Ready for a classic horror story?
It’s a dark and stormy night (of course it is). Deep shadows are spreading. In them, a nameless evil starts to take form.
A secret society is there to name that evil and fight the shadows (sound fx: crack of thunder). But it needs your help!
The secret society is Internal Audit, the spreading shadows are shadow projects — the too-small-to-notice-but-too-important-to-let-fail projects business managers charter. The name of the nameless evil? “Shadow IT”!
Now you know why I don’t write fiction.
It is, however, a horror story because the last thing IT should be doing in most organizations is treating these as evils.
The story so far:
Before the cloud became a force, IT had mostly stomped out shadow IT by locking down desktops, limiting the availability of MS Access, and disabling VBA. That successfully eliminated the risk that non-IT staff might create value with IT innovation, while shifting intruders from buffer-overflow exploits to phishing attacks.
But then came the cloud, and specifically Salesforce.com, which represented a triple threat:
- It catered to Sales, the least rule-conscious group in any business. Being part of revenue and all, it has more political muscle than IT, too.
- Unlike most business applications, Salesforce.com can be implemented effectively without any integration into other business systems.
- IT couldn’t stomp it out without instituting Internet filtering, which is a labor-intensive pain in the patootie requiring additional headcount the CFO probably wouldn’t approve were IT to try to make its case.
Face it: The cloud means shadow IT is going to happen. That ship has sailed. We can either climb on board or wait at the Greyhound station, doing what we can to keep our so-called “internal customers” from climbing onto buses they no longer want to ride anyway.
Oh, and in a classic case of turnabout being annoyingly fair play, while IT can’t stop shadow IT anymore, our partners throughout the business can easily stop us from climbing the gangplank to join them.
Then there are shadow projects. Like shadow IT, shadow projects happen outside the company’s approval processes. The managers who want them to happen simply charter and assign them, because they have enough authority without anyone else butting in to make sure they’re “done right,” whatever that might mean.
Something else the two shadows have in common: As a practical matter, their costs are low, their benefits are, in proportion, high, and the cost of stopping them would exceed the cost of just letting them happen.
One more characteristic they share is that they increase risk, because the folks who take them on often aren’t as familiar with the company’s compliance requirements as IT professionals, who have to take those requirements into account in everything they do.
That doesn’t, however, mean IT has to become the Deputy Dawg of company compliance.
The fact of the matter is, Internal Audit gets a bad rap in most companies. Its goal isn’t to prevent people from doing their jobs. It’s to recommend a healthy set of management controls, then to make sure everyone complies with the controls management actually adopts.
Describe a hypothetical shadow project to Internal Audit. Make it a typical one — one that’s going to build some shadow IT that won’t cost very much, and will do something useful and profitable. Ask if it should be stopped because it might lack the proper controls, and the most likely answer will be, no, don’t stop it. Just have it add the proper controls.
Internal Audit isn’t the only compliance function in the company. Inside IT (or inside its orbit), enterprise technical architecture management (ETAM) and information security wear compliance hats, and sometimes the PMO as well. Because they’re compliance functions, making sure everyone complies is almost instinctual. That is, after all, what compliance means.
And so, ETAM turns into the architecture police, the PMO turns into the methodology police, InfoSec turns into the Value Prevention Society, and IT takes the easy way out, doing its best Sergeant I-see-nuthink! Schultz impression while deploring the whole shadow enterprise.
There are alternatives. ETAM and InfoSec can collaborate to create a secure and supported end-user-computing platform. Internal Audit can provide a compliance checklist available to anyone who wants it.
IT can provide consulting services on how to design and build small applications. And if you have a PMO, it can provide training and coaching in ultra-basic project management techniques.
Preventing failure and encouraging success aren’t the same thing. The difference is the vast gap separating “No!” from “How can we help?”
Then there is the issue that once you touch it, you own it. Having 30+ years in IT, I have seen it all too many times. Staff creating “tools” using software the department has no expertise in (but the creator’s kids do) and then showing it off to the powers-that-be with a “Look what I created in no time, seems our IT shop could do that too.” In the State, we have control agencies that impose processes and procedures on us, at least those of us who adhere to such things. All with the mind-set to not spend the public trust in a fashion that hints at any type of failure, no matter what you might have learned from such a failure.
Back to the “you touch it, you own it”: getting to follow a trail of poorly defined and architected systems and being expected to “fix” them for the users has been ever so satisfying… Especially when they are developed in a language that you or your staff have no expertise in.