How should IT address line of business users that build their own applications?

Home Forums Technology How should IT address line of business users that build their own applications?

This topic contains 32 replies, has 15 voices, and was last updated by  Peter Sperry 8 years, 11 months ago.

  • Author
  • #148168

    Steve Ressler

    Any suggestions on how IT should deal with business units that build their own applications (like a VS Basic or Sharepoint workflow app) themselves rather than go through CIO?

    Do people see this happening more with SaaS technologies?

  • #148232

    Peter Sperry

    Get out of their way and leave them alone. They are actually getting work done as compared to getting obgged down in over budget behind schedule development projects which accomplish little more than filling out an SF-53 or 300.

  • #148230


    We don’t want to always be the C-I-No, so it’s important to provide and be supportive of the self-help tools for our LOB owners. I believe a key part of our job is to ensure that our customers understand we’re here to support, guide, and help. Encourage transparency so we remain cognizant of the homegrowers out there and, when/if we see duplication, dive in and investigate any opportunity to expand and create an enterprise tool.

  • #148228

    Greg Walther

    Support them. Business users understand their needs and are addressing real problems. Central IT works best as a provider of standards, platforms and guidance, rather than as a preemptor of initiative. Most of the arguments against non-IT development come down to the cost and time of IT going in and taking over a project it did not start — basically, IT does not want the headache. But this is prioritizing the cost to IT over the value to the business. IT would do better to facilitate an environment where business could develop applications meeting common standards. IT could do this by providing training, frameworks and API’s.

  • #148226

    Neil McEvoy

    It’s the right dynamic to support for sure, but it’s the how that’s critically important.

    End user organizations that take to developing “mickey mouse” software will create a problem that they eventually come back to IT to fix. Think of all those MS Access databases littered everywhere. It’s easy to write software, it’s not easy to write scalable, enterprise-class software, and when it all goes wrong IT is left to bear the associated workload costs etc.

    Therefore your ideal balance is that the OCIO should proactively meet this need – They should identify the correct overall enterprise architecture & platform that empowers users to create the new process systems they need, but from a platform designed to do this on an enterprise-wide scale, so that it is also supportable.

  • #148224

    Glenn Batuyong

    Neil has it right. “Shadow systems” are a nightmare for IT, not only because it creates havoc among the team to allocate resources to processes never documented, but also because IT gets left with a bad reputation if they are perceived to be obstructive to adoption.

    What’s an enterprise technology group to do? The best approach would first involve understanding the organization’s technology portfolio from top to bottom. Once IT has a good grip of the capability of the tools it has on its official bench, then it should see what shadow systems and “mickey mouse” software are out in the field. If such systems are discovered among users, a collaborative dialogue should occur where IT and the usergroup can compare capabilities and deliverables of the enterprise version (if it exists) and the self-built solution.

    Many times, the frustration lies in usability problems or inflexibility of the enterprise application. Sometimes no such application exists to assist the user. In these cases, most users understand that tailoring some enterprise software to the groups’ needs is a time-consuming and expensive project. Shadow systems then appear because (1) they’re easily built, (2) they’re faster to deploy, and (3) easy to customize.

    Most agile IT groups are able to identify the sophisticated users of the bunch and work closely with them to synergize their workflow ideas with existing enterprise software or create connectors between the shadow system and the enterprise application (hopefully well-documented APIs exist). Creative and resources CIOs and their teams should also be able to spot best-of-breed off-the-shelf/SaaS systems similar to the users’ solutions and use those instead —those tend to have flexible UIs and a wealth of enterprise APIs.

    if If there is no resolution, the group’s issues may need to be taken to a higher level as these may be symptoms of a bigger workflow problem that is hindering productivity.

  • #148222

    Just a Guy.

    I think that the lack of focus on hardware within our current agencies is causing a fundamental lack of change.

    With the cloud, we don’t need hardware. We don’t need $20 million dollar licensed and supported software systems that really just break down when implemented agency-wide.

    We only need developers in this scenario. A server, just like any car, loses value the second we drive it off the lot. I have $700 DL380 G5’s in my basement that are 6 times more powerful than what I use in my current position at times.

    I currently have 3 servers in the cloud under my control. They cost me $9 a month. They provide database services for 3 different non-profit projects. Some of them are locked down by firewall, so that only they can get access, some by the nature of the system requirements are not.

    I can spin up more resources in a flash if necessary, and I can tear down servers in the same timeframe.

    Data Centers are safe in private industry. We generally contract out for our own security needs. At those data centers they keep those assets on site, and permanently hired.

    Why the hold up? Shadow systems are not the problem. It is use of budgetary resources that cause us to have our problems. Every new release of Oracle, every new release of this or that. We have people migrating databases that are working just fine. Why not just regard hardware as a service? With the kind of money our budgets could throw at it, we could get rid of these old servers.. broken platforms and just code. The discounts thrown our way would be immense. The owner of the resource then updates their platform, updates their services, and lowers their own cost as hardware becomes cheaper every year.

  • #148220

    Dennis Snyder

    The typical business line has multiple public-facing units. If one unit develops a tool they rarely consider the others. If the resulting logic or math is wrong or presents an incomplete picture, and it frequently does, then the LOB and CIO is left to do damage control. Its not like CIO’s have nothing to do but say “no”. Quite the contrary, CIO’s are empowered to say yes if the LOB can articulate its needs. The real problem is funding shortfalls and windfalls with short turnaround time that genetrate failed projects and inarticulate requests, and that’s what frustrates the public-facing units left to cope with managing their affairs alone.

    To answer your question IT and the LOB’s need to maintain a constant dialogue to help LOB’s express their needs, so when funding unexpectedly arrives the project only needs minor refinement, if any, and action can be taken. This can be done with RFI’s and regular meetings to maintain a current vision and strategy. Open communications are also helpful when funding is removed so the needs are clearly understood for UFR prioritization. Anyone who has taken a COTR class heard about effective communications on the first day.

  • #148218

    Faye Newsham

    I see this as a lack of communication, change management, and advertising.

    No one seems to know what IT is supposed to do, the average non-IT person assumes IT fixes stuff in either a heartbeat (because it is all mysteriously simple and they are hiding something) or in months and months at huge expense and problems (caused because IT has no idea how to do business – our way). IT, on the other hand, knows what their own budget for the year is and has already allocated most if not all of it to groups who have requested their assistance previously. The struggle begins with these groups to define what it is they do and what they want (do you map out every aspect of your job, with and without a tool? Few groups have their internal processes well documented and without individual hero knowledge). The Johnny-come-lately has already failed at least once, is under the gun, and still hasn’t defined what they want but are sure they are because now they are stuck on their own vision of their failed tool. Neither team fully understands the complexity and importance of the other.

    Communication is key. I would propose that IT begin an advertising campaign and effort to inform everyone they serve (in simple terms and clear fashions) what they can do, in what amount of time, and what to bring to the table to make that happen long before the planning and financing takes place. As the business use cases begin to be satisfied, continue change management by talking to folks prior to and during the annual funding and planning phases or even drum up business with teams that come with funding! Make sure that successes are shared with all the teams – how can this be extended or reused for my team?

    Assuring a team of experts that you can build a tool for them only with their skill and expertise can actually go a long way to assuring they put that effort into perspective. I’m all for agile and continuing IT but it is the clear communication that will allow it to happen. You’ll never satisfy a customer with a pretty tool that doesn’t make their jobs easier.

    We don’t want the users to feel like my mother does, that “all programmers belong on a choke chain.” Her experience was formed over years of working with IT teams who know they know databases and programming way better than she does… without realizing that as a Librarian she’s the best person there is to talk to about the actual data, what a real user is looking for on the front-end, and how to do the data entry – what really works. They continued to build beautiful but useless databases that didn’t do what her team needed. A continuing failure of communication on both her part and theirs’. She was unable to adapt her thoughts to IT-speak and they were dismissive of her expertise. Both assumed the other was either intentionally recalcitrant or simple incapable. Neither was right.

    Don’t let past experience or current problems color what you do right now. Sit down and think about how to communicate your needs better. What are you trying to do, who is best positioned to help? The answer is most likely your OCIO IT group. They in turn should be focusing on how to get the needs you are thinking about on paper and into a plan and a functional tool to make your job easier.

  • #148216

    David Kuehn

    Does anyone have experience with this question in a research environment? Much of the coding work is built on MATLAB as part of the research process to test hypotheses, collect data, or provide a proof of concept. It is not intended to scale to other organizational units and would need to be reworked on other platforms if the research suggest an application that could develop and become commercialized or broadly adopted. In some cases the coding is for specific labortory instruments so has no enterprise application though it could be of benefit to other laboratories with the same equipment conducting simular research.

  • #148214

    Steve Ressler

    Good answer from @chrisj_moore CIO, City of Edmonton

    it’s a new world Steve we r building a strong EA plan and also making room for built and bought apps – all can live 2gether

  • #148212

    Arijit Das

    At the Naval Postgraduate School, all MATLAB code developed by researchers is self maintained. Our IT group has no support for this.

  • #148210

    Arijit Das

    There are 2 sides —

    If one builds customs apps then it is assumed that they will maintain it without help from the IT folks.

    IT folks cannot always support every application as they may not have the experts on board, and with budget issues, it is more unlikely than likely.

    At our institution researchers have gone the custom route and the IT folks have taken their time to catch up.

  • #148208

    Alan Barta

    IT should do all that they can to support these users! The more that IT can assist them with rapidly building secure applications that meet their business needs the better. It would especially be helpful if IT would provide users with the platforms and developer tools needed for this to occur.

  • #148206

    Steve Ressler

    Great answer from Casey Coleman on Twitter – Longer than a tweet, but with PaaS, seems like business users & IT can partner on apps–IT maintains the platform, app standards..

  • #148204

    Steve Ressler

    Agree on the communication and advertising. As a support agency, OCIO (much like CHCO offices) need to advertise their services and communicate their value or business units will try to make an end round and go on their own

  • #148202

    Arijit Das

    Cloud is a great idea but sometimes DOD/GOV security issues have to be taken into account.

    Here is an interesting article on this —

  • #148200

    Just a Guy.

    It was the FBI, that was mentioned in the article. Which is DOJ.

    Also, it wasn’t any real issue other than the fact that Google had employees in Europe and EU law conflicted with US in the mandate for document signing by company staff. So Google couldn’t promise that an EU employee would sign the documents required or that it would be legally enforce-able within the EU.

    The real issue is that the FBI and numerous other organizations don’t build documents for their requirements that work in a globalized workforce. Frankly, all this tells me is that by yet another spectrum, government will be locked down into their own worlds and not adapt to future technologies purely because there is no money involved in their work. Companies are motivated by profits. If the CEO gets less money because some employee didn’t bother with due diligence, they axe the employee and get a go-getter. That’s the nature of the beast.

    In the way of contrast, our executives serve two year terms, make initiatives, and by the time groups get towards moving in on completing them, a new executive moves in. So the executive gets to mark down that they “started a bold new initiative”, but there is no real follow through, and the next guy might tack in a new direction depending on what industry the new executive was in previously.

    Without ownership on IT’s side, and their executives (longer than 2 year terms), which is what the original post was about (which I totally diverged from), there is no movement. Which is fine. I got my side projects for non-profits.

  • #148198

    Arijit Das

    I was trying to make this a case for broader GOV entities not just DOJ. What the LAPD/FBI observed is what we experience daily when we run DOD wide systems and also trying to be IA compliant.

    In addition we have classified networks and it’s own restrictions. It not a question of money or profits, it is a matter of national security and protecting our infrastructure.

    Private companies do not have these restrictions, atleast not that constrained. To quote another article, which shows how companies are so very globlal that they shift their cost structure to take advantage of tax laws world wide. This is not the GOV model of IT.

  • #148196

    Julie Chase

    Hello <meekly entering the room>. I, am the end user. I use and maintain a large Access database on shared drive with my organization. If anything happened to that database, we would be “toast”. Our local IT is aware of it. They don’t seem to be concerned about it. I used to back it up on a thumb drive every night, until DoD, banned thumb drives. I have a 1 TB external hard drive (which took mountains of paperwork and time to purchase) and I back it up on that. Do I have a problem with our local installation IT? No, not at all. They are as dumbfounded as I.

    These are the problems we are having:

    * we would like to go wireless, we were told NO, for security reasons

    * we “need” to go wireless as the software we use is headed in that direction, we were told too bad, NO

    I am not sure what you all mean by “shadow software” other than I think it means that organizations are buying software and putting on their machines (which we are not allowed to do) and when something goes awry, call IT and they have no idea what you are talking about.

    As and end user, my dream, my wish is:

    * a streamlined way to purchase, download and apply software needed for my organization without a mountain of paperwork and the approval of 20 people I do not know and know nothing about my organization or it’s mission

    * I would like to purchase hardware that doesn’t take 6 months to a year to get into my hands

    * I would like the paranoia of wireless applications to decrease dramatically especially if it has NOTHING to do with “classified” whatever

    * I would like a team approach with our local IT as we have with our Comptroller and Contracting Dept. A team is assigned to work with “our organization” and “knows” all about what we do, what we need and how to help us get there

    Is that so much to ask?

  • #148194

    Daniel Risacher

    I believe Enterprise IT should cherish these applications, and the people who build them. It is too easy for people in OCIO (or whatever you call it where you are) to forget the reason that IT exists – which is to support the business and operations.

    We don’t have computers and networks for their own sake. We have them because they are tools to help us accomplish whatever it is we do – fight wars, enforce law, care for veterans, educate, build roads, educate, etc. The reason there is a computer on your desk is based on a fundamental premise: that better information leads to better decisions, and better decisions lead to better outcomes. Too often IT folks forget this at their peril – and become the proverbial “self-licking ice-cream cone.” Putting a computer on someone’s desk is pointless if you then lock it down until it’s little more than a typewriter, calendar, and calculator.

    I believe this is a long term trend; as IT becomes more ubiquitous, the line between “user” and “developer” and “IT professional” becomes less meaningful. Someday soon, we will all be developers.

    Steve cross-posted this to the Open Source Software (OSS) group. OSS exists as a proven, collaborative model where anyone with talent can contribute to the creation of solutions in a generally merit-based way, which I offer as evidence that this trend is real.

    “Enterprise IT” needs to figure out how to collaborate with it’s customers to be effective. “Home Grown” apps are where business value comes from.

  • #148192

    Greg Walther

    This is a great answer all around. I would strongly second the point about how someday soon we will all be developers. Business users are already by necessity specialists in information management. The irony is that too often they are forbidden to use precisely the information management tools that would allow them to do their jobs efficiently. If you want to see productivity jump, train selected business users to use a basic scripting language. There is a whole class of business requirements involving the need to extract and filter data which is invisible to IT. These needs are ubiquitous and continuous — you cannot separate them into distinct projects. They quite frequently are also short-term — for example, a need to efficiently track a two week project. Central IT will never be able to address these types of projects — it does not have the resources to be everywhere at once and the cost of translating the requirements from business terms to IT terms for each of the multitude of tasks is not viable. The only “developers” who will ever be in a position to address these needs are the business users themselves. As a business user, I consider coding to be as basic a job skill as writing. If we cling to the notion that all programming is the preserve of a privileged group of people, as opposed to a basic, necessary tool to do our jobs, we will continue to see mounting costs and an inability to meet agency goals in an efficient manner.

  • #148190

    Neil McEvoy

    Hi Julie

    I do think out of this group of threads yours is the most finger on the pulse.

    Shadow software simply means that the organization has applications somewhere in there that they don’t ‘officially’ account for, ie. IT doesn’t recognize them, so they provide no support.

    It’s a specifically named topic because it’s so dangerous, for the huge alarm bell reason in the middle of your own situation description – “If anything happened to that database, we would be “toast”. Ie. you currently are in an agency who has mission-critical apps on fragile software with no support. That should be a red flag – Somewhere!

    So while I think every one sympathizes with you, and agrees IT should empower you with tools that are the modernized, Cloud equivalent of MS Access, I also agree there is a need to modernize the whole bureaucracy as that’s the rool root issue you also describe.

    The right investments in the right technologies, especially those around Cloud/PaaS (Platform as a Service) are key as they address the automation (reduce server orders from 6 months to 10 mins) as well as the common apps that users need (eg ‘MS Access in the Cloud’ kinda thing).

    Cheers, Neil.

  • #148188

    Steve Ressler

    Really good discussion on the CIO Forum about this same question and “Shadow IT”

    Is ‘Shadow IT’ a good thing for the organization?

    Shadow IT: “IT that wasn’t sanctioned by your IT department” Control is a big part of a typical IT strategy … but is it the right one? Yes, cloud is allowing many LOB execs to buy IT solutions outside of typical channels … often creating significant problems re: information security, data management and contracts. But it also is creating the oft talked about, but typically elusive IT agility. (note: ‘Shadow IT’ definition from Terence Ngai on Enterprise CIO Forum –

    Key questions:
    1.) Is ‘Shadow IT’ a good thing for the organization?
    2.) How are you channeling ‘Shadow IT’, say using the cloud or other technology?

  • #148186

    Steve Ressler

    I like Neil and Julie’s point which shows the issue with “shadow IT”. As a business owner who depends on that Access database, it is scary to trust that IT will really deliver a better solution in the time you need it. If there is confidence that was the case, there wouldn’t be an issue shutting it down. And Neil’s point is exactly right – the reason it should be replaced is if your office is completely depending on it and it’s not set up correctly one day you can walk in and it’s completely dead (or the main person leaves and you don’t know how to keep it up)

    In ideal world, you’d have a CIO you trust who could set you up with a newer version in parallel and one day walk in and say “here’s your new replacement” – kind of like trading in your car where there’s not a lag between cars

  • #148184

    Jerry Rhoads

    There needs to be a balance to mission needs and the CIO’s needs. These “shadow” systems fill a void and it was filled by the end-user rather than the CIO. There are many reasons for a end-user developed solution — usually the CIO’s budgets and available IT resources.

    Depending on the app and the type of data, stick it in the cloud. Slam dunk right? Well….not so fast, some data cannot live in the cloud and must exist internally. When it comes to the security of all the internal systems, the CIO is ultimately responsible –no matter who builds and operates the system (think FISMA scorecard)!

    So my two cents are: build a secure platform for end-users to develop on. Sharepoint, LAMP stacks, and Websphere come to mind. Provide them with some basic “rules the road” and let them build. It may not be a perfect fit with your SDLC, but at best it is secure.


  • #148182

    Steve Ressler

    Great answer from the discussion on our Linkedin Govloop group:

    My take on this issue would be that it really depends on who is responsible for the ongoing care and feeding of the application and it’s operating environment (ie: Sharepoint, VS Basic, …). I am going on the premise here that the operating environment is corporate ….

    I believe that I/T should notify the business unit that their application may or may not survive operating environment upgrade and maintenance activities and that they should be prepared to allot additional development or maintenance resources in support of their application.

    The bottom line for me is that I/T is a corporate resource for, at minimum, stable and agile computing platforms. The other pertinent given is that business units expect these platforms to be in place for them to run their applications. The co-dependencies between applications and their operating environments must be managed at a corporate level and anything that threatens the established balance MUST be very closely managed. There’s nothing like finding those mission critical applications that break only because they were not maintained during their operational life !!

  • #148180

    Julie Chase

    Thank you Neil and Gov Loop guy. You talk “to me” not at me. I rec’d the database when a former employee retired over 10 yrs ago. I didn’t know Access from Adams housecat, much less “how” to use it. Once I “learned” (on my own) how to enter the data, I wanted to know “how” it was built like it was. I went to an Access class at my installation to learn Access 2003 (we have 2007 now). Talk about Greek, I was lost. Our organization uses this database to record inventory (only for OUR organization). There were many discussions about utilizing Share Point for storage vs. a local shared “drive” (not on the NMCI or NGen network). In their infinate wisdom, Uncle Sams Misguided Children HQ computer gurus did not want Share Point clogged with things such as our database, which we are “required” to keep according to regulation/publication/directive XXXX 5, subpart 2, section 5 para. 10a. Everyone in the office has access to it, in case I get hit by a bus or something, but they don’t enter anything into it or pull reports out of it.

    I read about the Android’s (on NextGov) now albe to share/transmit gov data in DC, but here, we ask for wireless needed for our mission and we are told NO “security reasons”, and as for the “Cloud”, DoD is very wary of putting anything in/on the Cloud. Our organization doesn’t have “classified” computers or data, so I don’t see what the big deal is. Our software vendors are baffled and the “purchasing” people are aghast at “buying” software online and “downloading” it.

    I thought, “well, how about this, we transfer funds to IT, IT buys and downloads the software and gives us back the laptop. Oh NO, not happening. We have to “research” this, form a “committee” have a few meetings, talk to IA…….nah, just forget it, I don’t want to wait two years to get it done only find the software is now outdated. (and yes, that actually happened to us)

  • #148178

    Neil McEvoy

    sure Julie, you’re the human face to what is an intellectually interesting debate on a broader level. I went through the personal pains of MS Access maaany years ago but I can still sympathize! 🙂

    I’d say it’s a popular topic because it’s that curious paradox situation, a conundrum where you try and balance the opposing tensions of centralization for control vs decentralization for scalability and customization. The core tensions of politics at the core…

    In other words how could a central IT dept empower you, rather than try and control your behaviours, and what is the technology platform to make that possible… (it’s Cloud).

    Then as you also mentioned the other big issue that is due to culture is the bureaucracy – Taking 6 months to order servers, and as I have also experienced, this ‘funeral death march’ procedure they call the dreaded RFP procurement….

    The next big inflection point in IT will be the emergence of Cloud marketplaces, with automated ordering tools etc., so this last part will be tackled through this trend. As they learn of needs like yours then you’ll also see a faster responsiveness in new product innovations, eg ‘Access Backup for the Cloud’ or something…

    I do think Vivek Kundra’s Cloud First initiative fired the starting pistol and the wave will catch up with you guys soon too!


  • #148176

    Steve Ressler

    Good answer from Mark Forman, former US CIO

    Mark Formanthis requires leadership from OMB or the CIO Council working with the Dep Secs (aka the President’s Mgmt Council). We seem to have gone back to the future here with the Future First shared services initiatives relearning the E-gov/Lines of Business consolidations. It takes lots of aligned people working as a team with a good conops independent of agency parochialism, support (or at least willingness to cooperate from the Appropriators), a viable solution (based on a solid business case analysis), and people running it who understand data and technology migration. That’s a heavy lift in any environment. Is it cross-agency consolidation doable in today’s budget climate that is driving strong parochial defense of program budgets? Do you think the Appropriators will buy-in? Will the PMC? Will the Whitehouse exert business transformation leadershipship here?

  • #148174

    Peter Sperry

    If you beleive that IT exists to support business activities and the role of the CIO is to enhance end users ability to get work done using IT tools, thn the CIO should be as supportive of “shadow IT” including staying out of the way of user IT development as long as much as possible. If you beleive, as many ofIT people seem to, that business activities exist to justify the need for IT and the role of end users is primarily to implement the CIO’s “vision”; than shadow IT is a threat which must be strictly controlled when it is tolerated at all.

  • #148172

    Steve Ressler

    My buddy a federal CTO sent me this note:

    With SaaS products/tools, at least BUs are using prebuilt commercial products that are better than rearchitecting some crappy custom solution. One conversation topic I would kick out is the whole notion of control. Why does a sub department or a small office entity need control? It’s likely due to relevance or maintaining their domain. People want to feel like they own something and the result of that is crappy, singular custom solutions.

  • #148170

    Peter Sperry

    In my experience, shadow software more often reflects a lack of responsiveness from the OIT shop than a desire for control. I was in a meeting about a year ago where a very senior career executive described a web tool her group had developed to track and organize their work. She told the group that one of her junior staffers had developed and tested the tool in just under three months. We all expressed astonishment they had been able to get a new system through the vision, architecture, needs analysis, comparative analysis, tech analysis, vision refresh etc, etc that typically drag out development projects and not uncommonly take 3 to 5 years to complete. She immediately became very emphatic that “It’s a tool not a system! It may be written in HTML code and reside on one of the division’s servers but it is NOT an IT system!” We all laughed in sympathy and asked if the organizations CIO shared her judgement. To which she replied “OIT doesn’t need to know about every tool we use, only the systems.” Personally, I like her style. It is one of the reasons her group is so successful.

You must be logged in to reply to this topic.