An aggressive bank vice-president commissions an outside company to develop a PC banking application. The renegade programmers create a snazzy interface, terrific functionality and a security hole a mile wide. One morning, the CEO picks up the newspaper and reads that his bank's records have been hacked. His first call? To the CIO's office -- "You're fired!" The CIO protests: "I didn't even know this project was under way!" But it doesn't matter, does it? The CIO is liable for every use of technology at the bank.

IS organisations are losing control of information technology because technology is no longer just a way to automate back-office processes or collect data; it has become part of every company's product, from the initial design stage to customer service. The Internet and its corporate cousin, the intranet, put meaningful technology power directly in the hands of employees, customers and business partners.

CIOs cannot and should not try to prevent the move to wider access and the Internet. Locking up corporate data and thereby letting critical business projects languish in an endlessly growing queue won't be tolerated. So how can companies balance technology innovation and manage business risks?Forrester Research says large companies must establish a "technology democracy", a change through which IS will guide technology use but business managers will have strategic control. In some companies, the magnitude of that change will be akin to a totalitarian dictatorship becoming a modern 20th century democracy: government guides, but the citizens have ultimate control.

The key to creating a successful technology democracy is an open partnership between IS and senior management.

Partners in governance

Together, the CIO and CEO will agree to pass laws, protect the national interest and engage in public works to promote the general welfare. Those three mandates will take different forms depending on whether IS is empowering company employees or helping business managers connect with external parties -- customers, partners and technology vendors.

Only rule of law can set broad guidelines that identify the IS group's responsibility and where the business units have discretion. Business managers and IS policy makers must define clearly a set of boundaries within which corporate citizens -- that is, users -- have freedom to experiment.

National security is everyone's concern. The CIO cannot be 100 per cent responsible for security; data belongs to the business, and managers must have the freedom to use it within the range of tolerable business risks. Even so, IS must provide clear procedures for limiting security exposure when using the Internet and solid recovery mechanisms when intranet data is lost or systems are overwhelmed.

As far as public works, for companies to take advantage of the Internet, managers must supply specific infrastructure and services, including a Web-based information backbone, useful tools and a distributed security architecture. The availability of such a self-service environment means IS must also take on a greater role as teacher and consultant to the rest of the enterprise.

IT freedoms

In a technology democracy, the contract between a governing IS department and its citizens is based on providing employees with IT to tackle new opportunities and solve business problems on their own. That philosophy shifts the role of governance from control to facilitation.

For example, IS cannot test every intranet application and edit every Web page -- nor should it. So business managers must take on the responsibility of making sure their employees use the intranet in a professional manner, not posting highly sensitive, inappropriate or lewd content. The freedoms of democracy require a responsible, educated citizenry. IS can help executives encourage user creativity while limiting potential risks by establishing ground rules to govern intranet behaviour, putting some safeguards in place and providing some end-user training. An example of each of those roles follows:LAW Obey software-licensing laws.

The Internet is full of tempting, free applications, but many of them require users to click on a licensing agreement page. In a technology democracy, employees must take responsibility for complying with copyright and distribution regulations.

PROTECTION Provide an escape hatch. Inevitably, users will disable desktops with Internet downloads or kill hard drives with megabytes of multimedia content. They will try tools like CyberMedia's Oil Change and Tune Up.com's PC TuneUp, that find new drivers and updated software versions on the Internet and upgrade desktops automatically, thus mucking about with their PCs' configurations. IS should offer users a panic button -- a set of network scripts that flush corrupted hard drives and restore PCs to the standard corporate configuration.

EDUCATION Create an Internet community college. To use the new technology effectively, staff and managers alike will need help. IS should staff a learning centre that offers a curriculum for workgroup Webmasters and classes for administrative assistants. IS-trained product managers from the Internet college can act as consultants to help executives plan, budget, staff, implement and support complex intranetsystems.

Good neighbours

To encourage creativity, internal systems need to be as open as possible; but when dealing with the outside world, the technology democracy must maximise the value of external connections while minimising business risk.

Smart technology governance will accomplish that with strategies such as business contracts, technology tools and support specialists. For example, if intranet information about inventory levels was to appear suddenly on the Internet, there would be only limited damage to the business. But if business partners' pre-patent designs appeared, there would be legal repercussions.

Because IS cannot be held responsible for security breaches beyond its own corporate walls, the best safeguards to protect shared intellectual property are contractual.

To monitor Internet and intranet traffic, however, a technological strategy is available. IS should provide business units with toolkits, such as those from Sequel Systems or Network General, that identify visitors and flag unusual activity. Security Dynamics and VeriSign offer tools that allow users to issue tokens or certificates to validate a user's identity. IS needs to make sure business units know how to use those solutions.

A support organisation that maximises relationships with the outside world is the third pillar of the democratic technology's foreign policy. Partners and customers with questions about the Web request system or the intranet inventory link will call sales, manufacturing or customer service -- not IS. Service experts need to be able to forward technical queries to help desk gurus with the single push of a button.

No CIO can effect the transformation from IS department to technology democracy alone. Critical success factors from the business include corporate willingness to take on risk, a company-wide culture of professionalism and a commitment to technology skill building.

With a few successes driven by the new culture of facilitation under IS's belt, business managers with Internet and intranet requests, and wallets open wide, will come running to IS.

Who else can combine an understanding of the business with knowledge of available resources at a price no outsourcer can meet?Waverly Deutsch, a director at Forrester Research Inc, can be reached at wdeutsch@forrester.com. To read "The Technology Democracy," register on the Web at www.forrester.com/