Stop stomping out shadow IT

“I have two questions for you,” a client told me, shortly after I launched IT Catalysts: “The first is, how can I instill a better customer-service attitude among the IT staff? The second is, how can we stop all of the shadow IT [he called it ‘rogue IT’] that’s going on in the company?”

My answer was, and continues to be, pick one. If they’re really your customers you have no business telling them they can’t do what they want to do. It’s the difference between being a restaurateur and a dietician.

And even that answer is less than the best, because neither one is a particularly good idea. So pick neither.

There are no internal customers, as regular KJR readers are tired of reading by now, and anyway, the word “customer” is superfluous. Instill a service attitude and have done with it. “We’re here to help everyone else take care of the people who pay the bills … the company’s customers,” does the job just fine.

Meanwhile, IT’s attempts to stop shadow IT are like squeezing a closed tube of toothpaste. The toothpaste just moves around inside the tube, just as shadow IT is moving from the PC’s hard drive to the cloud.

We used to be able to pretend. We’d lock down the desktops, hoist up the landlubbers, and congratulate each other over having followed security best practices.

We can’t pretend anymore, though. Back when, we were able to prevent the sales force from installing Act! on their laptops, thereby reducing an already-minor security risk while helping make sure the company’s revenues were smaller than they could be.

That was then. This is now. We can still lock down their laptops, but we can’t lock down the cloud, which means that while we can stop the sales force from buying Act! licenses ($550 each one-time), the only way to stop them from “installing” Salesforce.com licenses ($780/year ongoing) is to use a website blocker, which means the cost of blocking Salesforce.com (blockers aren’t free, and someone needs to administer them too) probably exceeds the cost of buying Act! licenses.

Here’s what kills me: Salesforce.com has to have the most amazing PR machine in history, because the usual cant about Software as a Service is how much more economical it is than the usual IT-installed solutions.

And lots of CFOs believe it!

There are, at a rough level of analysis, two types of CFO. One understands only costs, and sees IT as the company spendthrift, always trying to increase them; the other understands both the concept of investment and the value of better tools.

The CFOs who believe the “the cloud saves money” stuff are mostly cost-CFOs, I think, probably because:

  • It fits the IT-as-spendthrift narrative they’ve already bought into. Few people scrutinize statements they agree with.
  • As Salesforce.com charges are paid monthly, and out of the Sales Department’s budget besides, they’re pretty much invisible, even though they’re a helluva lot higher.
  • IT has locked down the desktops to stop shadow IT, which means IT has to buy the Act! licenses (there’s that spendthrift thing again), handle the installations, and support the users (we’ll have to hire more staff).
  • Because we’re IT and think this way, we’ll first do a bunch of business analysis to determine whether Act! or an enterprise CRM suite would be a better choice.
  • Also because we’re IT and we think this way, we’ll do more business analysis to determine how to configure the solution we decide on to fit the company’s sales process, and to integrate it into whatever other systems it has to integrate into.

By the time we’re done, Salesforce.com costs a lot less … not because it has to, but because we’re so determined to stamp out shadow IT and do things “right.”

Imagine that instead of trying to stamp out shadow IT, we embraced it. The sales director would have told us that many of the sales reps wanted to install Act! Is there any problem with this?

No. No problemo, so long as they’re willing to be self-supporting (just as they are with Salesforce.com) and aren’t looking to integrate Act! into any of the company’s other systems.

And if Sales wants IT to provide integration and support? That also isn’t a problem, and costs the same whether IT is integrating and supporting Act! or Salesforce.com.

There are three bottom-line “goods” in any business: Revenue, cost, and risk. Stamp out shadow IT and you’ll reduce risk a bit. Embrace it and you help improve revenue and cost.

Tough choice.

Comments (12)

  • Obviously we want to take advantage of everyone’s ideas and certainly IT people are not the only people who can come up with ways to utilize computers effectively. The question is always how do we get the individual computing activities to mesh together into a greater whole? In short, if we just have a free for all, the best we can expect is 2+2 = 3. How do we manage these independent activities so we can get to 2+2 = 4 and maybe 2+2 = 5? In short, how can we make the whole environment so it is greater than the sum of its pieces? Maybe the best model is lean manufacturing. Someone smart determined we are better dealing with the entire end to end process rather than suboptimizing each individual work station.

    • Related to my other reply…

      Your comments about systems integration are another issue with shadow IT. End users aren’t going to consider how systems need to tie together to bring great overall efficiency. So again, the need to control shadow IT to create a standard IT architecture.

  • Bob,

    This is a rarity, but I have to disagree with you on shadow IT. I work for a large, multinational company and we’ve ended up with 180 different client reporting systems thanks to shadow IT.

    We are trying to work more closely with the business to understand their needs and point them to standard solutions through an expanded business relationship management team within IT. But if we don’t try to limit shadow IT, we will continue to waste millions of dollars on systems that are redundant and don’t meet anyone’s needs.

  • Bob: I see two sides to this coin. On the one hand, I understand the desire to embrace “shadow IT”. On the other hand, however, I see the multi-dimensional Red Queen’s race we are already running (and losing) with regard to IT security. Considering the legal jeopardy that a company can enter into if personal information is mishandled or leaked, and the loss of revenue that can be triggered through the leaking of intellectual property, this choice is really, really, really hard.

    I think you might do a follow-on (maybe two or three columns, even) to discuss what the real ins and outs of embracing “shadow IT” really are. What things are off-limits without negotiation? What are the real “don’t cares”? How do you rationally evaluate costs and risks?


  • Could the demand for shadow IT be taken as signals that there is a “deficiency” somewhere in what IT is providing? Not that IT has necessarily done a bad job, but that they still have more work to do—and more opportunities, or maybe threats.

    • In our case, it’s because IT has done a poor job of reaching out to the business to understand demand for services. Of course, we still don’t have enough resources.

      But I don’t think it’s the user’s “fault” that we have shadow IT.


  • I don’t think it’s as simple as you think, Bob. Sadly we live in a world of auditors and regulations. Let’s use salesforce.com as an example. If your marketing department runs off and contracts with them, what happens when salesforce.com loses information or suffers an outage and there isn’t a recovery system available? Or my favorite one, an employee starts to do their own data mining and customer reporting — wrong customer reporting. I get that there are shops that are way too tied down, but when was the last time you saw a nurse doing surgery in a hospital (she has access to all the tools). I know I’m stretching it, but running a business well requires knowledge and some form of structure.

  • Bob, earlier this summer you wrote about Enterprise Technical Architecture Management. Shadow IT seems kind of like the opposite of that. Is there a time and place for each?

    • Sue …

      You’re right that shadow IT, and especially unsupported shadow IT, is unlikely to conform to a managed enterprise technical architecture.

      As stamping out shadow IT isn’t just a bad idea, it isn’t really possible, the solution is to incorporate the requirements of shadow IT into the architecture.

      I’ll talk about the specifics in an upcoming column. Thanks for raising the issue.

      – Bob

  • Thank you for writing this article.

    I think the core idea you are expressing has to do with the tension that exists between the perceived efficiency of centralization (IT controls everything) and the perceived effectiveness of decentralization (perfectly fitted custom solutions right in the place of the specific problem designed by the person most intimately connected to the problem). And with all complex systems, the answer is probably not as simple as one way (centralized IT) or the other (let the business reproduce IT value resulting in a substantial overall inefficiency).

    I would love to see you write an article delving more deeply into the myriad of problem spaces IT faces where the business tends to try and invent locally “because IT just isn’t responsive enough”. My own experience says that sales-like activities are better suited to the “embrace it” attitude than, say, core financial activities where security and regulatory compliance tend to have a much higher value.

    Thank you again for hitting an industry hot button dead center.

  • I think Jim has gotten to the crux of the matter. There is a tension between helping everyone get everything they want, and doing everything by the book.

    For every organization, there is some per-project, per-department, per-situation middle ground that has to be worked out to the benefit of the organization. The answer is not always that IT is clueless or negligent. Nor is the answer that the business is always too demanding or unreasonable.

    The real risks to the business must always be identified and addressed, and this requires cooperation between IT and other departments. IT also needs to have the necessary resources to do these things correctly, but expediently. This is where the other departments can validate IT’s request for necessary resources.

    Trying to stamp shadow IT out is counterproductive, and it will just sneak underground. Letting everyone do exactly what they say they want, and how they say they want it, is reckless. Timely and appropriate assistance will lead to more information sharing, which will lead to better results for the organization.

    It can be done, albeit gently.

    -ASB: http://XeeMe.com/AndrewBaker
