and Lakeside Software, offer tools that deliver deeper visibility and insight across a broad IT estate.
In fact, when this level of insight is combined with a zero-trust security model, including strong identity management and authentication practices such as single sign on (SSO) and multi-factor authentication (MFA), many of the questions and concerns about whether to adopt a federated, centralized or decentralized IT administration model fade away, Kirkendoll says. “They are no longer relevant.”
At that point, it’s possible to develop a framework that delivers appropriate controls and protection — without veering into the category of undermining productivity. It’s also possible to deploy the right technology in the right place, whether it’s a DaaS solution, a company-issued laptop or a BYOT framework for a department or person. In addition, shadow IT and unauthorized practices diminish or disappear.
“The governance model isn’t as important as the underlying framework used to manage and protect assets,” Kirkendoll explains. “Ideally, you deploy whatever approach works best for a given group or situation.”
Concludes Wilson: “Successful technology leaders understand that collaboration and trust is crucial. IT is ultimately a partnership. There’s a need to build out an IT environment that works for everyone.”