Shadow IT Is An Opportunity, Not A Problem - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

CIO Insights & Innovation
Security & Risk Strategy
Team Building & Staffing
IT Strategy
Digital Business
Project Management
Programming Languages
Dr. Dobb's
Enterprise Applications
Operating Systems
Productivity/Collaboration Apps
Network Security
Careers & People
Threat Intelligence
IoT
Attacks & Breaches
Application Security
Cloud Security
Endpoint Security
Mobile Security
Perimeter Security
Risk Management
Operations Security
Analytics
Vulnerabilities & Threats
Security & Risk Strategy
Infrastructure as a Service
Platform as a Service
Software as a Service
Cloud Storage
Data Centers
Mobile Applications
Mobile Devices
Mobile Business
Enterprise Mobility Management
AI/Machine Learning
Big Data Analytics
Hardware/Architectures
Software Platforms
IoT
Networking
Wireless Infrastructure
Data Centers
Cloud Infrastructure
Careers and Certifications
Network Security
Government
Healthcare
Wall Street & Technology
Bank Systems & Technology
Insurance & Technology
Industries
Government
Healthcare
Wall Street & Technology
Bank Systems & Technology
Insurance & Technology
IT Life
Careers
Mobile
Mobile Applications
Mobile Devices
Mobile Business
Enterprise Mobility Management
Software
Enterprise Applications
Operating Systems
Productivity/Collaboration Apps
Comments
Shadow IT Is An Opportunity, Not A Problem
Threaded  |  Newest First  |  Oldest First
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
 User Rank: Ninja
7/9/2014 | 11:14:41 AM
Would This Work For You?
I'm curious to know what other IT pros think of this. Would it work in your environment? Is it already happening? And where would you draw the line?
Wstr
50%
50%
Wstr,
 User Rank: Apprentice
7/10/2014 | 2:46:10 PM
Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
We've been hearing this for years. It is not a new issue, no matter what you name it - "shadow IT", or just "people doing what they want to". There are standards and policiies for reasons, and people can always find an excuse for doing things differently - going all the way back decades to the infamous "it is easier to ask forgiveness than permission" and "the end justifies the means". To that, I have simple comparisons to offer: can you violate your company's travel policy because it was easier for you? Violate purchasing rules because it was quicker and easier? Use your personal cell phone in a call center environment where all calls are recorded for regulatory reasons, because it was better for you?

 

People don't like some rules. They always say they didn't talk to the right person first because it would take time and they might hear a "no". But after 25 years working in this field in all different kinds of environments, the people that use that excuse are not interested in a collaboration. This author thinks that if you just offer solutions instead of saying No, people will start working with IT? Not so. The problem with "shadow IT", self-empowered users, etc. is simple: most of them don't know what the impact is of what they are doing. They waste time themselves implementing poor solutions, and frequently put sensitive data at risk in the process. Then later when the solution really doesn't fit the need, and they want to expand it, or they suddenly realized it isn't secure enough, they call in the IT department to fix their mess. And cleaning up a mess is a lot more difficult than doing it correctly the first time. Training everyone would be a big help, but the truth is you need upper management to push using IT as your solutions provider, or it will just keep running amock. It is not a new problem - it started with the intro of the PC, DBase and Access, etc. and never stopped.

 

And by the way, everone is in a regulated environment at this point: publicly traded company? Then you have a 100 controls in place via COBIT or COSO to satisfy Sarbanes-Oxley. Health care? Welcome to HIPAA. Government? Welcome to a whole raft of different requirements depending on your function. Process payment information? Welcome to PCI. All have audit requirements. All have penalties. If your company doesn't control your data, it is not a matter of if you will get in (massive) trouble, but when.

 

Empowering people, giving them mobility, etc. is all possible - but only if IT is allowed to do the research, have a plan, test it out and support it. It can be done securely and still give a better overall compromise of usability and security (and support!) than random solutions (i.e. chaos).

 

 
Alison_Diana
50%
50%
Alison_Diana,
 User Rank: Author
7/10/2014 | 4:18:48 PM
Re: Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
You bring up a lot of very good points, @Wstr. Years ago, though, people might have wanted to do certain tasks by themselves but couldn't usually do so unless they had training. Nowadays, when your smartphone has so much processing power and access to hundreds of (often free) apps, it's a whole lot easier to find at least a BandAid solution for today's problem -- even if it causes hundreds of problems a typical end-user can't see down the road.

One of the best governance/risk/security execs I've ever spoken to managed to instill a real culture of risk-averseness throughout his organization through constant education and communication. HCSC's Ray Biondo has been CISO for nine years and has a whole strategy he's developed, as I wrote in an April story. As I recall, he cited other examples that i didn't include that further demonstrated the buy-in, from top to bottom, that prevents employees from 'going rogue,' so to speak. I think they believe in the company, recognize the importance of mandates and their impact, and know why all the rules are in place.
Wstr
50%
50%
Wstr,
 User Rank: Apprentice
7/10/2014 | 5:46:49 PM
Re: Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
Agreed. When the culture of the organization is to find solutions working together, and communicate needs/goals up front, everything is smoother. Part of my viewpoint on this is that it is not IT-specific, but we perhaps tend to see the impact more or differently. It is easy to see a room is too warm, do a Google search for an air conditioning vendor, and place a order with them - but the Facilities Manager will have a major issue with that person when they see the result.

I definitely hate that many people see the IT department as the place that says No, and we can frequently do better in how we answer questions. But there is definitely that big cultural aspect you hit on - it has to be demonstrated from top down that you go to IT looking for a solution, before IT can even offer the solution(s).

Just recently I had a slightly strange experience that was the opposite. They did come to first - although late, with a deadline hanging over them - to have large paper RFQ responses scanned in and published to a specific group of people external to our organization. In this case, they had the tools to do it themselves: they have the high-speed scanner on-site, and I offered them the opportunity to use a Google Site as we had used such a 3rd party "cloud" service for another need recently. Instead of seizing the opportunity, they went back to our help desk where the request swirled around until it came back to me specifically as a request to setup an FTP site on the fly, on our own servers but available externally. I did as they asked, but ironic that they turned down the "shadow IT" opportunity for them to do it themselves. We'll see what happens next time. As noted, at least they are coming and expressing needs and looking for solutions.

 

Thanks for the reply.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
 User Rank: Ninja
7/16/2014 | 10:59:03 AM
Re: Old news, off target. People will choose to go rogue until they hit a wall and need help. Which is very costly to your organization.
I think you both hit on an important point: the culture of the organization. I think part of what Steve is trying to do in his organization is demonstrate that IT can be responsive to its users needs. That helps to build a culture where sometimes IT can say "No," as Steve mentioned in the example of an HR or payment system. It's kind of facile, but I think if you can give a little, you can get a little in return. But you have to work hard to build the kind of culture where users are willing to toe the line in some cases if you can give them some freedom elsewhere, and articulate clearly and frequently why sometimes there have to be lines in the first place.


The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Download Now!
Editors' Choice
News
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
Commentary
Graph-Based AI Enters the Enterprise Mainstream
James Kobielus, Tech Analyst, Consultant and Author,  2/16/2021
Slideshows
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
Register for InformationWeek Newsletters
Video
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Download This Issue!
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll