Viva la Shadow IT

The Register almost gets it.  I don’t blame them, really.  You can’t change the world overnight, and articles about IT engaging the business mostly reflect the IT world as it is.  It’s no surprise they fall short when it comes to the part about how things ought to be.  I do like the article because it does actually give the users some credit where due, but it suffers from “IT is Important-itis”. To wit, in an exposition on Infrastructure as Code:

“It’s a lovely idea, but only if you have guidelines in place to stop devs littering your infrastructure with zombie VMs and chewing their way through your storage capacity with poorly-thought-out API calls.”

Um, it’s not your storage capacity. It’s the Business’ storage, you’re just administering it, jackass.  Those littering devs are increasingly hired by the business directly.

“If you’re an Amazon Web Services house, you don’t necessarily want your developers spinning up services on the competing Microsoft Azure just because they have a preference for, or more experience with, that particular technology stack or service…”

Sure.  For example, we wouldn’t want our Marketing team to work in InDesign or Illustrator when MS Paint is so much cheaper for our shop. Some of the users prefer to have an Android phone; that makes no sense when we have so many flip phones lying around to distribute. And another thing…we just replaced all those expensive laptops with Chromebooks. The CEO’s assistant had the nerve to complain about it…can you believe that?

The sad part is that they get so much right with this gem of an article, especially early on in the setup:

Discipline in cloud-based resource procurement breaks down into three broad areas:

  • Making sure your users aren’t buying the wrong stuff

  • Making sure that you’re buying the right stuff

  • Giving people what they need in a controlled way (which may not mean giving them what they want).

As usual, it starts out great and tails off with another root cause fail.  It sounds roughly good without context but it’s a dishonest progression.  The whole point of shadow IT is that the business is finding solutions to problems IT is incapable of helping them resolve.  So by definition your users have already found the right stuff without you.  Now you get to play catch-up.  That second bullet should really be front and center because “making sure that you’re buying the right stuff” means requirements gathering and matching solutions to the actual needs.  Since we didn’t do that in the first place, the business went the shadow IT route.  Finally, isn’t “not giving them what they want” kind of the point the users were making?

The whole thing strikes me as another example of “oh no, we’re losing our historically total control over IT decisions because the users are getting smarter, how can we keep the Iron Throne” whinge.  At least there’s still some self awareness to be found:

“Discovering and understanding some of the unmet employee needs can help to reduce the risks associated with unsanctioned filesharing,” he said.

IT guys: that means talking to your users, or getting someone else more tolerant to do it, so that the IT department can understand why they are fleeing to third parties, and then give them something better.

When we can safely presume the folks in IT are incapable of having the most important conversations with the business, there’s not much hope for changing the state of affairs.  Viva la Shadow IT!


This entry was posted in Future of IT, Public Cloud.

9 Responses to Viva la Shadow IT

  1. Peter says:

    A couple of people have shared some thoughts privately (who may make a public appearance, but that remains to be seen) which I think make a follow-up necessary.

    First: that the general technology part of “IT” and specifically Information Security needs to remain the purview of IT because of the systemic risks to the business.

    Second: that Shadow IT is a natural outcropping of IT budget reductions a la the outsourcing fad of the last couple decades.

    I’ll wait a bit before expanding on this with my thoughts but at the highest level, I agree with the sentiment. The devil, however, is in the details.

  2. Kevin says:

    We are struggling with some of this but in a slightly different way.

    “The business” tells IT what specific technologies to implement. IT is offended because of course IT has talented people and they don’t want to be reduced to “order takers”. IT wants to know what business capabilities you are trying to implement/deliver, so that they can participate with the business in identifying/recommending/deploying a solution.

    Oh…and there are separate IT risk management and cyber teams that specify the rules by which IT and the business must abide to protect our data in this new cloud world. It’s not that IT is being a “gatekeeper” to protect their turf, but I think given the war on all things “cybersecurity”, I.T. MUST play some sort of a gatekeeper role to protect an organization’s information assets. There are far too many users that don’t think about the implications of cybersecurity and are more than happy to put an organization’s data anywhere – these are the same people that post pictures of their “junk” on social media and act surprised when someone sees it. Selecting an application is not a free-for-all, unless it’s on your personal device. But yes – IT could do a better job of listening and moving with the tide as long as it is safe.

    • James Thayer says:

      There are times when IT legitimately needs to step in to impose standards in order to meet corporate needs: security is one area and data retention is another. Data interchangeability may be a third.

      Ideally, IT will work hand-in-hand with individual departments to minimize the impact of these corporate requirements on the employees while still meeting the corporate requirements. (And it is in the best interests of IT to reach out and work with departments to find these solutions — the last thing that the corporation needs or wants is for employees to go behind IT and set up an insecure e-mail server in their bathroom…)

    • Peter says:

      First: if IT had services the business could consume, it wouldn’t be asked to deploy specific hardware/software to solve the problem – after a while. That won’t happen overnight, but it is the point of IT as a Service. IT just doesn’t know how to build a proper service catalog. Amazon and MSFT don’t seem to suffer that problem.

      Second: I think your infosec point deserves a good hearing. I believe strongly that InfoSec and Risk Management should not live inside of IT. They should be separate groups with their own reporting structure to the CISO. I also believe strongly that InfoSec should set policy and be the agent holding end users accountable, NOT IT. End users are getting more sophisticated. Great. So you should be able to read a policy manual and put your job on the line for the freedom you think you deserve for being so “lettered” in IT. We won’t do that, though, because the business doesn’t have teeth when it comes to its own people. They should be firing the 1/5 of people who don’t know how to use e-mail properly and sanctioning idiots who move data to unapproved locales.

      I say that because you simply cannot stop someone from smuggling data outside its cage. Not possible. Easier to sanction them after the fact.

  3. James Thayer says:

    I was asked if I would share the following so here it is…

    Once upon a time, not so long ago, in a galaxy not so far away, there was a world-leading telecoms firm that decided, in order to save costs, it would centralize and outsource all IT services. This was a world-wide company with 10s of thousands of employees. There was no “economy of scale” that applied in a meaningful way. So how did an external for-profit company provide IT services at lower cost than an internal at-cost organization? Simple. By providing a lower quality of service. And how did the rest of the company (who still had to meet their own goals) react to the lower quality of service? By backstopping the official IT with shadow IT.

    Across the company, the net result was an increase in total IT costs; however, the increase was now hidden and uncontrolled.

    • Kevin says:

      I don’t have the answers, but it is interesting to see how companies struggle with the chargeback, allocation, whatever you want to call it. A non-IT department can have seemingly unlimited funds to build their own IT solution, but the IT department – although technically part of the same company – is a different cost center and can’t get funding to deliver the new solutions (or continue to meet QoS on existing services) that the non-IT business department is asking for.

      • Peter says:

        Replying a bit out of order here, but the chargeback problem is one I’ve been wrestling with for over a decade. There is no simple answer because the system needs to be blown up and rebuilt. Here’s why:

        The IT funding model has traditionally been “command and control” or project based accounting, particularly for Capital Expenditures. The labor assets and consumables then get “peanut buttered” across all the departments or allocated with some hamfisted weighting model. The “right” solution would have been to simply build out unit based cost allocation, but that breaks the funding model because IT has to acquire the assets well ahead of time. So the impasse continues, with IT building out more than they need and business units consuming more than they need because of perpetual resource shortages they ironically cause. If IT had a mandate to solve that problem…they could.

        Now enter public cloud. Those resources are consumed as Operational Expenditures and are written off in the current fiscal year. They’re easier to hide on the balance sheet and definitely contribute to the shadow IT morass but the business is okay with that accounting model. So why can’t we have nice things (chargeback, unit cost accounting, moving IT from a cost center to something else)?

        Because the common enemy is the finance department. It will require an alliance between the business unit, IT, AND finance to develop new rules for this approach. Only then can it be solved. In a perfect world (mine, anyway), IT is funded in part by its own activities. It isn’t up to IT to determine the appropriate level of consumption for the business, just like it’s not up to procurement to determine how much paper the office should use or how many marketing campaigns to run. IT and Procurement are just there to enable the business.

  4. Kevin says:

    Perfect example of Shadow IT:

    “…The utility, which uses VMware on-premises, had a business unit put workloads on AWS without telling IT…”

    Source article:
