Shadow IT Departments

The Shadow Knows

This morning I read an interesting article at Infoworld. It deals with the collision of paradigms between old IT and the new Infoworkers.

Here’s a sobering statistic: Eighty percent of enterprise IT functions are being duplicated by folks outside of the IT department, says Hank Marquis, director of ITSM (IT systems management) consulting at Enterprise Management Associates. In other words, for every 10 people doing IT work as part of their jobs, you’ve got another eight “shadow IT” staffers doing it on their own.

You probably know them. They’re the ones who installed their own Wi-Fi network in the break room and distribute homemade number-crunching apps to their coworkers on e-mail. They’re hacking their iPhones right now to work with your company’s mail servers. In short, they’re walking, talking IT governance nightmares.


I would amend this – they are old IT’s worst nightmare. As the article points out, they can become an organizational asset.

The reason superusers go rogue is usually frustration, says Marquis. “It’s a symptom of the IT organization being unable to meet or even understand the needs of its customers,” he says. “Otherwise, it wouldn’t be happening.”


One of the things that IT sometimes forgets in its rush to security is that IT is a tool for business. It should be an enabler, not a hindrance. Too often, old IT implements rules and regulations which stifle creativity and solutions, without an understanding of the real-world problems that the business is facing. They mean well; however, they do not understand the reality of life in the trenches.

There is a fine line between rules and regulations which enable a safe environment, and rules which are a hindrance and are circumvented simply to get the job done. A perfect example is a company that I once worked with. They had a rule about thumb drives (only a specific model, only with encryption turned on, etc.). There was no way of using the drive without being an admin on the workstation, as drivers needed to be installed and loaded each time the device was inserted.

So, no one used thumb drives. They used CD-RWs instead. Every machine had a CD-RW drive in it (as all modern machines do) and the software loaded. It was more of a headache, but they could still move large files around. Users are smart. They tend to find ways around policies and rules if they need to.

Procedures are a tough balancing act. If they’re too lax, there will be security problems. If they’re too tight, people will get around them and there will be security problems.

Bruce Schneier

One of the solutions that I have used in the past, and that the Infoworld article talks about, is bringing the ‘superusers’ into the fold. Make them part of IT in some fashion or other. The article has several good examples, and I have actually used a few in the past. But here is the skinny, IMHO…

Superusers can be a great ally. Policies are of no use if they are not followed. If the superusers understand why a policy is in place, and how to still use their tools in an effective manner, they can be a powerful public opinion tool. After all, if the superusers are grousing about this or that, they will bring down the collective opinion of the IT department.

“My goal is to have 100 percent of our knowledge workers be shadow IT,” says Weider. “Every employee must be tech-savvy and leverage the tools provided in order for us to have any hope of achieving a return on our very expensive IT investments.”


It all comes down to ROI. Organizations that have users who, via policies and training, are enabled to leverage technology will see a higher ROI. They will become agile and more entrepreneurial. They will foster creative and relevant solutions, and survive in the global marketplace.

The way I see it, an IT ‘group’ is an outmoded way of thinking. IT should become a decentralized, organic part of the company. As the MySpace generation enters the workforce, I think that we are going to see more and more of this. And it’s a good thing.

2 thoughts on “Shadow IT Departments”

  1. On the thumb drives, I can see training, and limiting them. There was a hack involving ‘free’ thumb drives with a picture and an embedded Trojan horse on board. So, that threat is at least real. A good reaction would have been to find a solution that worked across computers, without drivers or applications. Or simply educate users about the dangers of thumb drives, and make sure that it was against policy to have any sensitive data on them.

  2. Agreed. The problem that the old way of doing things has, is that it tends to be so restrictive that users become annoyed.

    Things like multiple systems, all with separate access credentials, and then changing the passwords constantly, may sound like a great security feature. In reality, this does nothing more than force users to start writing down their passwords (a big security no-no) because the IT world has increased their security requirements to the point of stupidity.

    As with most things, the level of access need only be as complex and secure as the item they are protecting.

    Allow your users to create secure passwords (I really like the trend in systems showing the password complexity when it’s created) and then let them use those secure passwords for longer. Unless a user feels as though their password has been compromised, there is no need to constantly be changing them.

    Don’t get me started about retarded thumb drive rules… It seems as though with every new technology comes a new level of ignorance to control it.

    One of the huge keys to successful system security is user training, and ongoing user training, not just a quick 10 minute session when they first get hired. Train your users over and over again until it is second nature to do the right thing with IT systems. No, it’s not perfect, but not training your users is a really bad practice.
