Rogue IT also can present technology incompatibility problems. Cecere says he recently consulted for a global media corporation that had six rogue IT projects under way, each involving 10 to 30 people. The different divisions all had similar business needssales, marketing, procurement and so forthbut each rogue shop was devising its own technology solution. At this company, the integration of systems to track license fees and retail products was crucial to maintaining and reviving products' lifecycles, but the rogue shops made integration nearly impossible; data was chaotically distributed and stored in different projects hidden in different divisions. Cecere estimates it cost the company $1 million for each rogue system, but many times thatperhaps as much as five times moreto fix the problem with a successful, final integration. If that wasn't bad enough, "The rogue systems did not scale," Cecere says. "What they did was break, so add another few million dollars for repair and added maintenance."
Rogue IT also can cause a credibility gap between the CIO and the rest of the company. Cecere says rogue IT projects may fuel a perception that the corporate IT shop isn't good enough or fast enough to get the job done. Cecere recently consulted for a large finance company that had "at least two tiers of rogue shops" that gave lip service to corporate IT standards. "They were creating systems for business functions in the different units because they believed corporate IT was fiddling with silly things like architecture instead of helping run the business. 'To heck with standards, we have to get checks processed,' was the rogue shop's attitude," Cecere says.
Besides hurting cost control and credibility, ghost IT haunts security initiatives. Ever since Sept. 11, says CGE&Y's Smith, corporate executives have been "becoming more concerned with unauthorized IT projects not under the control or accountability of the CIO, and worry that they might pose a security threat to the entire organization."
Just in case you are sleeping too well, think about how rogue 802.11 wireless LAN projects can proliferate through the corporate sales force. Cheap and convenient, a shadow-IT project taken up by a sales team could broadcast your organization's most valuable data into the local Starbucks, an open door to road warriors and rival corporations. Still not convinced? Ask Best Buy Inc.last year, a customer stole transaction data from two of the electronics store's cash registers, taking a Wi-Fi card he had just bought inside to his car in the company's own parking lot, where he used it to crack into Best Buy's unsecured wireless LAN. Rogue IT projects often skirt around corporate best practices: In this case, a more secure VPN could have helped to keep predators out.
What to do? First, don't hide from the problem. Learn from it and start working to minimize ghost IT with new governance policies and strategies. Centralizing IT spending and security policies is one way to start. Good IT management these days, says Unisys CIO Carrow, involves "resource control. You can speed up or slow a project if you have control of your resources."
But when an organization gives discretionary funds to business units, such as sales or marketing, these groups can afford to end-run corporate IT. They might hire an outsourcer who feels no allegiance to any central IT governance, for example. Without a central IT governance group backed by senior business executives, expect business units to begin to commission independent IT projects. Putting an end to ghost IT demands strategic CIO leadership, says Gold, and a dialogue with business units seeking to go their own way, so as to help ease the risk of costly missteps later. In addition, CIOs who can negotiate for more power over the purse stringsas well as a seat at the executive tableare finding their efforts can help limit runaway projects.