Shadow IT Is An Opportunity, Not A Problem - InformationWeek

Shadow IT isn't a scourge. It's an opportunity for IT to engage the business and add value, says CBS Interactive's Steve Comstock.

Shadow IT tends to have negative connotations for technology professionals. But what if the use of unauthorized applications and services is an opportunity for IT to start a discussion with the business rather than drop the hammer?

Stephen Comstock, VP of Site and IT Infrastructure for CBS Interactive, says business users don’t think of outside applications and services as “shadow IT.” They think of it as trying to do their jobs.

“It’s an enabler for the business to find tools they need to streamline or provide efficiencies, get products deployed faster, be more agile,” said Comstock in an interview.

Rather than stamp out these tools, Comstock says IT should learn why users find them valuable, and what IT can do to help.

“It lets IT get involved,” he said. “You talk to the business unit and find out what problem they’re trying to solve rather than trying to control the software.”

Comstock, who oversees an IT team of about 60 people and is responsible for both customer-facing Web and mobile products as well as back-office operations and security, knows there are things IT is really good at: product management, implementing complex systems, budgeting, security, and so on.

“But there are things I’m horrible at,” he said. “I don’t necessarily understand the sales process. But my salespeople do, and they know how to find tools to fill out their pipelines, find qualified leads, and so on. So why would the IT guy pick the sales product?”

“If they find something that helps them bring in more revenue, why not make that an opportunity to talk to the head of sales to say ‘How can we as IT help you more? What are the key performance indicators that help you get more dollars?’”

A common complaint from IT is that the organization doesn’t have a seat at the business table. Comstock says these kinds of conversations are one way to get that seat.

“It’s right in front of us. Just call people up and say ‘I see you’re doing this. How is it helping you?’”

These conversations allow Comstock and his team to engage with his internal customers and find out how IT can make things better for the business.

“The more you do it like that, your customers will start to come to you, and shadow IT starts to become collaborative IT,” said Comstock.

But embracing shadow IT doesn’t mean a free-for-all within the organization. “I wouldn’t let someone kick up a new instance of an HR system without IT being involved and helping guide to make sure we interface properly with our payroll systems,” he said.

“And anything around HIPAA, or things that might cause heartburn with an auditor, I’d prefer we’re part of the conversation from the beginning.”

But when it comes to productivity tools, he’s willing to let folks try. Then his job is to figure out which tools to standardize on. “It doesn’t have to be just one solution, but it shouldn’t be 40 either. The control comes in where we narrow it down to two or three vendors.”

That’s also the point at which IT gets more involved with the contracts, price negotiation, and the need for things such as encryption for confidential data. “These are the things we think about that people don’t.”

Comstock also notes that it’s important to have a baseline set of controls in place, including a single sign-on system that allows IT to revoke access to outside services in case an employee leaves.

He’s also aware that shadow IT can be a problem in highly regulated environments—but it’s still not a deal-breaker. “It would be more difficult in a regulated world, but not impossible. Not everything in a regulated world is regulated.”

Comstock says that his opinions might not work for every business, but IT leaders who are willing to change their frame of mind might find opportunities to demonstrate IT’s value to the business.

“If IT can be a partner and help our business move the needle even a little, why wouldn’t you want that? I might be the liberal IT guy, but I think about risk, I think about data at rest. I don’t want people to think I have no idea how to run IT. I think about those things, and I balance it out.”

Comstock notes that if IT can demonstrate how it facilitates the business in bringing in more revenue, that’s a win for IT.

“Making more money is a better motivator than saving,” he said. “If I can make money, I’m going to get more attention. I’m not going to go out and close a sale, but maybe I can help streamline the process for the person who’s going to.”

“When you become more valuable to the business,” said Comstock, “the conversation starts to change.”

Drew is formerly editor of Network Computing and currently director of content and community for Interop.
Drew Conry-Murray,
User Rank: Ninja
7/9/2014 | 11:14:41 AM
Would This Work For You?
I'm curious to know what other IT pros think of this. Would it work in your environment? Is it already happening? And where would you draw the line?
User Rank: Apprentice
7/10/2014 | 2:46:10 PM
Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
We've been hearing this for years. It is not a new issue, no matter what you name it - "shadow IT", or just "people doing what they want to". There are standards and policies for reasons, and people can always find an excuse for doing things differently - going all the way back decades to the infamous "it is easier to ask forgiveness than permission" and "the end justifies the means". To that, I have simple comparisons to offer: can you violate your company's travel policy because it was easier for you? Violate purchasing rules because it was quicker and easier? Use your personal cell phone in a call center environment where all calls are recorded for regulatory reasons, because it was better for you?


People don't like some rules. They always say they didn't talk to the right person first because it would take time and they might hear a "no". But after 25 years working in this field in all different kinds of environments, the people that use that excuse are not interested in a collaboration. This author thinks that if you just offer solutions instead of saying No, people will start working with IT? Not so. The problem with "shadow IT", self-empowered users, etc. is simple: most of them don't know what the impact is of what they are doing. They waste time themselves implementing poor solutions, and frequently put sensitive data at risk in the process. Then later when the solution really doesn't fit the need, and they want to expand it, or they suddenly realized it isn't secure enough, they call in the IT department to fix their mess. And cleaning up a mess is a lot more difficult than doing it correctly the first time. Training everyone would be a big help, but the truth is you need upper management to push using IT as your solutions provider, or it will just keep running amok. It is not a new problem - it started with the intro of the PC, DBase and Access, etc. and never stopped.


And by the way, everyone is in a regulated environment at this point: publicly traded company? Then you have a 100 controls in place via COBIT or COSO to satisfy Sarbanes-Oxley. Health care? Welcome to HIPAA. Government? Welcome to a whole raft of different requirements depending on your function. Process payment information? Welcome to PCI. All have audit requirements. All have penalties. If your company doesn't control your data, it is not a matter of if you will get in (massive) trouble, but when.


Empowering people, giving them mobility, etc. is all possible - but only if IT is allowed to do the research, have a plan, test it out and support it. It can be done securely and still give a better overall compromise of usability and security (and support!) than random solutions (i.e. chaos).


User Rank: Author
7/10/2014 | 4:18:48 PM
Re: Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
You bring up a lot of very good points, @Wstr. Years ago, though, people might have wanted to do certain tasks by themselves but couldn't usually do so unless they had training. Nowadays, when your smartphone has so much processing power and access to hundreds of (often free) apps, it's a whole lot easier to find at least a BandAid solution for today's problem -- even if it causes hundreds of problems a typical end-user can't see down the road.

One of the best governance/risk/security execs I've ever spoken to managed to instill a real culture of risk-averseness throughout his organization through constant education and communication. HCSC's Ray Biondo has been CISO for nine years and has a whole strategy he's developed, as I wrote in an April story. As I recall, he cited other examples that I didn't include that further demonstrated the buy-in, from top to bottom, that prevents employees from 'going rogue,' so to speak. I think they believe in the company, recognize the importance of mandates and their impact, and know why all the rules are in place.
User Rank: Apprentice
7/10/2014 | 5:46:49 PM
Re: Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
Agreed. When the culture of the organization is to find solutions working together, and communicate needs/goals up front, everything is smoother. Part of my viewpoint on this is that it is not IT-specific, but we perhaps tend to see the impact more or differently. It is easy to see a room is too warm, do a Google search for an air conditioning vendor, and place an order with them - but the Facilities Manager will have a major issue with that person when they see the result.

I definitely hate that many people see the IT department as the place that says No, and we can frequently do better in how we answer questions. But there is definitely that big cultural aspect you hit on - it has to be demonstrated from top down that you go to IT looking for a solution, before IT can even offer the solution(s).

Just recently I had a slightly strange experience that was the opposite. They did come to first - although late, with a deadline hanging over them - to have large paper RFQ responses scanned in and published to a specific group of people external to our organization. In this case, they had the tools to do it themselves: they have the high-speed scanner on-site, and I offered them the opportunity to use a Google Site as we had used such a 3rd party "cloud" service for another need recently. Instead of seizing the opportunity, they went back to our help desk where the request swirled around until it came back to me specifically as a request to set up an FTP site on the fly, on our own servers but available externally. I did as they asked, but ironic that they turned down the "shadow IT" opportunity for them to do it themselves. We'll see what happens next time. As noted, at least they are coming and expressing needs and looking for solutions.


Thanks for the reply.
Drew Conry-Murray,
User Rank: Ninja
7/16/2014 | 10:59:03 AM
Re: Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
I think you both hit on an important point: the culture of the organization. I think part of what Steve is trying to do in his organization is demonstrate that IT can be responsive to its users' needs. That helps to build a culture where sometimes IT can say "No," as Steve mentioned in the example of an HR or payment system. It's kind of facile, but I think if you can give a little, you can get a little in return. But you have to work hard to build the kind of culture where users are willing to toe the line in some cases if you can give them some freedom elsewhere, and articulate clearly and frequently why sometimes there have to be lines in the first place.