Ben Worthen has written a great article on CIO.com about dealing with Shadow IT, "Users Who Know Too Much (And the CIOs Who Fear Them)". He outlines a key factor about Shadow IT: "Users want IT to be responsive to their individual needs and to make them more productive. CIOs want IT to be reliable, secure, scalable and compliant with an ever increasing number of government regulations. Consequently, when corporate IT designs and provides an IT system, manageability usually comes first, the user’s experience second. But the shadow IT department doesn’t give a hoot about manageability and provides its users with ways to end-run corporate IT when the interests of the two groups do not coincide."
Because of this, Shadow IT isn't something that will go away. We can't legislate it away or control it with strict policies and procedures. I interpret his article as additional support for my original opinion that "the only way to put an end to shadow IT is for formal IT to compete with shadow IT head-on and outperform it." The great part of the article is that he makes some very interesting suggestions on how to do this.
Worthen lists 5 techniques to, as he says, make peace with Shadow IT. He does point out that these are a starting point and that how they should be applied depends upon such things as risk tolerance, the degree of regulation to which you are subject, etc. His techniques are:
- Find out how people really work. - Don't drive Shadow IT further underground by trying to squelch it. This is an opportunity to find out where the IT services you provide are out of sync with your users' needs.
- Say yes to evolution. - Shadow IT projects are attempts to solve simple problems. Figure out a way to solve that problem while minimizing the risks.
- Ask yourself if the threat is real. - "When a CIO prohibits people from using a technology that doesn’t pose a real security threat or doesn’t adversely affect his budget, he is setting himself up as a tin idol, a moral arbiter. That’s a guaranteed way to antagonize users. And that’s never a good idea."
- Enforce rules, don't make them. - Get the business leadership involved in making the rules about how people can access and use data. They know better what the user needs are than IT does.
- Be invisible. - ". . . the key is to develop an approach that secures data without depending upon how a user accesses it or what he does with it."
This is an article well worth reading. I especially liked the tagline that appeared near the end of the article.
"Messy But Fertile Beats Neat But Sterile"
The bottom line is we have to figure out a way to provide needed user services while meeting the legitimate IT concerns, or the users will bypass IT and do it on their own.
The one thing I did find disturbing about the article was some of the comments from CIOs. It was rather disappointing to see CIOs that are still in the mindset of tight control of IT services even if it limits the usefulness. I suspect they have a carefully hidden but rampant Shadow IT operating in their organization.
What are your thoughts?