
Fear and loathing in shadow IT

Rather than continuing to fight shadow IT, consider taking a reasoned approach to understanding and adopting services that provide a compelling business benefit.

A great point of consternation in the IT press is the perceived threat of "shadow IT." By the sound of it, one might think this involves James Bond types discussing the overthrow of governments behind your server racks, but it refers to technology that is brought into the company without IT's approval, and generally without IT's knowledge. CIOs are admonished to embark on a crusade to eliminate shadow IT and are told of the grave security threats it presents (and conveniently offered a raft of vendor "solutions" to deal with the problem).

While shadow IT may sound like a threat to be mitigated, this cat is not only out of the bag, but it's your new competition. In many cases, shadow IT is everything that corporate IT is not: it's easy to use, universally and conveniently accessible, and highly customizable, and it encourages rapid collaboration and knowledge sharing. In the simplest case, employees using "shadow IT" might copy documents to personal computers at home for editing and reading, preferring their large monitors, familiar and current software, or a favorite keyboard. On a grander scale, companies spend millions developing internal employee directories laden with corporate features, but employees turn to Facebook or LinkedIn to keep track of their internal peers. So how do you deal with shadow IT? Most companies take one of three approaches:

The Arms Race

Like it or not, shadow IT tools are now your competition, and most employees have no qualms about shopping "outside the wall" for an application or tool that will fit their legitimate business needs. A sales rep who frequently shares documents might employ Dropbox, or marketing may already be all over Twitter in violation of a universally ignored policy document. Home-based workers may have even abandoned the clunky, outdated laptop you issued and be working productively on a nonapproved, nonsecured, nonmanaged workstation. Oh, the humanity!

Some IT groups will attempt to develop competing tools internally, mandating their use and trying to match the external tools' functionality in what becomes an unwinnable arms race. I have worked with some amazing corporate IT teams, but this approach is virtually impossible even with such a team and a copious budget. As users grow frustrated with the internal offerings, IT is often forced into the next approach.

The Great Wall

Many have heard of China's "Great Firewall," a series of technologies that keeps people inside China from visiting websites and services on the government's list of unsavory characters. Companies often take a similar approach in their attempts to combat shadow IT, locking down machines and blocking access to sites perceived as threatening. Unfortunately for IT, the dynamic is shifting such that unilateral decisions by IT to block services are no longer sacrosanct. Users are savvy enough to present compelling business cases that override IT's decision, despite howling cries about security, data integrity, and manageability. In short, the ability to get work done is trumping security and technical concerns that were once bulletproof.

This trend will only increase as the workforce grows increasingly tech-savvy, and this technique is likely not the best way to improve the image of an IT department that is already seen as incapable of providing valuable services. (Otherwise why would users be shopping "outside the walls"?)

Rational adoption

Those who have been around IT long enough may recall that the Internet was going to spell the end of the world as we knew it, with viruses, hackers, and lost productivity killing the modern corporation the moment an employee was connected. Even farther back, portable computers were going to lead to a raft of leaked corporate secrets, stolen intellectual property, and general chaos. We lived through both of those technology revolutions, and we'll likely live through a wholesale adoption of shadow IT. While the aforementioned changes certainly brought legitimate and quantifiable risks, most would agree the new capabilities afforded by connected, portable devices have far outweighed the risks.

Rather than continuing to fight shadow IT, consider taking a reasoned approach to understanding and adopting services that provide a compelling business benefit. Twitter, Facebook, and LinkedIn have become common inside companies and are even being used to complete legitimate and profitable work. Showing employees how to leverage these technologies and explaining the risks without resorting to unwieldy policy documents or treating employees like children will go far in making adoption relatively painless. Similarly, when IT is the go-to expert for knowledge and advice about these new tools, rather than the gatekeeper of the forbidden fruit, IT looks much more like a trusted partner and less like the "Internet police."

While attempting to compete with external tools and building walls to block them may seem like a natural reaction for CIOs concerned with security and other lurking evils in the world, taking a rational approach to looking at the business benefit provided by a tool, educating users in its use, and providing guidelines and assistance to minimize any risks is the smart approach. While Spy vs. Spy made for interesting childhood reading, playing "Spy vs. Spy" while lurking in the world of shadow IT is a battle that no CIO will ever win in the long term.

About

Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent ...

18 comments
jgm

I used to report to a director of a billion-dollar U.S. company who reported to a VP who was also CIO. Our existing internal software was so bad it seems my boss was hiring "shadow" employees with programming experience. I was a supply chain analyst who'd started out as a programmer. When I had an idea for a software improvement, he suggested I develop the software in secret and have its paper output mirror the original's - down to the mistakes I'd found - so IT wouldn't know we'd replaced it. I refused to produce software with bugs, despite his giving me a list of excuses I could use if found out. Other employees had Access development experience, and when they needed to ask IT people questions they were told "ask very general questions about very specific areas" to avoid raising suspicion. I was told he even raised a hand and said "Shh! Shh!" in a meeting that involved one of the stealth employees and IT. Apparently no software development, even Access, was supposed to be done without IT's hand in the pot - and they refused to give employees better than Access 97 in 2005. Whenever users wanted anything they were told "No, we don't support that" by IT - even if the Director ok'd the purchase. When I worked in support, what we had to support was whatever the employees used - not the other way around. I quit after six months because it had gotten to the point some of us shadow employees were greeting each other with secret handshakes and "The raven flies at midnight" to express our frustration. :-) I remember the CIO objecting to an idea I had because having shipping document data saved on an individual user's PC (despite their having access to it and passwords employed for both the PC and the database) would be compromising security. I didn't want to embarrass him by pointing out that the user looks up bills of lading on shipper websites all day, and the scanned JPGs are all being cached by IE on her hard drive so it's all there anyway.
In addition, without going into the whys, the existing software prints out many bills of lading we don't need hard copies for and they get dumped into the recycle bin. Since we're not allowed post-it notes (!!!) everyone on the floor makes their own from paper in the recycle bin, and it's also used as scrap paper by visitors in meetings, so just about anyone has access to the data. Sigh. And the CIO and my boss were getting paid nice 6-digit salaries and at least one of them had an MBA.... and I wasn't allowed to change my windows task bar to "auto hide" for "security reasons".... :-( IMHO security is great EXCEPT when it reaches the point of diminishing productivity. At that point, security is hurting the company and costing it money, which is what it is supposed to prevent. No doctor would prescribe medicine with more harmful side effects than the illness and that's what IT needs to keep in mind as well.

mohillic

Thanks for the read, really puts things in perspective.

nigel.rider

The drift of users into the shadow zone is clear enough, but let's not forget that the trendy hardware and apparently "free" SAAS options are subject to arbitrary shifts in fashion as well as to unilateral financial and functional changes by suppliers. Some data is genuinely corporate and should be maintained indefinitely for approved access, some data is genuinely secret and must be protected and all data deserves to be archived for recall in the long term. Corporations do not police their own regulations properly, nor do they define practical regulations which reflect the real value of data. The lack of comprehension in senior management offices is par for the course - this is no reason for professional IT implementors to throw in the towel.

Neeva

In my opinion this is not a topic that has a simple solution. Different environments have different variables to contend with. In our situation, Healthcare, we are under a great deal of outside regulation with significant monetary and civil penalties including possible jail time. I imagine a few of you have similar concerns. While I like to consider myself someone that truly tries to understand the user's needs and provide them with the best technology solution available and affordable I often find myself at odds with these regulatory agencies. A patient's data is absolutely sacrosanct. This is not just an opinion of the organization but a directive handed down from the government. So, therefore, I am required to take every reasonable measure to ensure its protection. The difficulty is less what technology to throw at the problem of protecting it but how to determine how a potential government auditor might define "reasonable". The regulations are not always very clear and the organization is left to determine what it thinks is best. This tends to create a situation where we feel compelled to lock everything up very tightly. Personally, I try to explore new technologies and discuss them with users. I make an effort to stay "connected" with our users and see if things we deployed are actually working. I also seek their input into what new technologies to consider deploying in the future. Unfortunately, all too often, I find that even though I agree some new technology is really something that would streamline a particular process I cannot implement it because it comes too close to not meeting the regulations of some outside agency. I'm not sure how to solve this situation of "shadow IT" but I do know that there is more involved than some draconian IT department and its policies. Originally posted in the wrong location. Sorry.

Neon Samurai

I've more often seen Shadow IT referring to techy staff not employed by the IT department; usually the most tech savvy in the department getting all the "how do I" questions. In my own case, if it could be fixed without admin credentials; I fixed it. If it needed admin login, I sent the staffer to the helpdesk phone number. In this case, real IT would take too long to respond, wouldn't understand the question or simply identified it as a NOP issue (not our problem). It was an enterprise sized company so these are expected outcomes from a helpdesk call. Now from the other side of it as an admin, I'm looking for Shadow IT staff; those who are savvy enough to help others yet know when to come ask questions before breaking stuff.

jhinkle

A few thoughts on the idea of "Shadow IT". 1) Most employees don't know anything about computers. The ones who usually do are stopped from doing anything because they break everything they touch. I very rarely see users who are competent enough to make their own decisions on what they should be using. The ones who are competent are allowed to use what they wish so long as they notify IT about it. 2) I don't mind employees using Facebook. What I do mind is our Accounts Payable department getting the koobface virus and going through a series of angry meetings having to explain to the Board that her computer was hijacked and that's the reason we had to shut everything down, contact the bank, and change our passwords and security measures. I understand that employees want to mingle, that's what bars are for though, not work. 3) It's perfectly fine for users to have VPN installed on their home PCs to work from home. If they don't want company issued equipment that's their decision. But every time they call up and their computer doesn't work right I lock them out of the system and won't let them back in until it's been fixed, then brought to me for verification that it doesn't have anything on it. If they don't like it then they can use company equipment under company regulations. Despite what you think about IT it's not a democracy for the employees. Their ability to use the system is a privilege, not a right. 4) When you say Tech Savvy you're referring to a group of people who think shiny things are cool and have no understanding of how the technology actually works. Ask one of your tech savvy users how Wi-Fi works and I doubt a single person will be able to explain how packet headers, half duplex systems, and electromagnetic waves actually function. Just because someone knows a little bit more about clicking the right sequence of buttons doesn't mean they really know anything.
5) Taking the time to check and verify if software is useful for the business is always a good thing. If someone recommends software for whatever reason I see no reason to refuse them without checking it out first. Keeping a closed mind is never good, but you still can't forget that ultimately you're the one in charge and the users do what they're told. Not the other way around. For my final thought the idea of Shadow IT is like any other IT marketing term (think Cloud Computing). It's a bunch of BS to try and sell more useless products. In the world of IT, especially in a business, things are not a democracy. If users want to complain about the software that's been chosen for them they have the right to quit their job and go somewhere else. This isn't a democracy, especially not for the uninformed user. If you don't think that's right then ask yourself about the videos from the 2008 election of people on a beach screaming "Obama's cute, we're voting for him".

Dyalect

Main concern is privacy and security. Once you hit the cloud any company information / data becomes a concern.

Peter4499

I think too many IT departments forget that they're a corporate support service. I've worked with and for some of the best IT Teams; I've also worked with some of the worst ones that were more interested in their sense of control than in the best interest of the company and the employee. A user working from home on weekends or evenings is NOT a privilege to the employee, it's a privilege to the company. Most managers do this in order to keep up with work. How is working from home plus Monday to Friday their privilege? Do you consider it a privilege that you can connect from home?

Neon Samurai

In my thinking, a "tech savvy" user who can't explain the basic safe management of wifi and why, or similar displays of knowledge, is not tech savvy. "Tech savvy" also suggests an understanding of managing systems without breaking them. I don't think one has to enter into a discussion on radiology to be savvy. If the user understands the router settings, security options and safe management; they are savvy. If the user discusses wave propagation, frames and packets, effects of antenna shape and direction; they are probably into the expert range - a certified wireless network tech or licensed HAM perhaps?

info

...with #'s 1 and 4. How many times has a 'tech-savvy' employee attempted to 'fix' something in good faith, only to run out on the user after making things worse saying, "Call the IT guy," as they're on the way out the door? ;) We try to see things in the 'not a democracy' light, but it sounds like you're reasonably fair. Many IT department heads aren't, to the point that productivity and profits plummet because 'policy is more important than productivity'. With the recession, and the fact that a lot of business don't make armloads of money by just existing anymore, that outlook is changing a bit. I'm a one-man IT department for a fair-sized company where the users have way more say and power than I do. I just go with it. Things can go really well when you trust and help the employees. If things go south (someone steals data, etc.) then I'm on record on it not being my decision. ;)

MyopicOne

How about instead of Shadow IT Apps and systems, shadow IT departments. I've not only seen it work badly and seen it work well, I even joined the dark side myself and am currently providing software and technology support for two small departments within a company. Why, you ask? Because in a nutshell IT and IT's Corporate Management is predominantly clueless about the amount of work their departments are doing, how they are doing it, and the work they should be doing. Because IT and Corporate Management is even more clueless about what the end users NEED to do their jobs, much less WANT. So it should come as no surprise that the users move around the seemingly arbitrary obstacles placed by IT. Hint for IT Management, 'good enough' from your perspective may really not be 'good enough'...

Jasonjb1222

But is anyone reading through all those logs??!! I have seen locked down machines, to the point of physical locks on the outside of workstations not allowing you to open one. Add on top of that, complete USB, Firewire, Bluetooth, etc. lockdown, via software. For the occasional one, where USB is tolerated, logging software to monitor everything being copied. You go a step further by having logging proxies and firewalls in place to instill the fear of g-d about leaking corporate data onto the web. Finally, everyone pats themselves on the back and thinks all is locked down. A few months go by and you get slapped with a Lawsuit for leaking proprietary information, because you forgot, with all your efforts, Gmail or Hotmail was configured in Outlook clients, not being watched and data was leaking out anyway... What is it going to take to get people to understand? I want to work on this project at home, but evil IT won't let me... So I will jeopardize the jobs of a few hundred people, because MY keyboard at home is better than the one at the office...

Tony Hopkinson

I wouldn't call working from home a privilege either, doing it in a way that risks the overall business is ignorant or stupid though. IT cannot meet its responsibilities if someone can take down the entire system. One of us meeting our deadline might be critical to us, our son downloading a BritneySpearsNaked.exe on the same PC, could easily make our efforts irrelevant.....

Cmd_Line_Dino

Radiology is a medical specialty that employs the use of imaging to both diagnose and treat disease visualized within the human body.

maclovin

I find that it's the direct superiors to these individuals that define WHAT they should have access to, and provide that list to IT in turn. So, this is a two sided issue, actually, nah, it's the fault of BUSINESS unit's management to not provide the proper list of tools NEEDED to perform a job function as EFFICIENTLY as possible. The problem isn't access, it's efficiency of the individual, and if they have access to things they don't NEED, then they spend time playing around on things they really don't....well....NEED to be playing around with. Simple Solution: DEFINE what your employee needs...and they will be given access to it. Why would an Accountant NEED access to Facebook to perform his/her job? Why would an "Office Manager" NEED it? Give me 5 concrete, PRACTICAL EXAMPLES, and I'll get off the case of Facebook in the workplace.

info

It's a similar thing with work-hours. People over-reach or go beyond the 'corporate-approved' boundaries to get things done, and it works! Since things are working, nothing appears wrong to management, so no changes are mandated. Indeed, some cutbacks might be planned to try to 'milk more out of the system'. Sometimes you have to adhere to policies and report failures and such up the chain. When they SEE the problem in a report (operational or, better yet, financial), THAT'S when things get done. It just takes a bit longer than most people have the patience for.

info

Most can't see the big picture, and most of them can't think much beyond their own desktop let alone company-wide. It's a selfish society. Few IT departments have the time to sift through logs proactively, although it's a great idea. They tend to be more 'after the horse has left the corral', so to speak. More for investigating after the fact, and to cover their a$$ legally. "We took every reasonable precaution..."

Neon Samurai

Yeah, "radiology" was a bit of word bending that could have been avoided. My mention of "wave propagation" later in the comment actually addressed what I meant by "radiology". Still, I think the point being made was obvious even with the misuse of the term. If one is calling another "tech savvy" while observing the other being obviously unsavvy; is it not the first person's definition of "tech savvy" at fault, not the second person's lack of knowledge?
