People go to great lengths to explain how cloud computing is democratizing IT and enabling the end-users of technology to make some decisions themselves about what they use, how they use it and how quickly they can get set up. A plethora of enterprise vendors have got their start in life, and built their momentum, by providing this vector for so called “Rogue IT”. Companies like Yammer, Box and even Salesforce in its early days all took advantage of the real frustration felt by business units who simply wanted to achieve an outcome and felt blocked at every turn by enterprise IT that isn’t exactly known for being flexible and proactive when it comes to rolling out new stuff.
Of course this sort of rogue IT isn’t ideal – it means that a huge number of different solutions are in use within the organization, that costs can spiral out of control and that no due-diligence has occurred as to the security, reliability and robustness of the solutions being used. But what is a business to do? Historically, getting servers deployed takes weeks because of interminable processes. Software evaluations may take a few days from the business end but then get bogged down in weeks of security and compliance checks by IT. It doesn’t meet the needs of the business who every day are being pressured to do more, for less.
But let’s look at it from IT’s perspective for a moment. They’re tasked with ensuring that all the various pieces of technology within an organization work within some security constraints. They’re responsible for ensuring that data, the most valuable thing an organization has, stays in its rightful place, and finally they’re busy making sure the organization gets the best bang for its buck – having dozens of individual business units sign up for different cloud services is, in their mind at least, risky, expensive and tantamount to an invitation to data loss.
Perhaps the time has come to not look at this as such a binary conversation – after all these two groups, IT and the business, aren’t exactly at war. IT wants to enable the business to meet its objectives. True it can be a little abrasive in its approach (hey, IT staff tend to be generalized as not having a high degree of social skills after all) but fundamentally it aims to deliver the solutions the business needs, to help the business achieve its strategic outcomes and all the while deliver these solutions in a way that doesn’t put the business at risk. IT is about safety first, and deliver second.
The business shares many of these objectives. After all no business unit wants to do anything that puts the organization at risk, they don’t want to introduce a vector for data loss, nor do they want to increase the cost burden on their organization. What they do want to do is achieve their business aims as quickly, and easily, as possible. If we had to characterize them as a class, we’d say that the business unit is all about delivery first, and safety second.
Building a Bridge
So how would it look if we took these two groups – IT with it’s security first and delivery second approach – and the business unit, with its delivery first and security second approach, and gave them solutions that allowed both of them to meet their objectives, but in a way that also delivered the priority seen as most important to the group on the other side of the chasm. In other words, how do we enable IT to deliver solutions in an agile manner, happy in the knowledge that they are inherently secure? And how do we enable the business to choose inherently secure solutions, happy in the knowledge that they’ll be delivered in an agile way?
Of course the industry is partially to blame for the existence of this chasm between the two groups. Traditional vendors, those selling directly to IT, have been quick to articulate at great length and in no uncertain terms just how much of a threat this new generation of cloud tools poses to the organization. The traditional diet of fear, uncertainty and doubt has consisted of a million and one thinly veiled messages telling enterprise that by enabling business unit self-provisioning they open themselves up to mass risk.
And the new breed of vendors have also had some guilt to shoulder. Rather than encourage a positive relationship between IT and the business, they have been quick to pour scorn on IT’s very ability to deliver, its awareness of how social, mobile and cloud are fundamentally changing the needs the business has. These new vendors, in an effort to encourage the very rogue IT that corporate IT is worried about, have presented a black and white choice where businesses have little option but to acquire solutions by subterfuge in order to achieve their aims.
A Third Way
There is, however, light at the end of the tunnel. A new generation of vendors are coming on line who realize that in order to build viable and sustainable businesses they need to find a message and a delivery mechanism that allows both sides of the debate – IT and the business – to achieve its objectives without undermining the objectives of the other side. Vendors who realize that business self-service can happen in a way that is sympathetic to IT’s need for governance, security, visibility over cost and integration with legacy systems. Vendors who understand that IT-centric tools can also be built in such a way as to enable the business to gain a degree of autonomy over their day to day operations.
Some good examples exist – companies like enStratus are allowing enterprise IT to deliver their businesses a self-service portal to manage their cloud infrastructure. This is done with the buy-in and approval of IT, who are happy that their important requirements around governance and control are maintained. Cloudability are helping enterprises to gain insight into their overall cloud spend so that the financial and budgetary requirements of the organization can be met without reducing business units’ ability to self-determine. And here at Appsecute we’re creating a bridge whereby individual developers and teams of developers have the autonomy to use the tools that best suit their particular objectives, but to do so in a way that gives central IT visibility and audit control over what they’re doing.
The future has to be one in which the massive tensions that exist between IT and the business unit are resolved – companies that find ways to meet the needs of both sides of the divide help to move the discussion from one of risks, problems and barriers to one of rewards, benefits and outcomes.
The position of power tends to shift between IT and business decision-makers throughout the technology adoption cycle. The challenge to IT through cloud computing and BYOD are similar to the early PC days. And, yet, as you point out, there has been a tendency for vendors and IT departments to fall into the old patterns.
Marshall McLuhan suggested that technology would turn everything into a DIY world. We’ve seen this with consumer web where a touch of coding can go a long way.
My sense is that the pace of business change has been accelerating. More agile methodologies with protected infrastructure is needed in order to satisfy the business and still meet acceptable IT reliability, security, performance and quality objectives. Not necessary the “permanent beta”, but something more flexible to changing business conditions than what we see traditionally.
The trend is so very true and Ben brings the point very well. IT managers see urgent need of such tools such as Xervmon – where visibility into the Cloud Infra is tailored to upper management who make financial decisions while DevOps need to maintain the cloud servers and applications. Xervmon is Cloud Management and Spend Analytics product as SaaS offering used by more 100 customers worldwide.