It’s not Shadow IT, it’s Shadow Innovation

by Brian Katz on August 20, 2014 · 6 comments

We all hear about shadow IT. It’s a scary term, brought up in articles and conversations. It’s defined as people going around the rules and policies of IT or implementing technology outside of IT’s purview. It’s used by a lot of vendors to point out what can be going wrong in a company. Normally they have a tool that allows you to track down shadow IT and get it under control. Anything going on that IT can’t see can’t be good for the company, or so they say. Yet, they couldn’t be more wrong.

IT has historically operated from a point of control. They needed to be able to control all technology and were kings of the castle, although more recently it has been an effort to control the budget as well. Ostensibly it was to ensure that all data was secure and to make sure that they could keep everything running well. It started in the era of mainframes and has now moved to data centers in its inexorable march towards the cloud. Yet the issue with IT being the only one in control is that projects tended to move slowly. Servers would be requisitioned and take weeks or months to be installed and then set up properly. A project might take months or even years from proof of concept through to production. The reins that IT exerted its control through meant that your job was your location and policies dictated how you worked, regardless of what the business required. Using new technology was a luxury that was rarely afforded to the business. At the same time, it was not uncommon to see the IT folk themselves with the latest, greatest hardware, obviously testing to make sure everyone else could use it.

This type of control is no longer viable as people have become more technologically savvy. The ITization of the consumer has given them better hardware at home than they might have in the office. They are using cloud services for their personal data and might even employ an online backup service. They’ve learnt that technology doesn’t need to march at a snail’s pace. They can spend less than $40 using their corporate American Express card to buy enough instances on the Amazon cloud to run POCs in days rather than months. They have the opportunity to fail fast and make tweaks to get their needs met faster.

They have been using smartphones and iPads to do stuff at home and they understand the mobile app economy. They refuse to use a crapplication for any of their personal stuff and they see no reason to have to use one for work. For every crapplication that work provides for them, they can find at least 10 alternatives in the iOS or Android app stores. These apps are designed around their needs and follow the FUN principle.

In most cases, shadow IT isn’t being enacted because people want to thumb their nose at IT. Instead, it’s really people just trying to get their job done in an easier, more efficient way. It can range from the user who installs an app like Dropbox on their mobile device to another user who buys some machines in the Amazon cloud. In the first case, the person just wanted to be able to work on a file while they weren’t sitting at their desk, while in the second, it was faster and easier for the person to get a proof of concept started with a few dollars spent on some Amazon cloud instances. In both cases, there were no good alternatives offered by IT.

These choices are neither made nor intended to put the company at risk. Rather, they are meant to help the users themselves become more efficient and productive. They actually drive the business forward. The issue is that IT hasn’t embraced the change that modern technology has enabled. They are stuck in the era of control and live in a world where security FUD is thrown around faster than monkeys having a poop fight. When you are taught that shadow IT can only lead to security breaches and harm to the company, that’s all you find.

That doesn’t mean that there aren’t malicious people out there. As Tom Kaneshige points out in his article on the BYOD Mobile Security Threat, there are bad actors out there. The issue with bad actors is that they were causing problems long before BYOD and they will always find a way. That doesn’t change the fact that most people aren’t trying to be malicious; they just want to get their work done and go home, or if they’re mobile, back to watching their kid’s soccer game.

IT shouldn’t be worrying about shadow IT but rather embracing shadow innovation. They should seek out the solutions that their users have felt the need to enact and find a way to incorporate them into their own bag of tricks. It’s not about tearing Dropbox out of people’s hands but giving them a way to securely store their work files in the cloud, so they can access and work on them easily. The goal isn’t to pull the POC servers from the Amazon cloud but rather to offer to help set them up and make sure they have secure communication with work and that the data is protected if it needs to be.

Shadow innovation is an opportunity for IT to become more relevant. They learn to follow the FUN principle (focus on the user needs) and enable their users and yet they take the precautions to do it securely. They remove the burden of being a hurdle and get seen as a partner and a collaborator, enabling the business to move forward. Instead of finding a security threat under every rock, they find an innovator working to make the company more successful. Their only job is to embrace shadow innovation and bring it into the light.


Nik Frengle November 4, 2014 at 9:08 am

I couldn’t agree more. There was a case of a security operations head in one of the top mobile phone carriers in the UK famously saying ‘no’ to absolutely everything. I think that if someone did a forensic analysis of the damage he did, it is no exaggeration to say that the additional costs to projects, in wasted time (time that felt like torture, trying to convince the most unreasonable and stubbornly hostile to change person that a project was really needed, and further that every reasonable precaution had been taken, despite him providing very little constructive input as to what would constitute a secure application, and/or suggestions on improving security), and in lost chances for innovation, would be in the 100 millions sterling, perhaps even billions. Witch hunts for shadow IT instances and applications are similar in their control freakery. Rather than writing me up for a security violation for having PuTTY on my PC, provide me with a place to download it, and a whole host of other open source apps that may be absolutely essential to doing my job. And, give me a mechanism for quickly, easily, and trackably nominating new apps for this.

