These are the same groups that then lobby to fire even more tech staff when their shiny new toys don't actually work. Yet again, instead of firing those actually (ir)responsible for the dodgy purchases in the first place.
CIOs and IT bods are in the dark over tech budgets as lines of biz people sidestep them to deploy their own projects, according to a survey by the Corporate Executive Board. Some 165 firms with a tech spend of $29bn responded to the questions from CEB, an advisory firm, which estimates that up to 40 per cent more is …
Where does this prick live, I've got some innovation right here for him! this type of tom-fuckery is the bane of my working life, and it's always the damn magpies in finance that do it, then they start budget fisting when you want to bang an extra PoE switch to support IP telephony, all because they have spunked the contingent wad on 4g iPhones in a non 4g covered office and tablets that will not run AX.
It's all great until users start phoning the helpdesk and the helpdesk is like "what the fuck are you talking about" then it goes around for a couple of weeks, turns out there's a giant shadow IT project that's now business critical so it gets shoved up the app support guys' arses and slammed on the IT budget while the budget has no provisioning for this and no understanding of what it is.
I work desktop admin for a very large firm and it's amazing the amount of crap which just seems to magically appear on our sales people's laptops. This isn't games or cat videos, it's various macro-stuffed Excel documents or plug-in loaded intranet sites which have been pushed out via email and are now mission critical and requiring urgent IT support despite the first we know about it being when a helpdesk guy wanders over and asks wtf this new 'app' is.
Organisations clearly need a mobility policy that EVERYONE is aware of, otherwise it's going to become a security and management nightmare. Sure, allow BYOD, or different departments to purchase kit, but make sure they know the minimum security requirements prior to making that purchase - and that they'll be on their own in terms of hardware support or they'll need to contribute budget for the increased workload IT is about to take.
Awareness is rarely the problem, it's enforcement that's the rub. It becomes exponentially harder the larger your user base gets.
Besides, this whole thing isn't really a problem. Just invoice the department that's needing the extra support. Just bill the shit out of them. Obviously they won't pay, but you aren't going to get anyone's attention complaining. It's a stunt, but if you break down the actual costs of the extra/unplanned support and ram it through billing it'll get the attention of people who won't be too keen on it.
". . . it's enforcement that's the rub."
Exactly. It's all about having a CIO/CTO with the knowledge and personality to communicate this effectively to the other C-levels and the clout and balls to carry the day.
One thing I have found, working in companies of different sizes is that directives like these must come from, and be supported by, the very top of the chain. Otherwise it's just inter-departmental bickering.
This is also a good learning point for IT staff, and can help teach how to properly and effectively convey what the problem is, why the system(s) are problematic, the consequences, what can be done now and, importantly, how everything would have been better if IT was involved from the very start. That is a very valuable skill.
Sometimes, just sometimes, when doing that, you find that the system that has been purchased without your knowledge is actually not too difficult to integrate. That doesn't excuse what has happened and in those instances I make sure I point out that it was pure luck that the systems work, but I must confess that at least once I have taken the usual stance and, in trying explain exactly why we can't help, I have come to the realisation that there's really no reason it can't all work well.
Accompanied by a suitable report detailing why we should have been consulted first, what the complications were and how we can manage these implementations better in the future, I have at least once found that the overall result was better cooperation from that department head. In short, she knew we actually did care about them and wanted to help them do their jobs and make their lives easier. She better understood why we have the structure and restrictions we do (though still complained about mailbox size) and the next system (an online employee portal - yes, it was HR . . . ) went much more smoothly.
That's far from the rule, but don't rule it out.
Exactly. It's all about having a CIO/CTO with the knowledge and personality to communicate this effectively to the other C-levels and the clout and balls to carry the day.
Oh, you mean like what my CIO did last year when Finance went out and bought some fruity fondleslabs without consulting IT??? She went to the CEO and demanded (and got) over $65K from Finance's budget to cover the costs of supporting those worthless (for us) things.
For some strange reason, they seemed to have disappeared at year end.
I don't want to be in control of these projects, I just want to be involved.
It's shortsighted in the extreme for these outside departments to exclude their experts when making tech decisions. Too often I have had an outside department bring me a multi-thousand dollar software package only to be told, a) We don't have the server infrastructure for it and b) they didn't buy enough licenses and c) we don't have the network infrastructure to handle the remote sites.
Usually, it's even more basic than that; often they'll buy things that don't match their requirements. Not their "wants", but their requirements.
To say nothing about the various regulations that need to be observed.
IT, as a department, has untold amounts of experience with all things technical and regulatory. Not including them in a tech project is remarkably stupid.
. . .
And why is there a problem with gatekeeping? See things from the other side for a moment.
I had a request (demand, actually) recently to implement a piece of software which was basically a FTP webdrive that required (expensive) licenses. I didn't have a great objection to that, but I did have a great objection to the fact that we are UK based and the program was US based and there was no encryption and only a simple password. Simply emailing the bloody files was actually more secure!
Our professional requirements state that we can't transfer data outside of the EU without the informed consent of our clients. This was reported along to the people requesting it, who then kicked off big time to management about it demanding that they be allowed to use it because it was "easier" than existing procedures.
When management was informed that using this program would be a breach of our professional requirements meaning that anybody using it could not only be fired from our company, but up on a disciplinary tribunal from our regulatory body facing being barred from ever working in our sector again there was and remains a deafening silence as to who actually came up with the idea.
I mean, before demanding it be installed people did check things like this, right? No? Just as well IT did then, hey! Think of what would have happened if we had just quietly installed it for the people who demanded it and then just reported the annoying sods! Not only would we have never had to deal with them again, we know nobody else would have had to either, because they'd be unemployable in our sector.
Still, they are at least grateful for us saving their jobs and career right? RIGHT?!!
Alternately, they are probably complaining about IT being obstructionist. I know which my money is on.
"Our professional requirements state that we can't transfer data outside of the EU without the informed consent of our clients. "
So no use of gmail, Dropbox, Skydrive (or whatever Microsoft call it now) or any service that depends on Amazon storage and so on. I imagine BYOD is out and that you restrict data transfer to personal storage of any kind to eliminate the possibility of inadvertent use of a trans-border service by professional staff. RDP into locked down desktops springs to mind. Surely working under those conditions would imply training for staff or general awareness raising?
I realise you can't name the sector but if it is a large sector, then it strikes me that there should be someone providing online services guaranteed to be within Euro or UK jurisdiction that you could point the people to. Business opportunity if there isn't!
My employer makes available RDP into my work desktop so I just keep any information about identifiable people on that desktop. If this laptop (my own device) got pinched then its just teaching notes. Possibly a list of first names and test scores.
I suspect they meant "obstructionists" as opposed to "gatekeeper".
Too often I've walked into IT depts where they do their best to torpedo every request. I've never really learned where IT depts get this attitude from, but it's prevalent. One of the first things I have to do anywhere I go is implement an objective approval process, complete with open communication to all involved parties.
Too often the IT decision making processes are voodoo to outside departments, precisely because there is no visibility, no communication. This breeds an environment where outside depts are resentful that IT nixed their FTP server project, and IT is resentful because of their perceived attitude problem.
"Too often I've walked into IT depts where they do their best to torpedo every request"
Haven't you ever considered the possibility that many of those IT departments are too under-budgeted and/or under manned to perform those requests?
I've lived personally that experience when I was in a mid-sized company in the nineties. The Marketing department came up with a cunning plan to allow employees to telecommute, in a moment in which ADSL at 256 Mbps was an expensive novelty and patchy, to boot. The fuckers Marketing dept. put some pressure on me for a while and finally arranged a meeting with the boss. Luckily -for the company- the boss shot them down in flames in minutes.
But I've heard from colleagues and read in forums about many, many cases that didn't end so well. Purchasing IT without feedback from the IT dept or without the means/budget/personnel to install and maintain the kit is like self medicating, and as self medicating it can be deadly for the company.
Haven't you ever considered the possibility that many of those IT departments are too under-budgeted and/or under manned to perform those requests?
Of course. The problem is that, quite often, IT depts will simply say "No", or possibly "No Money" and shut down the request.
That's not the proper way to handle it, however. You need to involve the requesting department in the entire process. Done correctly, they'll come to the same conclusion you did. But they need to feel included and that you took their request seriously.
What I've found is that when you take the time to educate other departments, not only do they stop going around IT, but they work with you to lift those constraints. IT budgets are often low because IT is "magic" to everyone outside of IT, because no one has ever taken the time to show everyone what IT actually does.
Communication is, as ever, key.
"The Marketing department came up with a cunning plan to allow employees to telecommute, in a moment in which ADSL at 256 Mbps was an expensive novelty and patchy, to boot."
Er - I was 'telecommuting' on modem dialup in the early 1990s. Lotus Notes for one employer and Outlook with local folders for another. It all worked ok. Depends on a task analysis and what the data sharing requirements are. That Lotus Notes server went for 3 years without a reboot by the way.
As someone else said earlier on, you need a task oriented view. The department requesting the facility says what they want to do and you find a cost efficient way of doing it.
"implement an objective approval process, complete with open communication to all involved parties." - ah, given the corporate-speak, you're a (management) consultant. Brave of you to post here, given your sort is a big part of the problem we face.
And please don't do the 'at least I use my real name in postings', sort of reply; that's been done to death. Thank-you for your understanding.
".....When faced with those types it's no wonder IT is viewed as gatekeepers rather than enablers." Er, could that be because IT'S THEIR JOBS!?!?!? They are there to enable the company to operate effectively and efficiently through IT, not to pander to every stupid and unplanned IT request from some numpty that "saw this stuff on TV". Just imagine how upset HR would get if IT went and hired employees without engaging HR or following company employment rules or - worse - employment laws?
".....When faced with those types it's no wonder IT is viewed as gatekeepers rather than enablers." Er, could that be because IT'S THEIR JOBS!?!?!? They are there to enable the company to operate effectively and efficiently through IT, not to pander to every stupid and unplanned IT request from some numpty that "saw this stuff on TV".
Peter2, pierce and Matt Bryant are all on-the-money.
Finance acts as gatekeepers to the money because they have the knowledge, expertise and responsibility to ensure that the company's money is spent according to company policies.
HR acts as the gatekeepers to staffing because they have the knowledge, expertise and responsibility to ensure that the company's hiring and employee management practices are conducted according to company policies.
Guess why IT acts as the gatekeepers to the IT environment?
My favourites are web-based and 'cloud'-based solutions, as the pre-sales people for these often actively tell people that they don't need to involve IT - it's all online and you won't need to install anything, don't you know? I took this up with a pre-sales team once and was told, verbatim: "we try not to involve the IT department". You what? The marketing for such products is usually an endless parade of racially-diverse, young corporate-types leaning over each other at boardroom tables in expensive, light-filled offices, smiling and pointing at tablets & laptops.
It's all so easy, see?
. . . except that the platform requires Java, which has been disabled due to several unpatched security issues with particular relevance for company systems. Or it needs to install an (unsigned) ActiveX control that is not compatible with the installed version of Internet Explorer. You could roll-back, but there are several unpatched bugs and it wouldn't work with the company intranet anyway. Or perhaps it's not coded to deal with IE at all and certain features only work in Chrome. Great, except IT were instructed not to install Chrome due to privacy concerns and the staff only realise the problem at the end of month when they find they can't run their reports properly.
The reply from the department in these cases is almost always a variation on: ". . . but I don't understand what the problem is; <insert vendor here> said it was all on the Internet and would work anywhere!"
Everyone in IT has been there and we all have our stories. Shudder.
Sometimes even being involved isn't much help. We recently ran a tablet test here, assessing which of the tablets was best for our needs. The best option for us was, surprisingly perhaps, a Surface tablet.
So, shortly thereafter, we purchased over a hundred iPads. "They work better", we're told. Not according to the testing we did. "They're faster", we're told. Not for the specific situation we had. "They're more reliable", we're told. Not judging by the support issues logged.
I really would have preferred if they'd said at the start "We're getting iPads because we want iPads." Don't make me spend money and time on doing the process "properly" if you have no intention of listening to what I'm going to say.
This is hardly news.
If departments aren't controlled on how they spend their budgets they will inevitably go out and do what they think will either a) get the job done quickly or b) look cool. - Or both.
Since IT departments are so often seen as the people who say "no!" the staff in other departments will do their best to bypass them, until it all goes horribly wrong.
Face it. As far as other staff are concerned you are there to make things better when they've gone wrong, not to stop them doing what they want.
You wanted to be a wizard didn't you? So keep the wands waving.
I was intimately involved with this type of change in a few of the big Canadian Banks and Telcos. The entrenched IS was not responsive to user demands and so they began the PC assault on the glass house. Eventually, after being practically begged and showered with money by the user community, the keepers of the keys finally began to formalize the introduction of PCs and LANs. However, they fought this tooth and nail until it threatened to replace them.
Security has never been much of a selling feature to end users. Transistors are crucial to the operation of modern computing machinery but they are of no interest to consumers. Same thing with security. Corporate consumers have a right to expect that security, manageability, interoperability and economies of scale are handled silently behind the scenes by their IS departments.
The fact that corporate personnel and their departments have taken to buying and deploying this stuff on their own is not a failure on their part. It is a failure on the part of IS to meet their needs.
There is an essential tension between innovation/development and stability/production. Neither developers nor production staff are to blame here. Both are doing their job. Higher management makes this a problem by disrespecting both groups and failing to manage appropriately.
Agree, we saw this user led departmental level procurement and deployment with PCs in the 80s and early 90s, before IS and the business finally got their collective heads together.
What is particularly interesting, is that I suspect it will be "the fools in HR, Marketing, Operations and Finance" who will be doing similar with third-party SaaS providers...
Naturally IS will know nothing about these procurements, because the SaaS vendors don't market to IS they target their marketing directly at HR, Marketing etc.
Last friday I took a call from the service desk:
Them : "We have a priority 1 call logged for the purchase order import system"
Me : "Never heard of it, The purchase order system has an import facility is that what you mean?"
Them : "No, it's an Access database that user x made, but it's not working and he left last month"
Me : hahahahaha, CLICK.
Of course, being a finance application it's now "BUSINESS CRITICAL", so the end result was that I fixed it because people several grades above me wanted it done, but that's with the understanding that they will raise a project to get it moved into a properly supported process right away (yeah right). This will be the last I hear about it until it breaks again next year!
Users/Departments outside IT should not be doing their own thing without some input from IT.
Since we do not support the use of any Apple products through our IT department, we simply set MAC address range controls on your wireless access points and then exclude any of the Apple ranges (available here http://standards.ieee.org/develop/regauth/oui/public.html). Apple devices can only connect to our guest WLANs at certain sites and nowhere else, only wireless adapters inside the range for the laptop vendors we support can join our segregated office WLANs, and we have our desktop RJ45 ports locked down so if you plug in an unknown MAC address the port simply stays dead. The few "valued colleagues" that bought iPads out of their department's petty cash soon gave them up when they realised they were useless in our offices, and none of them had the chutzpah to even try faking MAC addresses.
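The OUI-range admission policy described above, as an added example that is not code from the original post: a Python check that normalises a MAC address, looks up its first three octets in a constructed sample OUI table, applies the office WLAN / guest WLAN / wired-port rules from the post, and also flags locally administered (randomised or manually set) addresses, which carry no vendor OUI and so cannot be classified this way. The vendor names, OUI blocks and registered MAC are hypothetical, not entries from the IEEE registry linked above.

```python
import re
from dataclasses import dataclass

# Constructed sample OUI table: first three octets of a MAC -> registering
# vendor. Hypothetical entries for illustration only; real assignments come
# from the IEEE registry linked in the post above.
OUI_VENDOR = {
    "00:11:22": "SupportedLaptopCo",   # hypothetical supported laptop vendor
    "A8:BB:CC": "SupportedLaptopCo",   # hypothetical second block, same vendor
    "DC:AD:BE": "FruitCo",             # hypothetical unsupported tablet vendor
}
SUPPORTED_VENDORS = {"SupportedLaptopCo"}   # may join segregated office WLANs

# Wired ports use a per-device allow list: an unknown MAC leaves the port dead.
REGISTERED_WIRED = {"00:11:22:33:44:55"}    # hypothetical registered desktop

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff' or 'aabbccddeeff'
    to 'AA:BB:CC:DD:EE:FF'; raise ValueError on anything else."""
    digits = re.sub(r"[:\-.\s]", "", raw).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """Return the 24-bit OUI portion, e.g. 'DC:AD:BE'."""
    return normalize_mac(mac)[:8]


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet: never legitimate as a source address."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was not burned in by
    the vendor (randomised or manually set). There is no vendor OUI to look
    up, so an OUI-based policy can only treat it as unknown and flag it."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


@dataclass
class Decision:
    allow: bool
    reason: str


def admit(mac: str, network: str) -> Decision:
    """Apply the post's rules. network is 'office_wlan', 'guest_wlan' or 'wired'."""
    try:
        m = normalize_mac(mac)
    except ValueError as exc:
        return Decision(False, str(exc))
    if is_multicast(m):
        return Decision(False, "multicast bit set in source address")
    if network == "wired":
        if m in REGISTERED_WIRED:
            return Decision(True, "registered device")
        return Decision(False, "unknown MAC: port stays down")
    if is_locally_administered(m):
        # No trustworthy OUI: good enough for guest, never for the office WLAN.
        return Decision(network == "guest_wlan",
                        "locally administered address, no vendor OUI")
    vendor = OUI_VENDOR.get(m[:8])
    if network == "office_wlan":
        if vendor in SUPPORTED_VENDORS:
            return Decision(True, f"supported vendor {vendor}")
        return Decision(False, f"vendor {vendor or 'unknown'} not supported on office WLAN")
    if network == "guest_wlan":
        return Decision(True, f"guest access for {vendor or 'unknown vendor'}")
    return Decision(False, f"unknown network {network!r}")


if __name__ == "__main__":
    for mac, net in [("00:11:22:33:44:56", "office_wlan"),
                     ("dc-ad-be-ef-00-01", "office_wlan"),
                     ("dc-ad-be-ef-00-01", "guest_wlan"),
                     ("02:11:22:33:44:55", "office_wlan"),
                     ("00:11:22:33:44:57", "wired")]:
        d = admit(mac, net)
        print(f"{mac:>20} on {net:<11} -> {'ALLOW' if d.allow else 'DENY '} ({d.reason})")
```

As the reply below notes, the OUI check is a management convenience rather than a security boundary; the locally administered flag at least makes the addresses it cannot classify visible in the logs.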
Re: "set MAC address range controls on your wireless access points and then exclude any of the Apple ranges"
Credit where credit is due. Good for you.
I just about never agree with you and don't really agree with your mission here. However, I applaud your strategy. I knew that MAC addresses contained an OUI this way, but since they *can* be spoofed (I sometimes do this) and my interest in such things is more security minded it never occurred to me to do what you have done. It is a nice solution whose theoretical weakness is irrelevant in this practical context. Very amusing.
Agreed - it's a great strategy. In a past life we did a similar thing for the phone and PC VLANs: whitelist (the correct brand) IP phones on the voice VLAN and blacklist those same MACs on the data VLAN.
It wasn't really a security thing, though - more a helpful way to troubleshoot as a device plugged into the wrong VLAN just wouldn't get an IP. It was also good for a remote office with no local support - plug the phone in and if it gets an IP, it's on the correct VLAN. If not, try the other outlet!
Doesn't work if you have the PCs connected through the phones but if you have dedicated outlets and switches it just makes things easier - especially when troubleshooting remotely.
Most 'shadow IT' that I've come across exists because the 'official IT' is seen by its customers as too rigid and too slow to respond (fairly or not).
'IT' is available over the counter at a shop near you and some enterprising non-IT person decides that the kit he/she can buy over the counter can do that particular job and that going that way circumvents the bureaucracy, delay and other assorted frustrations of dealing with the IT department.
Is it frustrating for conventional IT types? Yes it is - immensely. Will the non-IT types want IT to support their new kit? Yes they will - because many of them are revenue earners whereas IT rarely is. Is there much the IT department can do about it besides whinge? No.
Most 'shadow IT' that I've come across exists because the 'official IT' are not informed of the requirement or given a budget, and when notified their legitimate concerns are ignored. The purchaser is often gulled by some slick sales droid and doesn't have any idea of the TCO of the new shiny thing they want.
Just bring up the various IT related policies and highlight the sections on unsupported devices, project lead times, project costs, system access, and procurement procedures. You will find that just about every single one of these Shadow IT shenanigans fall afoul of at least 2, if not all of the policies and procedures.
You then have every right to go tell these HR drones, Marketing wanksticks, or Executive blowhards to go away and never darken your doorstep (or cubicle) again.
Should word come down from up high (and your contract doesn't cover you against act of fuckwad), then approach the "request" with a work-to-rule mentality. Meetings, project estimation committees, team meetings, one on one meetings, focus groups, you name it. Bury them in the same level of bullshit they tried to bury you in by hiding it from you.
If all else fails. Cattleprod, roll of carpet, shovel and quicklime are your friends.
One arse-clenching "shadow IT" deal I came across was the bods in a satellite office who "wanted the internet on their desk". Company policy was that internet access was locked down by proxies, not surprisingly in an industry where billion-dollar fines for breaking the law are not unheard of. Everything business-related is logged in the likely case it needs to be used as evidence in a court of law. But they wanted the internet so...
These suuuuper-geniuses signed up for a broadband package without telling IT or indeed anyone above their pay grade. The engineer turned up and hooked a wifi-enabled commodity router with default passwords into the office comms cabinet which was part of a secure firewalled and firegapped network with billions of dollars an hour in financial traffic flowing through it, never mind confidential customer data etc.
When it was discovered what they had done words were had and there were some empty desks soon after. Then again that particular part of the business was well-stocked with risk-taking twenty-something cowboys who regarded "being caught" as much less likely than "million dollar bonuses all round".
"These suuuuper-geniuses signed up for a broadband package without telling IT or indeed anyone above their pay grade. "
@ Robert Sneddon
My students just use their Blackberrys. 3G mobile connection. No interaction with College network. Nowt I can do about it other than stainless steel storage canisters. Handy those.
These suuuuper-geniuses signed up for a broadband package without telling IT or indeed anyone above their pay grade.
We had a marketing asshole do almost exactly the same thing, except, he used a secondary wired connection at his wall jack to give himself a public IP address on a second NIC clandestinely installed in the desktop PC.
The networking guys picked up on it, and three security guys came to his desk and dragged his ass out of the chair, and booted him out of the building. My boss and the CEO met him at the front door and told him WHY he was being fired. While we are primarily a *nix shop, he was one of the (l)users still using Windows, which bridged our LAN and his public IP address together. Dumbass!
".... Is there much the IT department can do about it besides whinge? No." Seriously? You obviously have not thought that statement through. There are a dozen ways an even vaguely competent BOFH can scupper unapproved IT projects, usually the first stop being the company's security policy, which a true BOFH will have ensured is sewn up - "I can't let you connect to that hosted SaaS solution because their traffic is not encrypted with AES1024 encryption as our security policy says it must be" (the board didn't have a clue what AES1024 was when they signed off the policy but the BOFH told them it was 'vital to security'...). Even more fun can be had with desktop OS tinkering - "Sorry, we took Adobe Flash out of the supported OS build because it's a security nightmare, so sorry that your unauthorised internal website needs it." Then there are the literal power games, such as PAT testing where unauthorised kit will magically fail and have to be removed from site (after extinguishing it), or powercuts only notified to those running authorised NAS systems. Etc., etc.....
We've all been there. Budgets are fine until a group of one or more directors decides "Ipads it is".
Ok, finance all wanted bigger monitors, then Susan got 2 screens because she works in some hideous and massive database she made herself. Then they all "needed" 2 screens. Remember? They don't have the budget for 14 iPads left in their IT spend.
Normally 1-2 weeks later...
Hi, we need a hand, can you come and make email work on these iPads please, oh and James can't make his connect to the shared Access database they all use, that's fairly simple right? Just do it on his and he can show us. Susan got hers working on email but now she doesn't see emails she sends from the iPad on her work phone, that needs fixing and, and, and, and.
Let's face it, very few people understand technology; even in the IT world, people do not understand the full consequences of their actions. In a way this is not news; be it HR, Finance and such, they all follow the IN commercial practice, often without thinking, because if company X does it, it must be the right thing to do.
The management of companies rarely understand their own businesses in any detail, let alone the legislation governing their business. Why should we be surprised that shadow IT projects appear when it's easy for an IT savvy employee to plug a wireless router into their network and enable all the wireless devices you like.
But fear not, outsourcing HR is now in vogue, so most of them will disappear, and services will be run from an emerging nation. That's right, all your HR details shipped to the far east, bank accounts, the lot, and if you work for a secure government project, you can look forward to that being known outside your country as well.
Have you ever looked at the "deals" these non-IT guys make with vendors? More often than not they are getting screwed over royally by that slick sales guy, and even worse, they get talked into signing long-term contracts with god-awful T&Cs and exorbitant costs simply because a) they don't understand all this stuff is negotiable, and b) even if they did understand it they wouldn't recognize when they were being screwed.
So forget the IT aspect. From a purely business/finance perspective they are making terrible business and spending decisions for the company, usually out of pure ignorance.
This article, and more importantly, the comments have actually been very refreshing to me!
I am the sole full time techie at a multimedia organisation, broadcasting radio and TV (we do have part timers too but it largely falls on my shoulders).
I really thought I was the only person experiencing this type of idiocy. I blamed it on all the "creative types" who just innovate their way around anything that took you hours to write for the Staff handbook and policy documents. Governance is a dirty word; there are comments on here of IT being "gatekeepers" and that we always hold other departments back, insinuating that the other departments are almost entitled to go and spend budget on IT kit or software or indeed BYOD and demand an Apple device works seamlessly with a carefully constructed AD infrastructure.
Yes, yes, we are the nay-sayers and the people that say no.... Until you get a massive security breach or monumental public stuff up that costs the company so dearly that tomorrow you don't have a job to come into thanks to the huge fine from your respective governing body, or collapse of share price due to bad press (or both).
It doesn't even have to be that humongous...
Yes, that's fine, you stream your music to listen to (when you should actually be listening to the radio product you contribute to) and chew up the LAN/WAN bandwidth and THEN complain that you find editing video and audio "slow", over the same network.
The worst part of this whole situation for me is that we regularly have Directors (with pre-agreed sign off limits that rival my annual wage) who buy fondleslabs, Macbook Pros and the like, bring it in, install it at a workstation and then add it to the IT budget line for the month.
Not only do we have to support kit that won't integrate, our planned projects for the month repeatedly get put back due to their spend, on our budget!!!! (oh and guess which director then asks why a project is not completed yet a few weeks later)..
I have considered buying marketing kit or some stationery in bulk and adding it to someone else's budget line, to see what happens... alas, I am usually too busy getting Macbooks to print to AD printers or some such task....
Well, at least I am not alone. I find solace in this, at my time of need.
"Yes, that's fine, you stream your music to listen to (when you should actually be listening to the radio product you contribute to) and chew up the LAN/WAN bandwidth and THEN complain that you find editing video and audio "slow", over the same network."
Yep. That's one of my favs too. More amusing, of course, is when you are expected to identify bandwidth hogs and yet they won't approve budget for some new, smarter switches to help you do just that. This, of course, despite the fact that the dev team just arrange purchase of SSDs for all their PCs to try and fix the network slowness.
Re: Macbooks and AD printers - how many times a week do you hear: ". . . but it works fine at home"?