How should CIOs deal with third-party cloud apps?

There has been a huge shift of power in corporations. CIOs are no longer in control of technology purchases, apart from those that are strategic infrastructure or core platform decisions. Instead, heads of departments are in the driver's seat.

How should CIOs and department heads cope with this change? They both have to tread carefully so that the CIOs don't stifle innovation and agility and the department heads don't allow systems to be compromised. First, I'll go into specifics about this sea change, and then I'll explain how you can deal with it effectively.

Gartner Market Guide for AIOps Platforms

The business is now in control: Here's the issue with that

In many cases, the CIO isn't able to be responsive enough in delivering the infrastructure and applications that employees feel they must have to be competitive. This raises a major issue for CIOs, who often have very little visibility into the usage of cloud apps inside their own organizations.

Business users today have strong views on what the UX should look like and what applications should be capable of doing. What the business user fails to appreciate is that many cloud apps are just a pretty face. These apps often have a narrow scope. They are not easily integrated into the corporate IT architecture. And they probably fall short of corporate IT infrastructure, compliance, and security standards. It's a huge cyberthreat.

Business users, oblivious to these issues, are now implementing cloud apps at scale and taking advantage of the freemium and trial-pricing models offered by cloud vendors. Their purchasing decisions are made based on short-term ROI and often a superficial view of the functionality. “Try before you buy” has become “Deploy, then buy.”

Little or no consideration is made by business users of how the apps will fit into the IT architecture, and there is no technical due diligence of the company behind the app. “We are running on AWS” is not a universal stamp of approval. It does not give any indication of the level of backup and disaster recovery support that the vendor has put in place. For some industries, data location is critically important. “It's in the cloud” is not an acceptable answer.

Business users are now in the driver's seat when it comes to adopting cloud technology. The immediate gratification of getting started within minutes of registering, intuitive functionality, and low pricing make it compelling. For all of this, business users are happy to make compromises, such as multiple log-ons and integration workarounds.

How should CIOs respond to apps under their radar?

CIOs recognize that they cannot stand as gatekeeper. With the cloud, it is too easy for business users to fly under IT’s radar and start using cloud apps without the permission, support, or knowledge of the CIO.

A public data breach used to be the CIO’s nightmare. But the shift to cloud computing driven by business users is actually worse. Having hundreds (or thousands) of unmanaged and undocumented apps in the cloud that are being used to deliver operational processes and modify core data exposes the company to security, regulatory, and reputational risks.

A REAL-LIFE EXAMPLE: A major multinational organization with 250,000 users in 100 countries has strong, central CIO control. This organization has four core global apps supporting the 30-plus business units. Recently the CIO confided that the pressure has built over the past two years and now he can’t hold back the tide of cloud apps. He estimates that there are now over 800 cloud apps delivering core operational capability, few of which have his sign-off and approval. This has dramatically changed his role and his relationship with the business units and the board. Where once he had control, he now must cajole.

'CIO' doesn't stand for 'Career Is Over' anymore

The standard joke used to be that "CIO" stood for “Career Is Over.” Then mobile was going to kill the CIO, and later big data was going to kill the CIO, and now the cloud is going to kill the CIO.

As Mark Twain said, “The reports of my death have been greatly exaggerated.” The CIO is not dead, despite widespread rumors. The “reinvented” CIO has a very different set of priorities and a profoundly new role split across four dimensions:

  • Creators of a new cultural outlook with aggressive possibilities, new products and services, and new capabilities
  • Evangelists for cloud computing and its transformative potential, social business, data-driven decision-making, and for digital-first thinking throughout the organization
  • Transformers of corporate culture as IT pivots from reactive responder to aggressive innovator; from “You’ll take what we give you” to “We’ll accelerate and enhance your initiatives”; and from analog, paper-based processes to digital workflows and collaborative approaches driven by data
  • Accelerators of product development, procurement, decision-making, and deployment of resources

CIOs are taking a more significant role in cloud purchasing

Innovative business units were the first to explore cloud apps, and now cloud apps are the first things businesses look at for solutions. CIOs are trying to take a more significant role in cloud purchasing decisions. More than 62 percent of enterprise respondents report that a majority of cloud purchase decisions are made by the CIO. So this is moving in the right direction.

Central IT and business units in the enterprise still have widely different views about the role that central IT should play. In 2015, 40 percent of business unit respondents agreed that central IT should act as the broker for cloud services, more than double the 18 percent that agreed in 2014. This is a huge shift, but it is not enough. Central IT also needs to come out of its silo.

How business units can use cloud apps transparently

The CIO is embracing the cloud for major core apps (Salesforce.com, Workday, etc.) and investing in cloud development environments. However, the issue still remains that huge numbers of small, unregulated cloud apps are being used for critical processes in organizations. This leaves the organization open to security, regulatory, and compliance risk. And while these narrow-scope apps give departments a tactical agility, their deployment can negatively impact overall organizational agility. So the CIO needs strategies to try to engage business users in a way that does not drive the use of cloud apps into stealth mode.

The solution to this problem comes from the most unlikely of places: the Italian kitchen and PASTA.

P: Policy. What is the corporate policy for cloud computing? Remember, “It is banned” and “IT is the cloud broker” are not acceptable answers. That will drive the cloud further underground. What types of applications can be in the cloud? Should you be providing cloud platforms such as Salesforce.com for users? What are the minimum validation criteria? Policy needs to be pragmatic if it is going to be adhered to.

A: Amnesty. You need to find out what business users are doing, but human nature means you will get nowhere if they believe that they will suffer in terms of their career or being prevented from using the app. The amnesty period needs to be less than a month to drive urgency, and it needs to very clearly and widely communicated. For example, after the amnesty end date, any use of the cloud app in question outside the policy should be a disciplinary issue.

S: Support. What can the CIO provide in terms of support in exchange for the information users give during the amnesty? IT needs to support them using their apps — no matter how flaky the CIO believes (or knows) the app to be. This will be very hard and require some self-control.

T: Technology evaluation. This is a full evaluation, both technical and commercial, of the cloud apps being used. Don’t underestimate how large a task this is based on the huge number of apps that are being used. This evaluation could be a great job for a set of interns, or it could be outsourced.

A: Adoption. Which apps will form your cloud architecture? There are probably some great apps that the business has discovered alongside the core app you have selected. The CIO will need to persuade the business users that migrating from their chosen application to the corporate standard is in the best interest of the business.  Then you need to work hard to drive up the adoption of the chosen apps. This is the new role of the CIO: building bridges and engaging the business.

How CIOs can get ahead of the curve

CIOs need to sprint to get ahead of the curve on the policy, amnesty, and support phases. Only then do CIOs have some level of control so that they can evaluate the true risk to the business. After that, the technology and adoption phases will take some time.

With or without the CIO's blessing, cloud apps will start to be deployed in companies of all sizes. This is an opportunity for the CIO to leverage cloud technology to build bridges with the business, reduce the backlog of business projects, and be perceived as more responsive. By following these steps, the CIO could look like a rock star in the eyes of the business user.

[ Upcoming Webinar (Oct. 23): Simplify Discovery and Change Management for Cloud and Container Environments ]