All Posts in Shadow IT

|In: Shadow IT|Last Updated:

Call it plausible blame.

A frequent correspondent (who wasn’t, by the way, endorsing it) brought an interview with Thomas Sowell in The Federalist to my attention. In it, Sowell says:

… just the other day I came across an article about how employers setting up new factories in the United States have been deliberately locating those factories away from concentrations of black populations because they find it costlier to hire blacks than to hire whites with the same qualifications. The reason is that the way civil rights laws are interpreted, it is so easy to start a discrimination lawsuit which can go on for years and cost millions of dollars regardless of the outcome.

Shall we deconstruct it?

Start with Sowell’s evidence: he “came across an article.” That isn’t evidence. It’s an unsubstantiated assertion once removed. And … uh oh … I came across an article too. Turns out, fewer than half of all EEOC filings are based on race or color; for claims where the plaintiff wins the average settlement is $160,000. That isn’t a small number, but at best it’s a tenth of Sowell’s claimed “millions of dollars.”

Oh, and presumably some of the plaintiff wins were due to actual harassment or discrimination.

And the “evidence” is stronger than the rest of Sowell’s claim. If you’ve ever been involved even slightly in business decisions like where to locate a factory, you know the process is far too complicated to give discrimination-lawsuit-prevention-by-avoiding-populations-with-too-many-potential-lawsuit-filers a determining role.

Or, for that matter, any role at all.

The underlying message, though, is pretty clear: government programs to correct social ills backfire, so those who propose them are misguided.

Only there’s no evidence that the problem even exists, and its purported root cause doesn’t stand up to even the slightest scrutiny.

That’s why I call it “plausible blame:” The stated problem isn’t real, but plausibly could be. The blame for the problem is plausibly ascribed to a group the blamer wants to disparage, with “plausibly” defined as “sufficient to support confirmation bias.”

Which brings us to Shadow IT, as you knew it would.

I’ve been reading about Shadow IT and its enormous risks. Why, just a few weekends ago, Shadow IT took down Target’s point-of-sale terminals in 1,900 or so stores.

Oh, wait, that wasn’t Shadow IT. At least, it probably wasn’t. We don’t know because all Target has divulged about the outage is that its cause was an “internal technology problem” that didn’t result in a data breach.

That’s unlike Target’s massive 2013 data breach, which was due to Shadow IT.

It wasn’t? Sorry. Bad memory.

In case you’re unfamiliar with the term, “Shadow IT” is Professional IT’s term for unsanctioned do-it-yourself IT projects taken on by business departments without the benefit of the IT organization’s expertise. With all the bad press Shadow IT gets, I figured it must have been the root cause of at least one major outage or data loss event.

But google “data breach” and while you’ll find a rich vein of newsworthy events, none had anything to do with Shadow IT.

This is plausible blame too. The problem hasn’t been documented as real, and fault for the undocumented problem is assigned based on superficially sound logic that doesn’t stand up to close scrutiny.

Plausible blame is a handy way to make us despise and direct our anger at some group or other. Shadow IT’s undocumented perils, for example, lead IT professionals already predisposed to disrespect end users (see “Wite-Out® on the screen“) to sneer at the clueless business managers who encourage it.

And it is plausible: Information Security professionals know what to look for in assessing the vulnerability of potential IT implementations — a lot more than do-it-yourselfers. Sometimes they know so much that applying that knowledge cripples creativity and initiative.

Make no mistake, Shadow IT does entail real risk. But stamping it out ignores the even greater risks associated with manual methods. Risks? Yes. Few IT organizations have the bandwidth to attend to every automation opportunity in the enterprise. Insisting on nothing but manual methods for everything else means operating far less efficiently and effectively than possible.

Logic says Shadow IT entails some risk. The evidence says professional IT is, in its own ways, just as risky. Plausible blame says Information Security should focus its attention on Shadow IT.

My conclusion: plausible blame is riskier.

Comments

|In: Industry Commentary|Last Updated:

Travel is supposed to broaden the mind. Regrettably, after more than 21 years of writing this column, my mental ruts seem to resist travel’s broadening impacts: Everything I see turns into guidance for running businesses, IT organizations, and all points in between.

And so, following a couple of weeks touring in Rome and exploring bits and pieces of Sicily …

> The Romans built the Colosseum in eight years, with no project management or CAD software to help them. It’s about 2,000 years old and still standing. That should worry us.

> The Colosseum’s construction depended on two innovations: concrete, and interchangeable parts built to standard specifications. If any Roman architects, artists, or engineers suffered from change resistance, those who embraced the innovations apparently drowned them out.

> The Colosseum’s standard program was executions in the morning, followed by slaughtering exotic animals, followed in turn by gladiators trying to hack each other to bits.

I think this means we have to give the Romans credit for inventing standing meetings with standard agendas.

It also suggests they were early victims of the consequences of bad metrics. Because every day started out with executions, the Roman courts had to convict enough suspects of capital crimes to fill out the program, whether or not a sufficient number of capital crimes had been committed. I presume the parallels are obvious.

In any event, combining the morning executions and gladiators who got the old thumbs down, a million corpses exited the Colosseum’s fabled arches during the years it was in session, although the pace slowed a bit when Rome became Christian and did away with the gladiators.

I guess that was progress. Speaking of which, for the Roman Empire, conquest was what you did if you could. Now, it’s frowned upon. That’s progress, too, I guess.

> While walking through the Pantheon our guide pointed out a row of headless statues. They weren’t, he assured us, early examples of Dr. Guillotine’s work products.

It was due to Roman parsimony. Coming from a practical society, Roman artists figured out the average statue would greatly outlive the person it had been carved to honor. And so, they designed their statues to have replaceable heads.

In IT we call this “modular design.”

> We didn’t spend all of our time in the Colosseum (and Pantheon and Forum). We also toured the Vatican, where, in the Basilica, we saw evidence of St. Peter’s tribulations. As it happens, visitors rub St. Peter’s feet for luck. No, not St. Peter himself but a bronze statue thereof. Bad luck for St. Peter. After centuries of this his feet are being rubbed right off, toes first.

I’m pretty sure we in IT have parallels to muster. If not, elsewhere in technology land I’ve read we’re running out of helium, one birthday balloon at a time.

Sicily has been more relaxing, at least from the perspective of spotting IT parallels. I’m hopeful this might mean I haven’t completely lost my ability to disconnect from the world of information technology. But there is Mount Etna, an awesome and awe-inspiring site.

> On the not-a-parallel-at-all front, shortly before its recent eruption, data integrated from a variety of sensors reported a 10 centimeter increase in the mountain’s elevation (about 3 inches if the metric system isn’t your bag; also about 3 inches if it is your bag only you don’t need me to handle the conversion for you).

Where was I? Oh, that’s right, 10 centimeters, and I hope you aren’t so blasé that you aren’t awed by our ability as a species to measure such things with such precision — a precision that allowed geologists to warn everyone potentially in harm’s way so they could get out of harm’s way.

> On the back-to-parallels front, Mount Etna doesn’t have just one crater, although the main caldera is enormous.

It has hundreds of craters. That’s because, when pressure increases and the old eruption paths are plugged, the magma doesn’t metaphorically say to itself, oh, gee, I guess I’d better calm down and head back to the earth’s mantle.

Nope. The pressure is there, the result of physical forces that can’t be eliminated and physical laws that can’t be repealed.

The result: The magma has to go somewhere, and where it goes is the path of least resistance, culminating in it pushing through the side of the mountain, resulting in a new eruption and new crater from which it spews out.

The business/IT parallel is, I trust, clear: Good luck trying to stamp out shadow IT, which is also the result of pressures that won’t go away just because you want them to.

It’s time for me to head back to the beach. The IT parallel? None.

Ahhhhhhh.

Comments