Shadow IT – Page 3 – IS Survivor Publishing

There’s no such thing as an IT project. There is, on the other hand, such a thing as There’s No Such Thing as an IT Project: A Handbook for Intentional Business Change. It’s now officially available for purchase (or will be tomorrow morning). Humility prevents my coauthor, Dave Kaiser, and me from telling you it’s the most important business book published this year.

It’s a good thing we’re so humble. Or maybe not, because if you have anything to do with making business change happen … intentional business change, that is … you need this book. And I hope you’ll forgive a bit of hard selling because if you want the organization to change you’ll want your peers and collaborators to understand what it is you’re doing and why.

What’s the book about? It’s about 180 pages long. It’s about eighteen bucks … a dime a page … if you want the Kindle edition, more if you want crushed trees smeared with ink, and if you do, consider buying it straight from our publisher (https://www.bkconnection.com/books/title/Theres-No-Such-Thing-as-an-IT-Project ).

It’s about the difference between “implementing software” and something useful coming of it.

It is, we think, comprehensive without being tedious; practical and pragmatic while still presenting big ideas; clear and concise without being humorless.

If you’re a long-time KJR reader you’re familiar with the mantra, for example from this ten-year-old evergreen from the archives – https://issurvivor.com/2009/12/07/someone-elses-problem/ .

Now, instead of having to root around in the archives to pull everything together you’ll find it all in one place.

That’s how KJR works. You get a concise account of a narrow slice of a big topic once a week, out of the goodness of my greedy little heart. You get a complete view of subjects that matter from the books I publish from time to time (look here if you want to know what else I’ve written over the years: https://www.amazon.com/Bob-Lewis/e/B001HMOX0I/ref=dp_byline_cont_ebooks_1 .) It’s one way you can support KJR — something readers ask from time to time.

If you like the ideas and need help making them real, give me a shout. https://issurvivor.com/contact/ . With many consultants you don’t really know what you’re getting into. I am, more or less, an open book.

Well, 12 open books, but who’s counting?

Oh … one more request. Books aren’t real until they have a bunch of Amazon reviews. So I’m asking you to write one — preferably after you’ve read the book (as a consultant I have a strong sense of sequence).

If you like the book, please say so and explain why. And if you hate it, please explain that in a review as well. I’m not trying to put my thumb on the scale — I like good reviews as much as the next author, but it’s more important for the book to be real.

And don’t worry. Unlike public radio, I’m not going to hold KJR hostage until enough of you have bought the book.

I might badger you about it from time to time, but I won’t fill more whole columns pleading with you and your fellow readers to satisfy my deep craving for attention. Dave and I hope you enjoy the book and, more important, find it useful. We won’t know, though, until we read your review.

Call it plausible blame.

A frequent correspondent (who wasn’t, by the way, endorsing it) brought an interview with T ho mas Sowell in The Federalist to my attention. In it, Sowell says:

… just the other day I came across an article about how employers setting up new factories in the United States have been deliberately locating those factories away from concentrations of black populations because they find it costlier to hire blacks than to hire whites with the same qualifications. The reason is that the way civil rights laws are interpreted, it is so easy to start a discrimination lawsuit which can go on for years and cost millions of dollars regardless of the outcome.

Shall we deconstruct it?

Start with Sowell’s evidence: he “came across an article.” That isn’t evidence. It’s an unsubstantiated assertion once removed. And … uh oh … I came across an ar t icle too. Turns out, fewer than half of all EEOC filings are based on race or color; for claims where the plaintiff wins the average settlement is $160,000. That isn’t a small number, but at best it’s a tenth of Sowell’s claimed “millions of dollars.”

Oh, and presumably some of the plaintiff wins were due to actual harassment or discrimination.

And the “evidence” is stronger than the rest of Sowell’s claim. If you’ve ever been involved even slightly in business decisions like where to locate a factory, you know the process is far too complicated to give discrimination-lawsuit-prevention-by-avoiding-populations-with-too-many-potential-lawsuit-filers a determining role.

Or, for that matter, any role at all.

The underlying message, though, is pretty clear: government programs to correct social ills backfire, so those who propose them are misguided.

Only there’s no evidence that the problem even exists, and its purported root cause doesn’t stand up to even the slightest scrutiny.

That’s why I call it “plausible blame:” The stated problem isn’t real, but plausibly could be. The blame for the problem is plausibly ascribed to a group the blamer wants to disparage, with “plausibly” defined as “sufficient to support confirmation bias.”

Which brings us to Shadow IT, as you knew it would.

I’ve been reading about Shadow IT and its enormous risks. Why, just a few weekends ago, Shadow IT took down Target’s point-of-sale terminals in 1,900 or so stores.

Oh, wait, that wasn’t Shadow IT. At least, it probably wasn’t. We don’t know because all Target has divulged about the outage is that its cause was an “internal technology problem” that didn’t result in a data breach.

That’s unlike Target’s massive 2013 data breach, which was due to Shadow IT.

It wasn’t? Sorry. Bad memory.

In case you’re unfamiliar with the term, “Shadow IT” is Professional IT’s term for unsanctioned do-it-yourself IT projects taken on by business departments without the benefit of the IT organization’s expertise. With all the bad press Shadow IT gets, I figured it must have been the root cause of at least one major outage or data loss event.

But google “data breach” and while you’ll find a rich vein of n ewsworthy events, none had anything to do with Shadow IT.

This is plausible blame too. The problem hasn’t been documented as real, and fault for the undocumented problem is assigned based on superficially sound logic that doesn’t stand up to close scrutiny.

Plausible blame is a handy way to make us despise and direct our anger at some group or other. Shadow IT’s undocumented perils, for example, lead IT professionals already predisposed to disrespect end users (see “Wite-Out® on the screen“) to sneer at the clueless business managers who encourage it.

And it is plausible: Information Security professionals know what to look for in assessing the vulnerability of potential IT implementations — a lot more than do-it-yourselfers. Sometimes they know so much that applying that knowledge cripples creativity and initiative.

Make no mistake, Shadow IT does entail real risk. But stamping it out ignores the even greater risks associated with manual methods. Risks? Yes. Few IT organizations have the bandwidth to attend to every automation opportunity in the enterprise. Insisting on nothing but manual methods for everything else means operating far less efficiently and effectively than possible.

Logic says Shadow IT entails some risk. The evidence says professional IT is, in its own ways, just as risky. Plausible blame says Information Security should focus its attention on Shadow IT.

My conclusion: plausible blame is riskier.