At the beginning of my IT career, I witnessed a number of
decisions and project management practices which, at the time, just didn’t seem
to make sense. But I was young, and I often thought to myself that the people
involved must have some other reasoning, some justification for their actions
that I was just not privy to.
In short, I remained quiet when I should have
spoken up. What two decades of experience has taught me is that there is rarely
reasoning or justification behind actions that, at a gut-level, are clearly bad
IT practices. We inherently recognize when common sense has taken a back seat.
There is most definitely a dark side to BYOD. For
the most part, I am an advocate for the consumerization of IT (using
non-standard apps and tools as a way to increase end user engagement and
productivity) and support the bring-your-own-device model.
However, as a
seasoned manager and IT operations leader, I recognize the risks that come with
the model if organizations do not properly plan out their strategies, putting
sufficient protections and governance practices in place to manage the
potential risks that could come from these unsupported devices and
applications. End users often want what’s NEW, but there are valid reasons for
imposing and enforcing safeguards when giving mobile business users access to
your otherwise secure, scalable, and compliant systems.
Some people equate governance with bureaucracy
and hierarchical systems, but those perceptions often come from a lack of
appreciation for the potential risks involved. Governance is about checks and
balances — supporting the tools and systems your end users want, but in a way
that is manageable and which follows defined protocols.
Examples of rogue IT practices
A recent uSamp survey found
that 41% of US mobile business users have used unsanctioned
services to share or sync files, despite 87% saying they are aware that their
company has a document sharing policy that prohibits this practice. And,
27% of mobile business users who “went rogue” reported immediate and direct
repercussions, from lost business to expensive lawsuits and financial penalties
that cost $2 billion.
While most IT professionals understand these risks
viscerally, some business users need to crash and burn before they are willing
to adjust their risky behaviors, which is not a message your employer wants to
hear. Luckily, there is another way: learning from the mistakes of others.
This month, I am one of six mobile security and IT experts judging a “Rogue IT” contest. We’re collecting anonymous stories from the community about mobile and
cloud-based app failures caused by business and IT users who disregard
corporate governance practices. These real-world horror stories are great
examples of the prevalence of rogue IT behaviors at work, and the very real
risks they bring.
For example, within a $500 million health and wellness
company, a consultant was hired to audit its IT systems to ensure that its
systems and practices were compliant with industry regulations and best
practices. It was very quickly identified that end users were sharing sensitive
customer data (credit card numbers, bank routing numbers) using public email
channels (Hotmail, Gmail) and through consumer instant messaging platforms (AOL
Messenger, Yahoo Messenger, MSN Messenger), despite approved and documented
Because the consultant was required to report the violations,
the CFO immediately took steps to lock down all unauthorized collaboration
tools, and instituted immediate policy changes. The company was given just days
to comply, with hefty fines for each violation identified plus more fines for
each day their systems were found to be non-compliant.
In another example, a European company was getting an increasing
number of requests from its users to connect personal iPads and smartphones to
company systems. While IT resisted these requests for several months, the
company finally decided to open up its email systems to a “select number of
executives” and shared the necessary passwords. Six weeks later, IT ran an
audit on the system and found ten times the number of employees connected into
the corporate back end environment as had been approved. The passwords had
apparently been shared across the organization.
And at a large non-profit, the security team found out that
several teams using Dropbox without IT authorization had recently been hacked.
To understand how their system had been compromised, they contacted the popular
cloud-storage vendor, telling the person over the phone that they wanted to
know more about how their organization had been using the platform. The phone
rep volunteered more data than they had expected, telling them “We have a
list of 1600 user names and their email addresses. Would you like that
list?” The cloud-storage vendor was clearly interested in moving them
to the enterprise version, and was willing to share a customer list without
even authenticating the person who called!
There are similar traits that run through each of these
real-world examples. For one, individuals subverted established processes and
bypassed informed IT leaders with the goal of “getting work done faster.” On the
flip side, many IT organizations are not listening to the needs of their employees,
causing some to feel that they have no other choice but to “go
around” IT so that they can get their jobs accomplished.
In each case, the
lack of clearly documented — and transparent — change management practices
may be the root cause of the problem: practices that would provide a more open
dialog between IT and end users about what is needed, and about how some
consumer-driven tools and practices may not be the best fit for an enterprise.
Governance should not be feared or ignored, but looked at by
both management and end users as an important aspect of the change management
model. Organizations that make governance and change management a priority are able
to more quickly recognize new requests as they come in, validate requirements
to make sure requests are aligned with business activities, and ensure that all
new tools and apps meet the standards and regulations, reducing the risks of
data meltdowns and unintentional-but-potentially-significant losses.
Christian Buckley is the Chief Evangelist at Metalogix. Keep an eye out here for more coverage from Christian’s stint as judge at the “Rogue IT” contest.