6/9/2014
01:03 PM
Eric Zeman

In Praise Of Shadow IT

80% of those employed by enterprises larger than 1,000 people circumvent IT to use cloud-based tools, new research says. I say let them.


When it comes to technology, I don't like to play by the rules. In fact, I'd be happy to pay for my own gear and my own software if it means I have total freedom to choose how I get my job done on a day-to-day basis. While I understand and respect the rules of the IT department for protecting the company and its assets, I often find myself suffocated by the lack of options and flexibility.

Call me a rebel, but it turns out there may be a positive side to rogue employees' distaste for submitting to corporate controls. Allowing key employees to find their own productivity tools might make for a healthier, more competitive organization. With the bulk of respondents to a recent survey suggesting they'd buy their own software in order to do their jobs better, the question for IT becomes less about security and more about not missing the next big thing.

According to a Frost & Sullivan poll, 80% of those employed by enterprises larger than 1,000 people said they circumvent the IT department to use cloud-based tools. Sometimes these employees even pay for such services out of their own pocket. Rather than punish these employees, Christopher Mims of The Wall Street Journal suggested letting them run free.

Mims interviewed a number of businesses that provide cloud services to the Fortune 500, even though those businesses did not formally sell their services to the larger firms. "Most companies are playing whack-a-mole when it comes to 'unauthorized' software like cloud-storage services and productivity software," Mims wrote. "As soon as one group is banned from using a useful tool like Dropbox, someone somewhere else starts using it. Employees just want to do their jobs, and if corporate IT isn't moving as fast as they are, well, whose fault is that?"

Much of the issue, it seems, boils down to file access. Large corporations often restrict access to files, forcing employees to load them from within the corporation's four walls directly, or through a VPN when remote. These strictures can have a negative impact on productivity. They give mobile workers plenty of impetus to put the files into places where they can be accessed more easily from a wider range of devices and apps. The number of cloud-storage solutions is vast, and competitors to OneDrive, Google Drive, Dropbox, Box, and others appear every day. Some of them are actually quite good.

Mims' basic tenet is that the employees who are most apt to break the rules may also be the best at finding new tools that can scale to the entire enterprise -- a concept known as Shadow IT, Rogue IT, Bring Your Own X, and other terms. It goes far beyond the notion of BYOD to something much more organic.

"Once a shadow IT service is sufficiently popular, whoever is in charge usually conducts a formal analysis of the provider's security measures and compliance with appropriate regulations," Mims said. "As long as everything checks out, what started as an employee end-run around their own IT staff becomes institutionalized."

Giving some employees this type of freedom is not without risk, of course. Other employees may find out and adopt an "If they can, why can't I?" attitude. Further, a large corporation can't put the company and its data at risk simply to satisfy the rebellious attitude of its workers. The key, as with everything, is striking the right balance.

What do you think? Should some employees be given freedoms not enjoyed by all as long as it means they eventually contribute to the greater good? Do the benefits outweigh the risks? Please add your own thoughts in the comments below.

Eric is a freelance writer for InformationWeek specializing in mobile technologies.
Comments
GAProgrammer,
User Rank: Ninja
6/20/2014 | 10:23:25 AM
Re: What's the debate here?
I have to disagree here. While I agree that IT should not always say "No" immediately, to say that "IT MUST give users corporate-approved, cloud-based file storage alternatives that are easy to use -- and defensible on the security, regulatory, and compliance fronts. That's not optional anymore" is very short-sighted. Sure, cloud-based storage and cloud-based tools are used in tech journalism. It is even used in some (and by some, I mean a minority of businesses) instances. But it is far from mandatory and far from being used in a majority of companies these days.

I realize that tech journalists read about this stuff all the time. But let's be real - in a year you might read about 500 companies on the leading edge of tech. That is such a small piece of the pie that it's a bad idea to extrapolate a few early adopters and cool, innovative implementations as the de facto standard for how a business really runs in 2014. Those are the exceptions, not the rule. I say this as someone who fights this fight on a weekly basis.

Not to mention that finding "corporate-approved, cloud-based file storage alternatives that are easy to use -- and defensible on the security, regulatory, and compliance fronts" takes a lot of time, testing and money and can't just be approved in a week's time. Especially in countries and/or highly regulated industries.
GAProgrammer,
User Rank: Ninja
6/20/2014 | 10:12:45 AM
Re: Speed of moving and IT budget
And that's part of the point. At $100 a user for a 1,000 user company, you are talking $100k/year just for that feature.
Thomas Claburn,
User Rank: Author
6/10/2014 | 4:17:39 PM
Re: What's the debate here?
IT should also strive not to be the organization that defaults to "no." The pace of work today doesn't fit with foot-dragging or unnecessary barriers.
peteraltschuler,
User Rank: Apprentice
6/10/2014 | 11:15:52 AM
Re: Speed of moving and IT budget
This is where newer technologies provide a distinct advantage -- in cost. There are several firms, such as Webalo, Catavolt, and Capriza, that make it possible to access enterprise resources (securely) for a fraction of traditional costs. For something as basic as reports, a mobile version can be created automatically in seconds (and modifications can be made manually), but the cost is incremental. That's because the subscription fee structure is under $100 per user for an entire year... no matter how many enterprise-to-mobile configurations are created.

In a situation like that -- with access to the files and data that people rely on to do their jobs -- IT provides secure access (either through the technologies' encryption or through the organizations' mobility management tools) and employees can function without the need for third-party, cloud-based alternatives.
Laurianne,
User Rank: Author
6/10/2014 | 11:10:10 AM
Re: What's the debate here?
IT must give users corporate-approved, cloud-based file storage alternatives that are easy to use -- and defensible on the security, regulatory, and compliance fronts. That's not optional anymore.
bleylock,
User Rank: Apprentice
6/10/2014 | 9:25:08 AM
What's the debate here?
I'm sure everyone agrees companies need to have rules, processes and technology in place to protect their critical data. I'm also fairly sure folks would agree that it is not possible for IT shops, especially in large organizations, to keep up with the plethora of cloud offerings that come out daily. However, I fail to see how that is a reasonable excuse to simply allow anyone to put the company data at risk with any tool they happen to read about on the plane.

Corporations have a vested, often regulatory-based, interest in controlling their data and folks that willy-nilly elect to bypass these controls are not acting in the best interest of their employers, no matter what they might think. If they are chafing under some rules or restrictions they find constraining to productivity, the proper course of action is to escalate the perceived problem up the management chain until a decision is reached.

The real culprit here, if there is one, are bad InfoSec teams. The security team that reflexively says "No!" to all such requests is a bad one. Instead, InfoSec should be partners with those seeking change and work to do things securely and within the regulatory controls they legitimately need to enforce. Using a cloud service is a means to an end, not an objective to itself. If Shadow IT and InfoSec can come to an agreement on how to meet their ultimate objectives securely, everyone wins whether the Cloud is used or not.
Curt Franklin,
User Rank: Strategist
6/10/2014 | 9:17:45 AM
Re: Nail, meet head
@SaneIT, I think one of the critical points is being able to come up with policies that use hard "set points" of behavior and allow tremendous flexibility around those points. The policies should spell out quite precisely who's responsible for data (and access to applications) at each step of the way. Looked at another way, the policies should focus on "outcomes" or goals, rather than methods and technologies.

It's going to be rough sledding for a while because this goes against the way in which IT has thought of its own governance for most of its history. The result, though, can be a more robust, more responsive IT structure that still maintains the standards for corporate behavior.
SaneIT,
User Rank: Ninja
6/10/2014 | 7:32:24 AM
Re: Nail, meet head
"resourcing it to be able to keep up"

Here's the catch, if you enable your employees to do a little Shadow IT and bring their own solutions, when something goes horribly wrong who is on the hook for data loss? Who is called in to explain why employees are going around corporate resources and storing their files on a server seized by the CIA? Who has to pay when a crypto locker virus hits your corporate network because an employee is using their own un-protected laptop in the office? IT is there for a reason, if a company and its employees feel like the company is not advancing quickly enough technologically then they need to stop treating their IT staff like the enemy and equip them to get out ahead of the technology curve. Too often IT is treated the same way a company treats the lawn service that keeps up the property around your office building. As long as everything looks OK then they ignore them but when a patch of grass dies or some weeds pop up all of a sudden people get excited about how the job is being done, or not done.
asksqn,
User Rank: Ninja
6/10/2014 | 3:50:56 AM
Job security for law firms
It will be fascinating how this buy your own software/bring your own device/do your own thing plays out with regard to manner of work performed and devices provided since the definitions of these services indicate whether employees are considered W-2 or 1099 independent contractors. I predict an uptick in work for labor-employment legal professionals.
zerox203,
User Rank: Ninja
6/9/2014 | 8:23:30 PM
Re: In Praise Of Shadow IT
I certainly agree with you, Eric. If nothing else, the ultimate lesson here is that you can't stop employees from doing what they want to do - the expression 'rules are made to be broken' was not created by people who loved compliance and corporate security. When it comes to technology compliance, the proof is on the table that your employees are only going to follow your rules up to a point. However, you're also right to suggest that there's an opportunity here to leverage this to your benefit. You can save yourself time, money, and headaches if you sit down and evaluate whether you really want to be that iron-fisted after all.


On the other hand, we ought to bear in mind that these policies do exist in the first place for a reason. We wouldn't say 'well if employees just want to sneak in through the window instead of using their keycards, whose fault is that?'. Maybe if everyone was doing it, there's some consideration that your check-in policy is a little too cumbersome, but 9/10 times, you're just going to fire those employees. Maybe in the year 2014, IT security does need a closer look, though - are people really trying to steal your marketing plans for next quarter? Probably not. Compliance and Security rules certainly ought to be enforced, but it's worth taking a look back and making sure you're actually asking your employees to comply with something you still care about.