Softpanorama
May the source be with you, but remember the KISS principle ;-)


Shadow IT



Introduction

Shadow IT can be defined as software and hardware solutions, as well as the associated manpower, used in an organization that are neither approved nor supported by the formal IT organization. Typically this is a reaction to the excessive centralization and bureaucratization of IT that is endemic in large corporations.

In the past few years, it has gone from being considered a problem to being considered something more or less tolerated, because over-centralized IT is essentially unable to solve user problems. Helpdesk tickets travel for two or more days through a bureaucratic maze before being assigned to a specialist who can resolve them; laptops are unable to install patches and take 10 minutes to boot; Bluetooth stopped working two years ago and nobody cares why. Servers can be down for a week. Sounds familiar? It is ;-)

At the same time IT management is unwilling to acknowledge that the strategy of saving costs via over-centralization is a dead end and quickly reaches the stage of unintended consequences or, as they are often called, "centralization blowback". So, as mentioned above, shadow IT naturally develops and matures as a reaction to the excessive bureaucratization of central IT typical of large corporations, as well as to the loss of flexibility of IT (fossilization) that leaves it unable to serve user needs. When a simple helpdesk ticket travels to the central helpdesk, lingers somewhere for two days and is then assigned to a clueless outsourcer, the user community quickly adapts: it creates its own experts (out of the most knowledgeable users, who run complex home networks or are involved with home automation or robotics) and knowledge centers, and starts ignoring official IT functions and services.

The term "blowback" is richer than the term "unintended consequences" and includes elements of hidden revolt, or at least active counteraction to the policies of central IT (The Full Wiki):

Blowback is the espionage term for the violent, unintended consequences of a covert operation that are suffered by the civil population of the aggressor government. To the civilians suffering it, the blowback typically manifests itself as “random” acts of political violence without a discernible, direct cause; because the public—in whose name the intelligence agency acted—are ignorant of the effected secret attacks that provoked revenge (counter-attack) against them. Specifically, blowback denotes the resultant, violent consequences — reported as news fact, by domestic and international mass communications media, when the actor intelligence agency hides its responsibility via media manipulation. Generally, blowback loosely denotes every consequence of every aspect of a secret attack operation, thus, it is synonymous with consequence—the attacked victims’ revenge against the civil populace of the aggressor country, because the responsible politico-military leaders are invulnerable.

Originally, blowback was CIA internal coinage denoting the unintended, harmful consequences—to friendly populations and military forces—when a given weapon is carelessly used. Examples include anti-Western religious fanatics who, in due course, attack foe and sponsor; right-wing counter-revolutionaries who sell drugs to their sponsor’s civil populace; and banana republic juntas who kill American reporters.

This is the situation when, unfortunately, implicitly sending central IT to hell becomes politically correct in regional offices. But, as with everything, it is important to remember Talleyrand's advice to young diplomats: "first and foremost, not too much zeal" ;-).

Forms of Shadow IT

Shadow IT has several forms:

All in all, the rise of "Shadow IT" signifies both the loss of control and the loss of influence that IT organizations have experienced during the last decade. It is most pronounced when, due to over-centralization, the quality of service becomes unacceptably low (despite the Potemkin villages of official reporting with their excellent and completely fake "incident resolution time" metrics).

Major symptoms of the loss of flexibility and alienation of users

There are several major symptoms of this loss of flexibility and alienation from user needs:

As with any counterculture, there are risks in using shadow IT. If you overstep your boundaries you can lose your job. But if everybody is suffering from the same problem, an attempt to find a solution outside normal IT channels is usually not punished severely. Typically such cases are just swept under the rug. Often a solution initiated as part of "shadow IT" later finds its way into the mainstream. In this sense it serves as an internal innovation incubator.

Countermeasures to the removal of administrative privileges on laptops

Reagan, citing the old Russian proverb "Trust but verify", was right not only about international relations but also about the best policy for user laptops. "Trust but verify" compliance is a better approach than "scan and block".

Removal of administrative privileges is essentially a declaration from central IT that the user has lost its trust. And it raises the classic question "Who are the judges?" Why should central IT staff, often incompetent (in comparison with the staff of engineering and research departments, which often have Ph.D.s among their members) and detached from reality, impose measures that undermine productivity in business departments without consultation with and consent from those departments? After all, central IT is a parasitic organization that spends money earned by business units. Why can't business units be consulted about what they need and want, instead of being treated like children who are just told what to do and what not to do?

That's why users without administrator privileges on their laptops often rebel. Sometimes there is no direct removal, but severe restrictions are imposed via Active Directory (AD fascism), restrictions that make doing useful work on certain tasks within the framework imposed by the organization next to impossible. Again, this is typically not a problem in the accounting department (which can actually squeeze overzealous IT jerks pretty easily ;-) but in research units and labs, which have creative people able to smash those restrictions and who understand some parts of IT much better than central IT (especially people involved with such things as genome sequencing, molecular modeling, etc., where the community is generally extremely computer literate).

At this point it is central IT that loses, as people are much more creative and often invent elegant tricks to bypass restrictions imposed by the IT infrastructure and create a more usable alternative. In other words, shadow IT exists because the business units perceive that IT is not meeting their needs and that using official tools is either unsuitably cumbersome and slow or detrimental to the success of the business.

The key performance indicator for IT is availability. But user satisfaction is equally important, and disgruntled users represent a much bigger danger to the IT infrastructure. This is a danger that stupid and/or overzealous members of the security group who invent those measures fail to understand... In other words, instead of improving security such measures undermine it.

Countermeasures by "deprived" members

Let's discuss countermeasures that "deprived" members of corporate units (and that typically includes some IT members, for example Unix administrators) can use to restore the status quo. There are several avenues for undermining this decision.

  1. Pressure on the "power hungry". Typically such measures are introduced during new hardware deployment. As the environment is not perfect, especially during a new laptop deployment period, you can always claim that the existing arrangement does not allow you to perform some important part of your job. Logging a couple of tickets and giving a negative evaluation for an unresolved ticket can help to speed the sobering of "drunk with power" members of the IT team, but this is a razor-sharp weapon and should be used with extreme caution and only as a reaction to real screw-ups. You just no longer need to sweep them under the rug. And you need to find and cultivate allies. There is strength in numbers.
  2. Switch to alternative hardware.
    1. Private tablets, Ultrabooks or MacBooks. They are not that expensive and can be used in addition to, or in tandem with, the company-issued laptop. Typically company policy is fuzzy about ultrabooks and, especially, tablets that the user owns. Here a Microsoft Surface Pro can be very handy in bypassing the "IT standards". You probably need to buy your own 4G internet access card, and that can eliminate restrictions imposed by the company proxy. Freedom has its price :-).
    2. Using some old laptop or desktop connected along with the "standard" laptop via a Linksys or similar internet gateway with address translation and the ability to emulate the MAC address of your standard laptop. For this solution you should be somewhat knowledgeable in networking or have a friend who is. Of course nmap and similar tools will discover this substitution, but usually this is a pretty safe method that lets you use both the standard laptop and the "alternative" laptop. You probably need to use additional non-routable address space for those two connections. For example, if the organization is using the 10 network you can use the 192.168 network on the segment that the Linksys provides. A used Linksys gateway is approximately $10 on eBay, so this is not a big expense.
    3. Some unused server can be used as your "surrogate desktop". If old, decommissioned hardware is not discarded immediately and you are either in IT or have good contacts who can help you in this area, this is a good avoidance maneuver. Windows server is not bad as an alternative desktop. Linux is mainly suitable for those who have previous Unix experience. If you are in IT but not very close to the emperor (for example, you are in the Unix group) and as such were selected for repressions, you have multiple opportunities in this area.
  3. Switch to alternative OSes. Current laptops are so over-specified that they can carry multiple OSes.
    1. Dual boot. This is the simplest possibility, if you can do without company-specific services (for example, use your Blackberry for email). Both Linux and some older version of Windows can be installed. Using a virtual machine is another. A guerrilla installation of Windows 2003 server is also a pretty nice countermeasure. Often you can create some fancy justification for such a "private" server, which by definition is not controlled by the same group as the desktop. So you get more degrees of freedom.
    2. Use a virtual machine. If the company allows using VM players, you are essentially given a free pass for this solution. Microsoft also provides the ability to install a VM with Windows 7. You just need to justify this, which is not that difficult as many applications have difficulties after the transition.
  4. Using "in the cloud" servers or services. Using alternative email is very common among company employees, as using official email for private messages is one of the stupidest things that you can do in the corporate environment.
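
The list above notes that a NAT gateway presenting the standard laptop's MAC address can still be discovered from the network side. As an added example (not from the original page), here is a passive check a network team could run in place of the active nmap scan the text mentions: a forwarding gateway lowers the IP TTL by one and may mix operating-system TTL families behind a single address. The capture format, addresses and thresholds are constructed assumptions, and the sensor is assumed to sit on the same segment as the user ports.

```python
"""Passive detection of a NAT gateway hidden behind one access port.

Added example. Assumption: the sensor sees frames on the same layer-2
segment as the user ports (e.g. a SPAN port), so a directly attached host
shows an undecremented IP TTL (64, 128 or 255). A consumer gateway doing
address translation forwards packets and therefore lowers the TTL by one.
A cloned MAC defeats MAC inventory checks, so the MAC column is not used.
"""
import csv
import io
from collections import Counter, defaultdict

COMMON_INITIAL_TTLS = (64, 128, 255)  # Linux/macOS, Windows, network gear
MAX_PLAUSIBLE_HOPS = 16               # larger gaps are probes, not routing

# Constructed sample: time, source MAC, source IP, observed IP TTL.
SAMPLE_CAPTURE = """\
09:00:01,00:11:22:33:44:15,10.1.20.15,128
09:00:02,00:11:22:33:44:15,10.1.20.15,128
09:00:03,00:11:22:33:44:31,10.1.20.31,127
09:00:04,00:11:22:33:44:31,10.1.20.31,63
09:00:05,00:11:22:33:44:31,10.1.20.31,127
09:00:06,00:11:22:33:44:31,10.1.20.31,63
09:00:07,00:11:22:33:44:40,10.1.20.40,64
09:00:08,00:11:22:33:44:40,10.1.20.40,64
09:00:09,00:11:22:33:44:52,10.1.20.52,127
09:00:10,00:11:22:33:44:52,10.1.20.52,127
09:00:11,00:11:22:33:44:52,10.1.20.52,1
09:00:12,00:11:22:33:44:60,10.1.20.60,128
09:00:13,00:11:22:33:44:60,10.1.20.60,128
09:00:14,00:11:22:33:44:60,10.1.20.60,127
"""


def classify_ttl(observed):
    """Map an observed TTL to (assumed initial TTL, hops travelled).

    Returns None when the value is out of range or so far below the nearest
    common initial TTL that it is more likely a probe (e.g. traceroute).
    """
    for initial in COMMON_INITIAL_TTLS:
        if 0 < observed <= initial:
            hops = initial - observed
            return (initial, hops) if hops <= MAX_PLAUSIBLE_HOPS else None
    return None


def find_nat_suspects(capture_text, expected_hops=0, min_packets=2):
    """Return {source_ip: [reasons]} for addresses that look like a gateway.

    "extra-hop": packets arrive with more hops than the sensor position
                 explains, so something is forwarding in front of the host.
    "mixed-os":  one address emits more than one initial-TTL family, so
                 more than one operating system is probably behind it.
    A signature must repeat min_packets times to count, which filters
    one-off oddities such as a single stray packet.
    """
    seen = defaultdict(Counter)
    for row in csv.reader(io.StringIO(capture_text)):
        if len(row) != 4:
            continue                      # skip malformed or empty lines
        try:
            signature = classify_ttl(int(row[3]))
        except ValueError:
            continue                      # non-numeric TTL field
        if signature is not None:
            seen[row[2]][signature] += 1

    suspects = {}
    for src_ip, signatures in seen.items():
        stable = {sig for sig, n in signatures.items() if n >= min_packets}
        reasons = []
        if any(hops > expected_hops for _initial, hops in stable):
            reasons.append("extra-hop")
        if len({initial for initial, _hops in stable}) > 1:
            reasons.append("mixed-os")
        if reasons:
            suspects[src_ip] = reasons
    return suspects


if __name__ == "__main__":
    for ip, reasons in sorted(find_nat_suspects(SAMPLE_CAPTURE).items()):
        print(f"{ip}: {', '.join(reasons)}")
```

A hit is a lead for follow-up on that switch port rather than proof, since a VM in bridged or NAT mode on an approved laptop can produce the same signatures.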

Those points are of course raw and incomplete. But the stupidity of official policy is the gasoline that fuels the "shadow IT renaissance" and the inventions of those who are affected. Creatively bypassing those restrictions is the banner of a real IT professional. Please note that this often puts company data in a far less protected environment than a regular corporate PC. Excessive zeal in security often backfires in very interesting ways.

In many instances, corporate IT policies and standardization efforts are simply stupid in the very exact meaning of this word. They are often created by a clueless bureaucrat who does not understand (and doesn't want to understand) the situation "in the trenches". That means that even parts of the official IT staff can be engaged in "shadow IT" activities.

Creating shadow Web services

The existence of Shadow IT implies a failure on the part of IT to provide the services that meet users' needs. As such this problem is a typical sign of the rotting of IT organizations ("fish rots from the head"), a widespread phenomenon due to promotion of incompetent managers, outsourcing and other related phenomena. IT is no longer young, and losing IQ is just one of the ailments of old age.

Deployment of unreliable, slow, resource-hungry systems like Lotus Notes, Lotus Sametime, Documentum and, to a certain extent, SAP/R3 (which often has a very slow response that defeats the purpose and benefits of centralization) also stimulates the search for alternatives.

As with any counterculture, creating your own Web services entails certain risks, including security risks, but it would be simplistic just to condemn it as many writers do. For example:

The existence of Shadow IT within an organization is symptomatic of a lack of alignment between business units and IT and, possibly, even senior management and IT. Shadow IT is, at best, a shortsighted strategy that may work well for a given business unit, but be detrimental for the organization overall.

(see The Dangers that Lurk Behind Shadow IT — Datamation.com). One precondition for the creation of shadow Web services is the ability to run a virtual machine on your laptop or desktop or, on remote sites, the availability of some local Linux expertise.

Often Shadow IT is associated with Unix culture and open source software. Linux essentially started as a countercultural phenomenon and only recently gained corporate respectability. The firewall on a Linux box can easily be configured to exclude any outsiders. If a special non-routable network is used, the service is not visible outside the particular site and it represents a much smaller security risk.

Any modern desktop is an extremely capable and powerful server in disguise, often superior to a "real" server from HP or Dell that is five years old. If it allows a "dual boot" configuration, you already have all the necessary infrastructure.

Also, on remote sites there is always the possibility of getting a "departmental" desktop and using it as a departmental server. In case central IT goes nuts this is one path that might be considered. Using Internet ISPs and places like the Amazon cloud is another possibility, but here the problem is that your data migrates outside of the IT infrastructure. This is a definite security risk, and this way you might violate some corporate policy.

Creation of shadow IT file servers

If using corporate file servers is too painful or they become too slow, one extra laptop or desktop in the group can fill the void. A simple Linux box with Samba is a decent and quick solution.

Creation of alternative email infrastructure

To a certain extent, alternative email infrastructure has existed for as long as Web connectivity has existed. Hotmail, Gmail and other Web-based mail applications automatically mean an alternative email infrastructure. The only question is how widely it is used (it definitely should be used for all private emails). The fact that it is impossible to synchronize with a corporate Blackberry or other smartphone works against shadow email infrastructure, but many people have their own smartphones these days in addition to a corporate one.

Conclusions

Shadow IT is a reaction of users to the problem of fossilization and the loss of efficiency and competence of over-centralized IT organizations. As such it is just a symptom of the disease. In the perverted world of corporate IT it often serves to increase productivity and as such has the right to exist.

It is naive to think that an official edict can stop shadow IT from emerging in a typical large, bureaucratized IT organization with its multiple sites, multiple datacenters and multiple jerks, authoritarians ("kiss up, kick down" type), and psychopaths (especially dangerous are female psychopaths) at the top and middle levels of IT management.

Budget cuts also stimulate looking for alternatives to officially supported IT products, but not to the same extent as the bureaucratization and stagnation of "official" IT organizations.


Old News

[Feb 17, 2014] NetAppVoice Why You Can't Fight BYOD

Aug 05, 2013 | Forbes
The BYOD trend (bring your own device): There’s no use debating it. It’s here to stay. And it’ll get worse before it gets better.

You need to stop fighting it. Here’s why.

BYOD has plagued IT departments since the 1970s. Annoyance at the dawn of BYOD seems quaint when you consider the problems it causes today.

BYOD makes IT’s work more difficult, creates security and privacy liabilities and potentially causes a wide range of problems and risks for IT systems management—in fact, for the company as a whole.

Advice for fixing or preventing these BYOD problems is beyond the scope of this post. But I will say this: Doing nothing about BYOD is crazy talk.

Get Used To It

The reason BYOD is here to stay is psychological. It’s less about technology and more about culture—or even anthropology. It’s about a belief of what is “me” and what is “not me.”

[See also: BYOD: It's A Question Of Lust (And Trust)]

In the old days, the kinds of devices that could be connected inside the firewall were tools or office equipment.

Today, smartphones—and to a lesser extent, tablets and other devices—aren’t categorizable as tools, but instead are part of the employee.

When you hire an employee, you’re nowadays hiring an augmented human. There are things required for work that the employee pays for, and that enhance that employee’s mind and body. They are associated with that employee’s personal self-identity.

... ... ...

For many employees, smartphones are part of their brains, and also part of their identities. Even the simple act of scanning these devices for viruses feels to some employees like an outrageous violation of privacy. That will not change in our lifetimes.

What will change is that even more personal and more problematic BYOD gadgets will be flooding into the office, and soon.

... ... ...

It’s also important to remember that, even as technology advances, the biggest threat remains the lowest-tech threats, such as USB thumb drives and, most of all, employees themselves.

The strongest policy and the strongest password is useless if an employee is socially engineered into giving it away.

The Bottom Line

At the highest level, there are three important things to know about BYOD.

  1. It’s here to stay and will grow.
  2. The potential risks are real, so require mitigation.
  3. It can’t be ignored or wished away.

[Oct 21, 2013] Is BYOD the Problem By Simon Bain, Founder and CTO, Simplexo

03.05.2013 | Website Magazine

There is a great deal of talk about Bring Your Own Device (BYOD) and a lot of statistics suggesting that it is a huge phenomenon taking place across the corporate world. Redshift Research, in a report it delivered for Cisco, tells us that “95 percent of organizations allow employee-owned devices in some way, shape or form in the workplace” with 84 percent of these saying that they provide support for these devices.

However, most instances of BYOD currently relate to people’s use of their own smartphones to connect to the Internet or email to access company documents. Five years ago people simply had two mobile phones – one personal and one issued by work. Today, these two devices have merged into one.

However, remote access to office files using personal devices is not really the issue. What has really got IT decision-makers excited is their increasing difficulty to be able to track company data and understand what is happening to it outside of the enterprise environment.

BYOD is not the problem, cloud storage is. It is now very simple for employees to store documents, for free, using any number of file storage providers such as Dropbox or Google drive. There is also an increasing number of applications that can be downloaded that help with office work. Where data is stored and how securely within these applications is often a mystery. In either case, once out of the enterprise IT environment it becomes impossible for CIOs to know where company data is or who has access to it.

However, it is not just technology, but rather the changing relationship we are having with it as a society that is the real driver of change. For the first time, IT decision-makers are no longer in charge of how IT is used in organizations.

Very quickly, we have all got used to being able to easily choose from a limitless supply of applications in our personal lives, all at little or no cost. This is the antithesis to the corporate environment, which has deployed software and services in a top-down and inflexible manner, giving employees little or no choice. This new and growing consumer-based culture allows for IT services to grow organically to meet the ever-changing demands of the enterprise. So on one level this is all very good news. However, the result is that those entrusted with responsibility for IT have a growing lack of control over data and how it is used.

The fact is, IT departments are never going to be able to compete with the simplicity and ease-of-use that comes from having an instantly downloadable application. This needs to be accepted by enterprise organizations at the earliest possible opportunity as it is only in doing so that they will be able to change their own worldview and work with the new consumer-led culture of IT deployment that is growing at an ever-increasing pace.

I expect to see an explosion in enterprise-grade applications in the next 18 months as the market recognizes the growth in demand from enterprise organizations and IT decision-makers recognize that they need to give their staff a choice of technology within controlled environments.

We could well see, for example, enterprises partnering with third-party app stores that only allow applications that keep data in a recognized and controlled environment. Employees will benefit from having access to a shopping cart of applications to choose from and IT departments will know that they have tight service level agreements with providers detailing required security and data locations. Developers will have clear instructions as to what data security and other hoops that they need to jump through to have access to the market created by the third-party app provider. This is just one possible outcome of many in what is a rapidly changing and volatile market.

Such paradigm shifts will not be an easy process for many organizations. Staff will still complain that the tools they really want to use sit outside any secure environment and will be tempted to use them. The trick will be to have both sticks and carrots - firm and enforceable data control policies and a never-ending search for the best range of applications to meet changing demands.

Cloud computing has been spoken of as the most revolutionary thing to happen in IT for a generation. However, this is only true for the IT department. The most visible revolution is just around the corner as employees take full control of how they use technology to meet their daily needs in work. BYOD smartphones are just the tip of the iceberg.

About the Author: Simon Bain is the founder and CTO of Simplexo Ltd's software solutions

[Dec 02, 2011] The Other One Percent: Corporate Psychopaths and the Global Financial Crisis

Anyone who has ever worked in a large corporation has seen the empty suits that seem to inexplicably rise to positions of power. They talk a great game, possessing extraordinary verbal acuity, and often with an amazing ability to rise quickly without significant accomplishments to positions of great personal power, and often using it ruthlessly once it is achieved.
Their ruthless obsession with power and its visible rewards rises above the general level of narcissism and sycophancy that often plagues large organizations, especially those with an established franchise where performance is not as much of an issue as collecting their rents.
And anyone who has been on the inside of the national political process knows this is certainly nothing exclusive to the corporate world.
Dec 02, 2011 | Jesse's Café Américain


Here is a paper recently published in the Journal of Business Ethics that hypothesizes along these lines. It is only a preliminary paper, lacking in full scholarship and a cycle of peer review.

But it raises a very important subject. Organizational theories such as the efficient markets hypothesis that assume rational behavior on the part of market participants tend to fall apart in the presence of the irrational and selfish short term focus of a significant minority of people who seek power, much less the top one percent of the psychologically ruthless.

Indeed, not only was previously unheard of behavior allowed, it became quite fashionable and desired in certain sections of American management where ruthless pursuit of profits at any cost was highly prized and rewarded. And if caught, well, only the little people must pay for their transgressions. The glass ceiling becomes a floor above which the ordinary rules do not apply.

If you wish to determine the character of a generation or a people, look to their heroes, leaders, and role models.

This is nothing new, but a lesson from history that has been unlearned. The entire system of checks and balances, of rule of law, of transparency in government, of accountability and personal honor, is based on the premise that one cannot always count on people to be naturally good and self-effacing. And further, that at times it seems that a relatively small group of corrupt people can rise to power, and harm the very fabric of a society.

‘When bad men combine, the good must associate; else they will fall one by one, an unpitied sacrifice in a contemptible struggle.’

Edmund Burke

'And remember, where you have a concentration of power in a few hands, all too frequently men with the mentality of gangsters get control. History has proven that.'

Lord Acton

These things tend to go in cycles. It will be interesting to see how this line of analysis progresses. I am sure we all have a few candidates we would like to submit for testing. No one is perfect or even perfectly average. But systems that assume as much are more dangerous than standing armies, since like finds like, and dishonesty and fraud can become epidemic in an organization and a corporate culture, finally undermining the very law and principle of stewardship itself.

'Our government...teaches the whole people by its example. If the government becomes the lawbreaker, it breeds contempt for law; it invites every man to become a law unto himself; it invites anarchy.'

Louis D. Brandeis

MF Global, and the reaction to it thus far, is one of the better examples of shocking behaviour that lately seems to be tolerated, ignored, and all too often met with weak excuses and lame promises to do better next time, while continuing on as before.

"These corporate collapses have gathered pace in recent years, especially in the western world, and have culminated in the Global Financial Crisis that we are now in.

In watching these events unfold it often appears that the senior directors involved walk away with a clean conscience and huge amounts of money. Further, they seem to be unaffected by the corporate collapses they have created. They present themselves as glibly unbothered by the chaos around them, unconcerned about those who have lost their jobs, savings, and investments, and as lacking any regrets about what they have done.

They cheerfully lie about their involvement in events are very persuasive in blaming others for what has happened and have no doubts about their own continued worth and value. They are happy to walk away from the economic disaster that they have managed to bring about, with huge payoffs and with new roles advising governments how to prevent such economic disasters.

Many of these people display several of the characteristics of psychopaths and some of them are undoubtedly true psychopaths. Psychopaths are the 1% of people who have no conscience or empathy and who do not care for anyone other than themselves.

Some psychopaths are violent and end up in jail, others forge careers in corporations. The latter group who forge successful corporate careers is called Corporate Psychopaths...

Psychologists have argued that Corporate Psychopaths within organizations may be singled out for rapid promotion because of their polish, charm, and cool decisiveness. Expert commentators on the rise of Corporate Psychopaths within modern corporations have also hypothesized that they are more likely to be found at the top of current organisations than at the bottom.

Further, that if this is the case, then this phenomenon will have dire consequences for the organisations concerned and for the societies in which those organisations are based. Since this prediction of dire consequences was made the Global Financial Crisis has come about.

Research by Babiak and Hare in the USA, Board and Fritzon in the UK and in Australia has shown that psychopaths are indeed to be found at greater levels of incidence at senior levels of organisations than they are at junior levels (Boddy et al., 2010a). There is also some evidence that they may tend to join some types of organisations rather than others and that, for example, large financial organisations may be attractive to them because of the potential rewards on offer in these organizations."

Clive R. Boddy, The Corporate Psychopaths Theory of the Global Financial Crisis, Journal of Business Ethics, 2011

[Nov 11, 2011] The Rise of Shadow IT By Hank Marquis

Sep 19, 2006 | CIO Update

The loss of competitive advantage from IT may not be entirely due to its commoditization. It is starting to become clear that at least some of the responsibility lies with business activities taking place outside of the control of IT. Today, business users and knowledge-workers create and modify their IT infrastructures using “plug-and-play” IT products. These commodity IT products are now so easy to use, cheap, and powerful that business users themselves can and do perform much of the work traditionally done by IT.

But without the planning and wider view into the ramifications of their actions provided by IT this often results in disastrous consequences. Forrester Research found 73% of respondents reported incidents and outages due to unplanned infrastructure modifications.

Welcome to the gritty reality of commodity IT. Aside from the opportunity costs and operational losses resulting from this uncontrolled plug-and-play free-for-all, many companies are missing out on the competitive advantage potential that harnessing commodity IT delivers.

Within this disturbing new reality lie both the seeds of competitive advantage and a viable model for 21st century IT. In the Summer 2006 issue of MIT Sloan Management Review, I proposed in “Finishing Off IT” that even though IT is now a commodity it can and does enable significant competitive advantage. Resource dependency creates complex relationships between consumers and providers.

These interdependent relationships in turn produce organizational problems that require organizational solutions. Offered as a solution was the notion that management and organizational structure, not technology, hold the promise of sustainable competitive advantage from IT, and that manufacturing process control techniques hold a viable model for the future of IT.

21st Century IT

To visualize how a 21st century IT organization could look, it helps to consider the production and consumption of IT services as a manufacturing micro-economy.

IT manufactures information processing, communication, and collaboration products that underpin nearly all business operations. Knowledge-workers consume these IT products in pursuit of business objectives using everything from simple emails to more complicated core activities like forecasts and audits.

A deeper exploration of what actually occurs within the IT micro-economy helps to further clarify the issue. Based on real events I documented between December 2005 and July 2006, the following dramatization presents a composite of the experiences reported by a number of mid-to-senior IT managers.

On the way to the office your Blackberry vibrates. It’s a message from your staff. Users on the east side have been tech-swapping again. You know how it goes: “I’ll trade you this color printer for your wide screen monitor.” You know this is going to raise flags with the auditors.

You get to your office and there is a note from the service desk about that system outage on the west side. It turns out the system went down because its users bought some high-resolution scanners and connected them to the system themselves.

You didn’t even know they had scanners until they called demanding support.

Downtown, a group of users decided that to improve performance they needed to regularly transfer gigabytes of video from the main conference room uptown to a storage area network (SAN) they built on their own. As you suspected, these transfers were responsible for slowing down a business-critical application that has managers all over the company grumbling.

An email from the PMO informs you of a new project that will require extra support staffing starting in two weeks; first you've heard of that. You look at the calendar and sigh—budget and staff reductions, increasing user counts, more audits, increased legal regulations, major new and unplanned applications, connectivity and collaboration requirements, and very powerful and unhappy customers to placate.

So much for delivering the IT projects you did know about on-time and on-budget.

This “bad behavior” by the business amplifies the already accelerating velocity of change facing IT whether in-sourced or out-sourced.

The true nature of today's average IT environment is not pretty, and it’s not something most senior executives have fully grasped. It may also turn out to be a critical factor in obtaining competitive advantage from commodity IT.

Rise of the Knowledge-Worker

IT commoditization changes the balance of power between IT and the business, and within the business itself. Within the IT micro-economy of plug-and-play commodity IT, the consumer/supplier exchange relationship has shifted. This requires dramatic changes in thinking and management.

Traditional wisdom holds that the consumer for IT services is a functional business unit—sales, marketing, and so on—but, today, the real consumers of IT services are ad-hoc teams of knowledge-workers spanning multiple locations, and crossing business unit and corporate boundaries.

This shift in the exchange relationship has profound implications for the business and IT.

The underlying cause is the unstoppable commoditization of IT as advances accelerate productivity: The ubiquitous availability of information and internet technology is enabling knowledge-workers to traverse geographic, political boundaries, and now functional barriers.

Called “Shadow IT,” they are the millions of knowledge-workers leaping traditional barriers and asserting themselves in ways that challenge traditional IT departments.

Knowledge workers perform vital business functions like numerical analysis, reporting, data mining, collaboration, and research. They use databases, spreadsheets, software, off-the-shelf hardware, and other tools to build and manage sophisticated corporate information systems outside of the auspices and control of traditional IT.

By creating and modifying IT functionality, knowledge-workers are in effect supplanting the traditional role of corporate IT. However, they do so in a management and process control vacuum.

While the business can do these things due to the commoditization of IT, few executives ask if they should do them, and fewer say they must not. Virtually none realize the impact or import. Instead, to the dismay of IT staff, most senior executives and most CIOs condone virtually any demand the business makes.

This lack of control is responsible for many of the problems associated with IT today.

While the IT center-of-gravity has irrefutably shifted to the knowledge-worker, they do not have the long-term vision or awareness of dependencies and planning that IT traditionally provides.

The business wonders why IT doesn’t get "it" and ponders outsourcing when instead they should be taking responsibility for their own IT usage. No product IT can buy, and no outsourced IT utility, can handle these and similar issues encountered in ever-increasing numbers by real IT organizations.

Yet, it is precisely this consumer/supplier shift, increasing dependence upon IT, and the product-oriented nature of commodity IT that provides companies with the opportunity to leverage it for competitive advantage. However, many senior executives have so far turned a blind eye to Shadow IT, implicitly condoning the bad behaviors previously described—and they are throwing away any advantage that IT can provide.

New World Order

This lack of management control over business IT consumption has a tremendous cost. It is partly responsible for loss of the competitive advantage that IT can and does deliver, and is directly responsible for many lost opportunities, increased costs, and service outages.

Over time the erosion of perceived IT quality usually leads to outsourcing, which is increasingly seen as an incomplete solution at best, and a disaster at worst.

In order to recover and expand upon the advantages promised by commodity IT, senior executives have to change their concepts of an IT department, the role of centralized control, and how knowledge workers should contribute. The issue is fundamentally one of management philosophy.

The Nordstrom way promotes a customer/worker management philosophy where management’s first commitment is to the customer. The customer is always right in the Nordstrom way. This accurately reflects the hands-off position taken by many senior executive leaders with regard to out-of-control Shadow IT practices and bad business behavior.

A better management philosophy for commoditized IT is the ‘Southwest’ way. In the Southwest way, the worker comes first. The customer is not always right, and Southwest has been known to ask misbehaving customers to fly another airline.

Management’s first concern is the worker, because they know that workers following sound processes hold the keys to customer satisfaction, and in turn, competitive advantage.

Making the Southwest model work for 21st century IT requires a more comprehensive view of what constitutes an IT organization, a view that extends well past the borders of what most leaders consider IT.

Shifting Demographics

The rising sophistication and expectations of knowledge workers results in divergence in perceived operational goals between IT and the business—an indicator of task-uncertainty and a key contingency within structural contingency theory.

These changing demographics give new urgency to the need for coordination of knowledge-workers and IT, yet management is trying to centralize IT spend and control via the CIO role.

Instead of embracing Shadow IT, CIOs are trying to shut it down. Consider instant messaging (IM), an application many knowledge workers consider critical. IT's approach to IM is reminiscent of the early days of the Internet.

Instead of realizing the job of IT is to support the needs of knowledge-workers, most IT organizations are trying to stamp out IM—just as they tried to restrict and eliminate Internet access. How will traditional IT respond to Wikis and blogs as corporate IT tools in the future?

The Corporate Executive Board projects that the percentage of IT spend under central control will grow from 50% in 2002 to 95% in 2006, but this does not take into account the knowledge-workers of Shadow IT.

A study by Booz Allen Hamilton found that shadow IT personnel equal as much as 80% of the official IT staff. Clearly, despite the best efforts of senior leaders and IT, the business stubbornly refuses to succumb to centralized IT control.

The problem with the current direction of the CIO role is that it typically has responsibility to support the business without authority to control the business; a classic management mistake leading to the aforementioned dilemmas.

The lure of commodity IT is great. Since shadow IT is a direct result of commoditized IT and resource dependency, it also demonstrates that both corporate IT, and IT utilities, are not delivering the services required by knowledge workers.

However, most IT leaders do not understand the strategic contingencies within the commoditized IT micro-economy. They don’t know their marketplace, and they don’t know who their customer is. In effect, IT is manufacturing the wrong products for the wrong market. IT doesn’t get it either.

[Jan 05, 2011] Shed light on shadow IT

07/13/2004
CmputrAce

They exist for good reasons

As was mentioned in the article, shadow IT exists because the business unit(s) *perceive* that IT is not meeting their needs. Whether or not that is an accurate perception is meaningless, because it is IT's fault that the perception exists.

I was part of a "shadow" IT unit at a major oil company that had (and still has) a monolithic IT department. We built systems in months that would have taken IT the same time just to complete their "JAD" sessions, and one of those projects went on to win the Microsoft Open competition at Comdex in 1993. Our little "shadow" IT unit changed the way Shell did IT - at least for a while. The corporate standard was going to be OS/2 - we demonstrated to them that Windows 3.0 was a better solution for the average desktop. They insisted on buying IBM PS/2's - we proved to them that it was much more economical AND MANAGEABLE to buy less-expensive, more mainstream units (clones). They insisted on buying IBM 8-bit SNA adapters, while we were purchasing Madge 16-bit SNA adapters at almost half the price. We also updated their networks for the whole complex.

At the end of our first year of operations, we had saved the company over $1 million in support costs and were rated the highest support unit in the company.

If you are in IT and have to "deal" with a shadow unit, here's a word of advice. LEARN FROM THEM. They exist for a good reason, and if you want to take them under your wing, let them teach you what they know. Make friends. Work together. Monolithic IT is good at moving slowly, so SLOWLY integrate the shadow units and learn from them.

Cool_Breeez
Your assumptions are as much of the problem.

Your description of local IT organizations as "clandestine," "ominous," and "illegitimate" are symptoms of an attitude common among those who work for Central IT organizations. This attitude is often as much or more responsible for the problem as you cast it than all of the issues cited in this article combined.

The author of this article creates a neat self-fulfilling prophecy by relying on opinions from people who sell their services to Central IT Managers. Therefore, the perspective is limited to the very narrow interests of IT managers "afflicted" with the problem of informal IT functions. While security, network administration, and configuration management are critical requirements of any enterprise, they are most often peripheral to the organization's primary goals. In this context, the Central IT function becomes a service to the business and IT Staff service providers who must make their services (security for example) relevant to their "customers." Thus, this article does not address the all too common communications failures of IT groups, the "not invented here syndrome" that almost defines the notion of Centralized IT, and the common lack of business savvy that dominates corporate IT.

This is an entirely superficial and incomplete treatment of one of the most costly aspects of modern business.

Shadow IT (aka Doing What IT Won’t-Can’t) By Eric D. Brown

February 23, 2007 | ericbrown.com

Shadow IT has been defined by George Spafford in his article titled The Dangers that Lurk Behind Shadow IT as:

groups providing information technology solutions outside of the formal IT organization. Their existence is due to groups thinking they can do things cheaper and/or better than the formal IT group. Also, it may be that the formal group can’t meet their service requirements or the formal group is forced to develop generic applications in an attempt to meet the needs of everyone and controlling costs versus customizing applications to meet the needs of business units.

A few examples:

How do we solve the Shadow IT problem? Mike Schaffner over at Beyond Blinking Lights and Acronyms has a few ideas. In a post titled Shadow IT Revisited, he writes:

The bottom line is we have to figure out a way to provide needed user services while meeting the legitimate IT concerns or the users will by-pass IT and do it on their own.

Mike is right. IT needs to be able to provide services to the business that force the business to never have to think about IT…don’t give IT users the opportunity or reason to look outside of the IT group for support. In other words, provide top-notch support to the business. This may require additional costs in adding headcount, but it might be something to consider if a good portion of the IT groups’ time is spent fighting Shadow IT issues.

Another way to solve the Shadow IT problem is for IT groups and senior leadership to understand the value that the IT group can provide to the organization. IT can do so much more than ‘support computers’…they can provide a strategic advantage as well.

Mike’s post, which describes an article titled “Users Who Know Too Much (And the CIOs Who Fear Them)” on CIO.com provides a great overview of how to solve the Shadow IT problem and is definitely worth jumping over and reading the CIO.com article and Mike’s post.

PS – Mike has another good post titled “IT Needs to Become more like Shadow IT” in which Mike describes more ideas for resolving the Shadow IT problem.

Selected comments
Adam Pacio:
November 1, 2007 at 1:47 pm

I like the name, ‘Shadow IT’. I have to say that I’ve been a part of it in the past, and I’m a part of Shadow IT in my current workplace, too. Partly due to the fact that for a decade I was working as a graphic designer, and company IT has been less than happy with having to work with Macs until relatively recently (the OS X years), so there is a whole generation of the design industry who are accustomed to providing their own network support and troubleshooting.

The other part seems to be the lack of understanding of technology in general from a senior management level. The old guard of managers don’t understand, for example, that it *might* just be a good idea to check with IT before committing to server solutions and rich internet application builds until it’s usually too late.

The upshot of all of this is that the IT Professional can no longer be expected to be the single-source of Information Technology advice. Nowadays you’ve got content managers and enterprise-level tech departments which operate on a P&L bottom line and outside of the traditional IT chain of command. If IT is going to combat the development of ‘shadow IT’ departments, it needs to become much less of a silo and more of a distributed network of knowledge leadership, but also knowledge support.

Which is very plain from the tech person’s POV, but not so much so from Sr. Mgmt or within the legacy hierarchy structures that most companies are struggling to revise or retool.

Shadow IT

Oct 07, 2010 | GovExec.com

America Online, eBay, Google, iTunes, MySpace, instant messaging, Yahoo, YouTube. What would life, or work, be like without these and other popular Internet-driven diversions?

Today's workers are tech savvy, and government employees are no exception. They want and use the latest applications. Whether their information technology administrators like it or not, federal workers are using the software to be more productive or, at times, to be entertained.

These un-approved applications don't come from agency IT shops, though; employees are downloading them directly off the Internet. The practice has become so widespread in all kinds of organizations that it now has its own descriptor: shadow IT.

The problem is that shadow IT poses security risks. The applications could have vulnerabilities that provide the holes hackers need to access employee computers and government networks and steal information or install malware. At a hearing this summer of the House Oversight and Government Reform Committee, security monitoring company Tiversa Inc. testified that it had found 200 government documents during a scan of the top three peer-to-peer software applications, which allow computer users with the same software to share files stored on their PCs or laptops.

Fear of security mishaps has caused some IT managers to ban unapproved technology by issuing strict policies or configuring firewalls to block applications. But how realistic is it to expect users to steer clear of the increasing array of cool technology tools? "Resistance is futile," says Alan Paller, director of research at the SANS Institute, a nonprofit cyber-security research organization in Bethesda, Md.

And fighting shadow IT could be counterproductive. Agencies that institute prohibitive policies will face substantial pushback, Paller predicts. Such policies could radically reduce the convenience of useful information sources and communications platforms, and could make employees less productive in the long run, he says.

Videoconferencing and wireless Internet access, which many agencies initially opposed, serve as examples of how departments could come to accept other new technologies, Paller says. When agencies blocked the use of Wi-Fi, managers sometimes couldn't reach workers, which ushered in the use of wireless technologies.

But the federal government has done little to keep up with the proliferation of applications. The latest policy governing employee use of government-issued PCs or laptops is now eight years old. According to a 1999 report from the interagency Chief Information Officers Council, workers are permitted limited use of office equipment -- including Internet services and e-mail -- for personal needs if it does not interfere with official business and involves minimal expense to the government.

Inappropriate uses are any that could cause congestion, delay or disruption of service to government systems. Creating, downloading, viewing, storing, copying or transmitting materials that are "illegal, inappropriate or offensive to fellow employees or the public" is prohibited as well.

To make sure employees follow proper procedures, some agencies, such as the General Services Administration, inform employees that their computer activities are continuously monitored. But a 16-year GSA veteran, who asked not to be named, says whether managers are "actively doing that is questionable."

The bottom line is "these workstations are not for personal use," he says. Still, this worker routinely checks his personal Yahoo.com e-mail account, which is "unavoidable because you're at work eight or nine hours a day," he says.

Personal applications downloaded from the Internet are widely used in government, including many congressional offices, where instant messaging is practically the primary means of communication. A former chief of staff on the Hill says IM was a necessity in his office. Sometimes he would find himself IMing facts and figures to his press secretary from across the room while his colleague conducted a telephone interview with a reporter.

The frenzy over downloaded software has only just begun, Paller warns. Applications being used without IT managers' blessings are "a tenth of what you'll see in two or three years," he says. The popularity of one of the largest virtual worlds, Second Life, and any number of next-generation Web wonders are going to fuel what he predicts will be an intensely interactive, "high-fidelity, high-bandwidth" culture -- if it hasn't already begun.

Instead of fighting it, Paller advises finding a secure way to allow the technologies. Agencies should embrace the concept of "comply and connect" rather than "scan and block," he says. Since 2005, the Air Force has not allowed any computer to be connected to the Air Force network unless it has a common configuration and all patches and updated security software have been installed, Paller says. In March, the Office of Management and Budget recognized the economic and security benefits of the initiative and issued a similar mandate for all agencies.

Marty Lindner, a senior staffer at Carnegie Mellon University's federally funded Software Engineering Institute, offers a common-sense solution. IT restrictions should be squared with the mission of the agency and the sensitivity of job functions, he says. "If I'm the operator of a nuclear power plant, I don't think anything should be allowed on that [computer] desktop that doesn't have to do with running that power plant," Lindner says.

Agencies also should create a detailed policy about what can be loaded onto PCs and laptops. Most important, IT managers then must check individual PCs and laptops to "make sure people are following it," Lindner says. Setting an office policy can define "the things you should not do and the things you're allowed to do based on your business model," he says. "Just highlighting the stuff you cannot do is a bad way to write policy."

One way to let employees know what they can do is to create "white lists" of approved applications and popular Web destinations that employees can download and visit, says Shawn McCarthy, analyst at Government Insights, a Falls Church, Va., IT consulting firm. IT administrators sometimes are reluctant to embrace this approach because it's a big job, and they should not be setting business policies, he says. But the trick, McCarthy says, is to find "the right balance between individual productivity and the needs of the IT department."

Andrew Noyes is a senior writer for National Journal's Technology Daily.

Shedding Some Light on Shadow IT

WorkloadIQ

You’ve no doubt heard about the stealth cloud—people “flying under the radar” consuming IT services without the permission or support of IT. Personally, I call it Shadow IT, because SH**IT happens—and whether you want to admit it or not, it’s happening in your company.

Business users are adopting cloud computing in droves—underground. So what can you do? Embrace it. Well, that is if you want to maintain enterprise security and compliance—and retain your customers. Recently, I read a really interesting article on this very topic—which includes some ideas on how to address this growing challenge. It’s a good article. Give it a read if you have a few minutes.

So why are IT organizations still so averse to cloud computing? Most people today will tell you it all boils down to concerns over security. However, most cloud providers can probably provide better security than most enterprises can. After all, their core business depends on it for survival. So I’ve started to wonder if it isn’t more of a case of insecurity. You see, for as long as I can remember, IT’s perceived role has been one of control. Underground cloud computing takes away virtually all of that control and puts it squarely in the hands of business users.

From what I’ve seen over the years, IT people are often insecure about their jobs or abilities. If they lose control of what goes into the cloud, perhaps they fear they won’t have anything to build or manage, or anyone left to control.

What IT perhaps fails to see is that when a business user goes around them and starts using an unapproved cloud-based app, they’re not doing it out of malice. They’re just trying to get their job done—and they view IT as too inflexible and unresponsive to help them. So they take matters into their own hands. Unfortunately, this underground cloud computing opens the company up to untold risk exposure and compliance issues, which could easily drive away customers if something were to go wrong.

So whether IT likes it or not, the time has come to start embracing cloud computing. IT needs to become more flexible and responsive to keep up with the pace of today’s business. Trust me, it’ll make upper management and your auditors much happier.

Intelligent workload management, infused with identity, can make the process that much more painless. Specifically, Novell WorkloadIQ solutions can help you and your IT organization discover the underground cloud applications that are being used, evaluate them and adopt the ones that make sense for your business. Then, you can build, secure, manage and measure your workloads across physical, virtual and cloud environments quicker and easier—and with confidence.

If your head is in the sand, pull it out—get past the insecurities and shine some light on stealth cloud.



Copyright © 1996-2014 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine. This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contains some broken links as it develops like a living tree...

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: July 01, 2014