'Shadow IT' gradually sapping power and budget from CIOs

"The banking sector reports the biggest drop, with an average decrease of £625,000."

Erm, as a percentage of what?

"Shadow IT" is a big problem for the biz's information security arm. Everyone wants to do cloud crap, and if it's some startup's free webapp they won't even ask the IT dept to certify or vet it...then they start putting sensitive corporate/customer info up on some wanker's AWS storage. It's a compliance nightmare!

And they also buy the wrong thing

"It's not working! Your network/wireless/server/coffee-machine-as-a-service must be broken!"

"We spent 10K on this! It NEEDS to work!"

No, you bought a piece of shit, untested and on the promise of the sales weasel, with no clue about the infrastructure you want it to work over and that's my problem how?

We've just placed a block at Finance level, on departments buying their own [Redacted due to not being AC but see above "10K" example] kit, for instance. There are already sanity checks in place to get Central IT approval for other hardware purchases.

It still doesn't stop me being presented with a 10 year old piece of crap that's been retrofitted with an 802.11b wireless card and being asked to find out why it's not working "because we've bought 100 of them".

Join the dark side, it's more fun

Contracting, that is, almost universally under clients' marketing chain of command.

IT does tend to get cut out of the loop. They're not prepared to deal with crap like Linux and WordPress though. Stuff would not get done. Yeah, I'm a little leery about the security aspect; marketing and design folks are too quick to reach for the cloudy sharing services. Fortunately the worst case scenario is just a website getting hacked. What worries me are all the doctors' offices, government agencies, etc outsourcing their record keeping to cloud providers. And ecommerce.

History repeats

25 years ago the data center executives where screaming and hollering about the influx of PCs that was wrecking their carefully crafted setup...and stealing their budget. Sound familiar?

shadows within shadows

The best one I've seen comprised...

1) The official IT strategy as proposed by the IT staff which had a 5 year plan, a massive budget and was all techy and BIG METAL and had nothing to do with business functionality.

2) The self taught guerrilla developers sniping out applications from within their own business units so the units could function.

3) The top secret corporate IT strategy which was basically get rid of 1 and 2 by restructuring the business and moving the parts to other divisions.

It was amazing watching the battles knowing that it didn't matter a rat's ass who won what, because The Chief Grand Fromage was about to nuke the lot of them.

Nothing new

This is nothing new, part of the ebb and flow between centralised and departmental IT. In most jobs I've had over the years there has been oen or more departments who go there own way, some with good reason (compliance) others just because that department head likes to be in control or someone in the department claims to be an IT specialist.

At some point however they all rang up for something, usally something important like recovering their database, which usually proved problematic due to a lack of backups or if they had backups, valid ones, or ones old enough to recover a decent copy of the data. Generally they either had none or they never actually checked to see if they were done/worked let alone actually check whether they were any good.

It's all cyclical

Businesses, especially those whose primary focus is not technology, are not concerned about IT and information security, full stop. All of the credit card related breaches are covered by insurance, so businesses see no need to protect payment systems. Maybe the Sony Pictures hack will ring a few bells, now that some of the corporate dirty laundry is starting to be circulated. It's a whole different thing when emails about your political opinions, what you think about your employees/customers, or other secrets come out as opposed to something your insurance company just writes a check for.

All the breathless Gartner people talking about BYOD being the future are blissfully unaware of the fact that doing it correctly basically means a complete network transplant. It used to be that you trusted most things sitting behind the firewall. Once you start letting phones, tablets, etc. into the system, everything becomes untrusted no matter where it's connecting from. Most companies aren't willing to pay the money required to do this correctly. I would say most IT organizations are jumping around making executive iDevices work come hell or high water now. Anyone who doesn't is going to be called obstructionists like this article seems to state, and will be outsourced to India.

Just installed a new router at home with a VPN facility. Just testing and it looks like I can fire up a VPN on the company provided laptop, connect to home router and then burst out onto t'interweb o' pr0n in FREEDOM!

Shadow nightmare

Customer: We bought this PR software package. It's fabulous. It does exactly what we want. Can you install it on a server please.

I.T.: OK!!!

Later.....

Customer: Why can't people access it on the Intranet?

I.T.: The software is client server, it does not work in a browser.

Later.....

Customer: Hello, Servicedesk! I'd like to log a call please. Please build us a web interface for our PR software.

Problem solved!!!!!!

And in another very similar situation, I.T. were unable to build a web front end for another customer bought system. A few days later the customer was overheard saying in a meeting "Yeah, we asked I.T. to web enable it but the too difficult light came on".

And don't get me started on 101 instances of "we've got this Access database that John wrote. John's left the company now and so you will have to support it"

Balance

The reasons a company needs to provide standardised IT has several explanations. Buying standard kit provides cost benefits if the procurement deal is setup correctly. It also allows the deployment of a standard build - this makes sure subsequent troubleshooting is simplified by having a common stack deployed.

It also ensures the 'standard' software stack as defined by policy is applied to all deployed IT - anti-virus, software required to complete common tasks, audit/compliance tools. It also allows restrictions to be applied - such as preventing data from being copied off unencrypted to portable data devices that can be lost or stolen.This can look draconian - however, if you take a step back, it's not just dogma and belligerence at play when these systems for IT are in place.

What happens however, is that people get excited by the new toys on the block - tablets, smart phones etc - that have features that are 'missing' from the standard IT deployment - like the ability to have portability, or touch screens, or apps that are disallowed by 'corporate standard'.

The solution to this is not 'BYOD and secure it' - the solution is to look at what the user community wants and what they are solving using their own IT devices, and see if there is a secure, compliant, non-draconian option for providing this instead.

Both solutions - BYOD or offering more 'flexibility' to user IT - comes at a cost, due to increased security infrastructure, testing and support required.

In addition to this, BYOD often comes with fewer restrictions over using 'the cloud' and external applications - there are often very limited alternatives that the corporate IT provide.

For examples:

BYOD user - "I want to share documents easily and globally so I use Dropbox". Corporate IT response - "Have you tried our file server or sharepoint which is only accessible if you are local on our network and you have permissions in place"

BYOD user - "I want to video chat with an external client, so I use Skype" - Corporate IT response - "Have you tried using the internal chat tool with no video that also can't connect to clients"

If the IT department doesn't respond to the needs of the business and users, then it's not surprising it finds itself side-lined and circumvented.

Make your bed

Well, not YOU. The people who you work for.

I've been in IT for almost 20 years. Started out in desktop and moved up to servers, infrastructure. Always did my best to counter the meme that IT is a bottleneck and can't get stuff done. Fought the forces of circumvention with service. But then I moved into a new position and became just another "customer" of IT. It didn't take long for me to reconsider the legitimacy, no, the necessity, of circumvention.

If you can't beat em, join em

Which is why, despite umpteen years in corporate IT, I now find myself taking time to acquire skills in AWS...