Fear and loathing in shadow IT

Rather than continuing to fight shadow IT, consider taking a reasoned approach to understanding and adopting services that provide a compelling business benefit.

A great point of consternation in the IT press is the perceived threat of "shadow IT." By the sound of it, one might think this involves James Bond types discussing the overthrow of governments behind your server racks, but it refers to technology that is brought into the company without IT's approval, and generally without IT's knowledge. CIOs are admonished to embark on a crusade to eliminate shadow IT and are told of the grave security threats it presents (and conveniently offered a raft of vendor "solutions" to deal with the problem).

While shadow IT may sound like a threat to be mitigated, this cat is not only out of the bag, but it's your new competition. In many cases, shadow IT is everything that corporate IT is not: it's easy to use, universally and conveniently accessible, and highly customizable, and it encourages rapid collaboration and knowledge sharing. In the simplest case, employees using "shadow IT" might copy documents to personal computers at home for editing and reading, preferring their large monitors, familiar and current software, or a favorite keyboard. On a grander scale, companies spend millions developing internal employee directories laden with corporate features, but employees turn to Facebook or LinkedIn to keep track of their internal peers. So how do you deal with shadow IT? Most companies take one of three approaches:

The Arms Race

Like it or not, shadow IT tools are now your competition, and most employees have no qualms about shopping "outside the wall" for an application or tool that will fit their legitimate business needs. A sales rep who frequently shares documents might employ Dropbox, or marketing may already be all over Twitter in violation of a universally ignored policy document. Home-based workers may have even abandoned the clunky, outdated laptop you issued and be working productively on a nonapproved, nonsecured, nonmanaged workstation. Oh, the humanity!

Some IT groups will attempt to develop competing tools internally, mandating their use and attempting to match their functionality in what becomes an unwinnable arms race of sorts. While I have worked with some amazing corporate IT teams, this approach is virtually impossible, even with an amazing team and copious budget. As users grow frustrated with the internal offerings, IT is often forced into the next approach.

The Great Wall

Many have heard of China's "Great Firewall," a series of technologies that keeps people inside China from visiting websites and services on the government's list of unsavory characters. Companies often take a similar approach in their attempts to combat shadow IT, locking down machines and blocking access to sites perceived as threatening. Unfortunately for IT, the dynamic is shifting such that unilateral decisions by IT to block services are no longer sacrosanct. Users are savvy enough to present compelling business cases that override IT's decision, despite howling cries about security, data integrity, and manageability. In short, the ability to get work done is trumping security and technical concerns that were once bulletproof.

This trend will only increase as the workforce grows increasingly tech-savvy, and this technique is likely not the best way to improve the image of an IT department that is already seen as incapable of providing valuable services. (Otherwise why would users be shopping "outside the walls"?)

Rational adoption

Those who have been around IT long enough may recall that the Internet was going to spell the end of the world as we knew it, with viruses, hackers, and lost productivity killing the modern corporation the moment an employee was connected. Even farther back, portable computers were going to lead to a raft of leaked corporate secrets, stolen intellectual property, and general chaos. We lived through both of those technology revolutions, and we'll likely live through a wholesale adoption of shadow IT. While the aforementioned changes certainly brought legitimate and quantifiable risks, most would agree the new capabilities afforded by connected, portable devices have far outweighed the risks.

Rather than continuing to fight shadow IT, consider taking a reasoned approach to understanding and adopting services that provide a compelling business benefit. Twitter, Facebook, and LinkedIn have become common inside companies and are even being used to complete legitimate and profitable work. Showing employees how to leverage these technologies and explaining the risks without resorting to unwieldy policy documents or treating employees like children will go far in making adoption relatively painless. Similarly, when IT is the go-to expert for knowledge and advice about these new tools, rather than the gatekeeper of the forbidden fruit, IT looks much more like a trusted partner and less like the "Internet police."

While attempting to compete with external tools and building walls to block them may seem like a natural reaction for CIOs concerned with security and other lurking evils in the world, taking a rational approach to looking at the business benefit provided by a tool, educating users in its use, and providing guidelines and assistance to minimize any risks is the smart approach. While Spy vs. Spy made for interesting childhood reading, playing "Spy vs. Spy" while lurking in the world of shadow IT is a battle that no CIO will ever win in the long term.


Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent ...
