Comments
Shadow IT Is An Opportunity, Not A Problem
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
7/16/2014 | 10:59:03 AM
Re: Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
I think you both hit on an important point: the culture of the organization. I think part of what Steve is trying to do in his organization is demonstrate that IT can be responsive to its users needs. That helps to build a culture where sometimes IT can say "No," as Steve mentioned in the example of an HR or payment system. It's kind of facile, but I think if you can give a little, you can get a little in return. But you have to work hard to build the kind of culture where users are willing to toe the line in some cases if you can give them some freedom elsewhere, and articulate clearly and frequently why sometimes there have to be lines in the first place.
Wstr
50%
50%
Wstr,
User Rank: Apprentice
7/10/2014 | 5:46:49 PM
Re: Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
Agreed. When the culture of the organization is to find solutions working together, and communicate needs/goals up front, everything is smoother. Part of my viewpoint on this is that it is not IT-specific, but we perhaps tend to see the impact more or differently. It is easy to see a room is too warm, do a Google search for an air conditioning vendor, and place a order with them - but the Facilities Manager will have a major issue with that person when they see the result.

I definitely hate that many people see the IT department as the place that says No, and we can frequently do better in how we answer questions. But there is definitely that big cultural aspect you hit on - it has to be demonstrated from top down that you go to IT looking for a solution, before IT can even offer the solution(s).

Just recently I had a slightly strange experience that was the opposite. They did come to first - although late, with a deadline hanging over them - to have large paper RFQ responses scanned in and published to a specific group of people external to our organization. In this case, they had the tools to do it themselves: they have the high-speed scanner on-site, and I offered them the opportunity to use a Google Site as we had used such a 3rd party "cloud" service for another need recently. Instead of seizing the opportunity, they went back to our help desk where the request swirled around until it came back to me specifically as a request to setup an FTP site on the fly, on our own servers but available externally. I did as they asked, but ironic that they turned down the "shadow IT" opportunity for them to do it themselves. We'll see what happens next time. As noted, at least they are coming and expressing needs and looking for solutions.

 

Thanks for the reply.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
7/10/2014 | 4:18:48 PM
Re: Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
You bring up a lot of very good points, @Wstr. Years ago, though, people might have wanted to do certain tasks by themselves but couldn't usually do so unless they had training. Nowadays, when your smartphone has so much processing power and access to hundreds of (often free) apps, it's a whole lot easier to find at least a BandAid solution for today's problem -- even if it causes hundreds of problems a typical end-user can't see down the road.

One of the best governance/risk/security execs I've ever spoken to managed to instill a real culture of risk-averseness throughout his organization through constant education and communication. HCSC's Ray Biondo has been CISO for nine years and has a whole strategy he's developed, as I wrote in an April story. As I recall, he cited other examples that i didn't include that further demonstrated the buy-in, from top to bottom, that prevents employees from 'going rogue,' so to speak. I think they believe in the company, recognize the importance of mandates and their impact, and know why all the rules are in place.
Wstr
50%
50%
Wstr,
User Rank: Apprentice
7/10/2014 | 2:46:10 PM
Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
We've been hearing this for years. It is not a new issue, no matter what you name it - "shadow IT", or just "people doing what they want to". There are standards and policiies for reasons, and people can always find an excuse for doing things differently - going all the way back decades to the infamous "it is easier to ask forgiveness than permission" and "the end justifies the means". To that, I have simple comparisons to offer: can you violate your company's travel policy because it was easier for you? Violate purchasing rules because it was quicker and easier? Use your personal cell phone in a call center environment where all calls are recorded for regulatory reasons, because it was better for you?

 

People don't like some rules. They always say they didn't talk to the right person first because it would take time and they might hear a "no". But after 25 years working in this field in all different kinds of environments, the people that use that excuse are not interested in a collaboration. This author thinks that if you just offer solutions instead of saying No, people will start working with IT? Not so. The problem with "shadow IT", self-empowered users, etc. is simple: most of them don't know what the impact is of what they are doing. They waste time themselves implementing poor solutions, and frequently put sensitive data at risk in the process. Then later when the solution really doesn't fit the need, and they want to expand it, or they suddenly realized it isn't secure enough, they call in the IT department to fix their mess. And cleaning up a mess is a lot more difficult than doing it correctly the first time. Training everyone would be a big help, but the truth is you need upper management to push using IT as your solutions provider, or it will just keep running amock. It is not a new problem - it started with the intro of the PC, DBase and Access, etc. and never stopped.

 

And by the way, everone is in a regulated environment at this point: publicly traded company? Then you have a 100 controls in place via COBIT or COSO to satisfy Sarbanes-Oxley. Health care? Welcome to HIPAA. Government? Welcome to a whole raft of different requirements depending on your function. Process payment information? Welcome to PCI. All have audit requirements. All have penalties. If your company doesn't control your data, it is not a matter of if you will get in (massive) trouble, but when.

 

Empowering people, giving them mobility, etc. is all possible - but only if IT is allowed to do the research, have a plan, test it out and support it. It can be done securely and still give a better overall compromise of usability and security (and support!) than random solutions (i.e. chaos).

 

 
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
7/9/2014 | 11:14:41 AM
Would This Work For You?
I'm curious to know what other IT pros think of this. Would it work in your environment? Is it already happening? And where would you draw the line?


Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 7, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program!
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.