Search Results for: shadow IT

Shadow IT and Enterprise Security – The boogeyman and the shadows

This post sponsored by the Enterprise CIO Forum and HP.

First off…if you aren’t familiar with the boogeyman, it’s the bad person in stories that are normally told to kids to keep them in line.

The boogeyman is also used by adults to scare other adults to make them stay in line. IT Professionals use the boogeyman to keep the organization in line (e.g., “you can’t do that because it will open a security hole”). Ooooh! The boogeyman!

But…the boogeyman IS real when it comes to Security.   There really are people out there looking for flaws in IT security.  There really are boogeymen out there.  And they lurk in the Shadows.

I’ve written a lot about Shadow IT in the past. I like the idea of technology ownership outside of IT. It does two things: 1.) forces IT to stop saying ‘no’ to everything and start looking for ways to say ‘yes’ or at least “no…but we can help do that with our ____ system”; and 2.) shows that technology is much more important to the organization than just a bunch of ‘computers’.

CIOs should be taking advantage of the rise in Shadow IT. They should be using this time to push for more budget to help the organization. They should also be building up a ‘consulting’ arm to help the rest of the organization better understand technology and how to select, implement and manage said technology.

Part of this consulting arm will need to focus on education as mentioned by Christian Verstraete in his Enterprise CIO Forum article titled Shadow-IT, it’s forbidden to forbid. This education is important as it helps the organization understand the underlying issues found within Shadow IT (data disconnect, information optimization, etc) but it should also stress the security implications found within Shadow IT.

These security implications are extremely important.  There’s nothing more dangerous to an organization than to have a non-secure system open for infiltration.

Because of the importance, IT must spend time talking about these issues and educating the organization. But…rather than use the old methods of ‘the boogeyman’ that most people are used to hearing, it needs to be done in such a way as to explain the dangers while keeping people interested.

The second you talk about “PCI Security” or “compliance” or one of the other boogeyman avoidance terms that we like to use in IT, people’s eyes glaze over and they immediately go on the defensive. They are reminded of the boogeyman stories of their youth and how those stories weren’t really true…so why should they believe you?

Rather than use the IT terminology to talk about security, we need to build a conversation around real issues that the organization can understand. Rather than use “PCI Compliance”, why not talk about “stolen credit cards”?  Sure they aren’t the same thing exactly…but the main point is conveyed.

Tell someone that they can’t do something because of “PCI Compliance Issues” and they’ll most likely go right ahead and do it.

Tell them they can’t do it because the system they want to use might allow credit card information to be stolen, and they’ll take a step back and ask you for help…or at least you hope they do.

True Story

I worked for an organization that had a HUGE PCI Compliance issue. A group was using a third-party web server to host their website. Credit card information was being submitted via a plain text web form (!) with no security (!!) and stored in a local text file for reference (!!!) and then emailed (!!!!) to a person to run through the credit card processor. The CIO and many IT professionals spent many hours talking to the group who were collecting the CC info. They talked about “PCI Compliance”, “Personally Identifiable Information” and other key terms….but the group kept on doing what they were doing.

Now…there are two things to learn here. The first: the CIO didn’t have the power to force this group to stop doing what they were doing. That’s bad for the CIO and bad for the organization. That’s a bigger issue. The 2nd issue at work here is much easier to resolve. It’s the issue of educating the organization on the dangers of collecting data. Rather than use “PCI Compliance” and the other big / buzz words, the CIO should have taken a step back and said “hey….look…I just downloaded your text file from your server and now have 2 million credit card numbers”. He didn’t do that though….he fought the “PCI Compliance” fight.

It took a boogeyman sneaking into that group’s web server and stealing those credit card numbers (and a lot of other personal information) and then contacting the company offering to sell the information back to them before the group realized they had a problem. It was too late. The boogeyman had come out of the shadows.

That organization spent a good deal of money to fix that problem. The group responsible stuck to their claim that they had never really understood the ‘dangers’ in doing what they were doing. After many months of begging and pleading by the CIO, 10 minutes of hacking by a boogeyman finally told the story of how dangerous their setup was.

Talking about the Boogeyman

These folks were doing everything wrong. The CIO had no ‘power’ to stop them either.  Many things were going wrong in this instance…but one wonders if the approach to education had been a bit different, would things have turned out differently? There’s no way to tell but I would hope the answer is “yes”.

So…we in IT KNOW the boogeyman is out there. We KNOW the damage that can be done. But…we have done a poor job of communicating the danger to the organization. We tell stories of the boogeyman. We use big words and lots of jargon and the eyes of our clients glaze over.

We need to find ways to highlight the dangers of the boogeyman without actually making people think about the boogeyman.  We need to talk about the dangers of Shadow IT while educating our clients to the real dangers that exist using language they can understand.

The boogeyman exists. He lives in the Shadows. It’s our job to help shine the light on him and help them steer clear of him.

Image Credit: Boogeyman By Billie Jane on Flickr


Shadow IT and Information Optimization

This post sponsored by the Enterprise CIO Forum and HP.

Following up my Data Disconnect and Shadow IT post from yesterday, I wanted to talk about the 2nd area that is often overlooked when people undertake their own Shadow IT initiatives.

In my previous post, I talked about the Data Disconnect. That space where the data in your Shadow IT applications is disconnected from the rest of the organization.

This disconnect is something that requires the IT group to educate the rest of the organization, as highlighted by Christian Verstraete in his Enterprise CIO Forum article titled Shadow-IT, it’s forbidden to forbid. In some instances, the Data Disconnect isn’t a big issue…but many times, the disconnect is a huge risk for the organization.

Today, I want to talk about another aspect of Shadow IT related to Data  and Information…the optimization of data.  The world today is ruled by data.  That data is turned into information and sometimes that information is converted into knowledge.

When data lives outside the enterprise in the cloud or within a local ‘shadow’ database, it’s disconnected.  To be able to use the data within your organization’s applications, they need to be connected. Therefore…the first step is solving the Data Disconnect problem.

Once you know how you’ll solve that disconnect problem…whether by using internal systems, APIs to access cloud app data or simple scripts to dump/convert data…then you need to think about the Optimization and Conversion problem.

The optimization problem is a big one.

There is a ton of useful (and useless!) data in every organization living as structured and unstructured data.

Structured data is quite easy to access and use and is fairly easy to connect when you find yourself facing a data disconnect. Find the data. Access/Dump the data. Use the data. Repeat.

Unstructured data is different. This is the data that is growing exponentially these days. It’s your email, text messages, twitter messages, blog posts, images, videos etc. The data stored within these mediums is unstructured in that it is text-based and/or audio/video. Optimizing and using this data is difficult when it’s stored inside enterprise applications and it’s even more difficult when this type of data is stored in applications that aren’t managed by the IT group.

This unstructured data is what you find in collaboration tools. It’s the information that your teams share and the knowledge that your teams create. If it’s stored in a third-party system with little to no access to retrieve the data, it’s not only disconnected, but useless.

Imagine that you work with a virtual team that is  ‘in the cloud’.  You use something like Basecamp or some other web based project management and collaboration tool to manage your projects.  In addition, your team uses email and an instant messaging platform like Skype to keep in touch throughout the day.

A great deal of knowledge flows through your collaboration platforms….but what happens to that knowledge after the first creation and share? Does it sit out in ‘the cloud’ forever, never revisited…or do you somehow grab that knowledge to ‘share’ with the rest of your organization?

You can’t optimize the information and/or share the knowledge if it isn’t held within the organization’s systems in a manner that is usable and accessible. This is the challenge of information optimization in the world of Shadow IT. There’s a lot of data / information / knowledge created that might be lost ‘in the cloud’ when these things aren’t considered.

So…CIOs and IT groups…take the time to educate your organization on the pros and cons of Shadow IT. If people are adamant about using a cloud service that doesn’t fit into the IT Strategic roadmap, make sure you understand why they are so adamant about it and what they and you must do to make sure the Data Disconnect and Information Optimization problems are considered and addressed.

Image Credit: Information By heathbrandon on flickr


Data Disconnect and Shadow IT

This post sponsored by the Enterprise CIO Forum and HP.

Yes, Shadow IT again.

But…rather than rehash the things I’ve talked about before, I wanted to take some time to walk through a few issues that aren’t always discussed when we talk about Shadow IT.

The first is Data Disconnect, which I’ll talk about here. The 2nd is…well…you’ll have to check back later this week for that post.

Data Disconnect is exactly what it sounds like. Your Shadow IT ‘initiatives’ might just have created an environment where you have multiple disparate systems with a data disconnect.  The data in one system isn’t readily available for use in another…nor is it readily available for use in any other system.

Why might this be a problem? Let’s look at a few examples.

Project Management

You need a project management tool and don’t want to use the IT provided Microsoft Project platform. You hate Gantt Charts and feel that you really need collaboration tools, which is something that Project doesn’t really do well.  The IT group offers you access to the new SharePoint system for Project Management + collaboration, but you really don’t want to have to go through the hoops necessary to get your team trained up on this new system and, if you are honest with yourself, you really hate SharePoint and will do anything to not use it.

So…you go out and plunk down your credit card number for access to Basecamp for you and your team. You love Basecamp. Your team loves Basecamp. The platform is a great place to collaborate and manage your marketing projects.

But…what do you do when the day arrives where you have to leave Basecamp?  What do you do with your data stored inside the app? What happens to all of the project knowledge from the projects and project teams that have worked inside Basecamp?    Do you just let them go or do you spend a few days downloading everything manually (or perhaps there is an API that lets you do this?).

Regardless…these things happen. While the Basecamp app was great while you used it, what happens when you stop using it (or are told to stop using it)? If you think about this issue beforehand, it may not be an issue at all since you can keep a ‘local’ copy of data/knowledge…but the collaborative environment inside Basecamp might be gone forever once you stop using it.

Another Example – Web Analytics

You have an analytics tool that you love to use to analyze your websites. Whether it’s Google Analytics or some other platform…you use it for years to track and analyze the websites of your organization.

Your CIO takes the initiative to purchase an enterprise license for a different web analytics platform. While they come to you for advice on this new platform, they decide to go with a platform different than your favorite one.

You love your analytical platform and have no interest in ever giving it up. You try out the new system, but it just doesn’t do what you think you need it to do.

So…you stick with your analytics platform and IT sticks with theirs. Their platform is used to track analytics of the ecommerce site and other IT driven websites.   You continue to use yours to analyze the sites that you are responsible for.

Then…you and your IT counterparts are asked to start combining your analytics reports.  Rather than push a few buttons to get a combined report, you now have to do a bunch of spreadsheet engineering to combine data…or perhaps you can build some scripts to combine data.  But…either way, you are doing additional work to combine data.

Data Disconnect

In both of the above instances, you are in the Data Disconnect world.

The Data Disconnect isn’t a reason to shy away from the world of Shadow IT, but it is something that everyone needs to be aware of when thinking about “going around” IT to purchase/implement your own systems.

In all of the groups I’ve worked with, there’s been little discussion of the Data Disconnect…but there should be. This Data Disconnect is also one of the issues that the IT group / CIO need to focus on as an educational aspect within their organizations, as Christian Verstraete wrote in his Enterprise CIO Forum article titled Shadow-IT, it’s forbidden to forbid.

You can do your job. And…you can do your job well.  But…your work is being done in a vacuum.

Your data might remain in that vacuum. But worse….whatever knowledge that data might create (or has created) will remain in that vacuum as well.

Image Credit: Disconnected by Bee-Brilliant on Flickr


Revisiting Shadow IT…again.

This post sponsored by the Enterprise CIO Forum and HP.

The topic of Shadow IT is making the rounds again.

A quick Google search finds more than a few new posts on the topic in the last few days/weeks, with more than just a few pointing to the “good” that can come from Shadow IT. I don’t know that Shadow IT can really be considered ‘good’ or ‘bad’ per se…but there are good and bad things about Shadow IT.

The good is easy to quickly name…there’s agility with Shadow IT services. There are also security issues with Shadow IT services.

While I’ve been a big proponent of Shadow IT for years, there are issues that people need to know about. Not only are there security issues, but there are pure operational issues that most folks don’t think through.

Christian Verstraete writes about these operational aspects on the Enterprise CIO Forum in a post from July titled Shadow-IT, it’s forbidden to forbid. In that post, he writes:

Talking to business users, I’m often flabbergasted how little they know of the potential risks encountered by putting information in the public cloud. Things happened over the years. Many of us received several e-mails from loyalty programs when a company, called Epsilon, got a security breach. I did not suffer any damage, but many others did. Interestingly enough, there is NO legal obligation today for companies to make security breaches public. The EU wants to change that, but it’s not a done deal yet.

How many of your users are aware of this? How many know about Data Protection Acts and other data related negotiation? Do they have that in mind when sharing information using DropBox, Skydrive, LinkedIn, Facebook or another tool.

Christian continues with a very key point for IT  professionals…whether we are talking about Shadow IT or anything else related to technology.  He writes:

Education is of the essence, not to scare them, but to point out the importance of being careful when using open internet services. The second element to take into account is BYOD. App stores have hundreds of thousands of applications. What are those actually doing? Who is making sure none of them collects information on behalf of hackers or criminals.  That is doomed to happen if not yet.

Well said.

Without education, the organization really has no idea how much damage they might do by going the cloud services or the BYOD route.

But…it’s more than just about education. It’s gotta be about delivering services. The organization is going around IT because they haven’t, won’t or can’t deliver.

The CIO and IT group should look at Shadow IT as an opportunity. An opportunity to compete and win back the ‘hearts and minds’ of the organization.  As Dave Linthicum writes in Shadow IT can be the Cloud’s Best Friend:

When the business units move forward, they force the hand of corporate IT. Often, IT will stomp out the use of unauthorized cloud-based resources and thus reduce the productivity of that business unit. A better approach would be for IT to get ahead of that technology on behalf of the company, leading versus following those business units into the cloud.

Emphasis Mine.

Educate, then communicate. Then…Lead.  You won’t snuff out Shadow IT, but you’ll at least be leading the way for the organization’s technology initiatives rather than playing catchup to the various cloud services projects that are kicked off without you.


More on Shadow IT…

This post sponsored by the Enterprise CIO Forum and HP.

Martin Davis wrote a nice piece titled Is “Consumerization of IT” really “Shadow IT” in disguise? where he asks a really great question….Is Consumerization of IT (which is something many people are talking about today) just another version of Shadow IT?

I’ve written about Shadow IT many times in the past and will most likely continue to write about it in the future.

In this article, Martin writes:

CIOs have long battled against Shadow IT and how to prevent, control, deal with or remove it. The arguments for doing this have usually revolved around security, compliance, supportability and business risk. Although IT’s fear of losing control has been an underlying theme.

Martin continues with:

The bottom line is that it is becoming easier than ever for the business to procure cloud based services without IT involvement and more worryingly without IT even knowing about it. Unless IT adopts a different approach to servicing the business they risk being sidelined.

Emphasis mine.

Most people believe that IT’s command/control focus (via processes, procedures, frameworks, etc.) has been put into place for the simple fact that IT likes to ‘own’ things and ‘say no’ to any request. While it’s fun to joke around that IT is the place that pessimists go to work, it’s an important aspect of organizational life. IT IS a place where NO is said more than Yes in most organizations. Not because it’s fun to do but because it’s necessary.

But…a ‘no’ can be delivered in many ways. Rather than say ‘no’ and nothing else, a ‘no…you can’t do that but you can do this’ could go a long way to soothing the ruffled feathers of those whose requests were denied. Control isn’t a bad thing. But approaching control with a ‘no…but…’ attitude rather than a ‘no’ attitude would go a long way toward keeping IT away from the sidelines.

It’s this denial and lack of alternatives that make people think they need to go ‘outside’ to find other solutions. Hence, Shadow IT’s growth in organizations. The consumerization of IT is just another fancy name for Shadow IT.

Martin ends his piece with:

CIOs must accept that IT cannot control everything and need to embrace the Consumerisation of IT given the massive benefits it can provide. They must find a way to help the organisation whilst still preventing it from doing something stupid.

Well said.


Clouds and Shadows – Managing Shadow IT with the Cloud

This post sponsored by the Enterprise CIO Forum and HP.

Cloud computing is here to stay.

Oh wait…I hate statements like that.  Sorry about that.

Statements like the above are made by people trying to defend the ‘cloud’ or whatever new or important product/service they are trying to sell today (or one they want to sell tomorrow).

That said…the cloud is an important aspect of technology that every organization should have already adopted into their technology strategy and roadmap. Ignore the option of the cloud and you may find yourself without a job soon.

Many IT professionals look at the cloud through fear-filled eyes. They see the cloud as their competition. They see the cloud as their job. This fear is natural and understandable…cloud services are a form of ‘outsourcing’. But…IT pros shouldn’t be fearful and/or ignore the cloud…we should embrace it and plan for widespread adoption.

If the IT professional doesn’t plan for the adoption of cloud-based services, others will.   Much like the world of Shadow IT within organizations…the cloud can enable an even greater Shadow…or it can help the CIO and IT shine some light within these shadows and start to transform Shadow IT into a properly managed technology infrastructure.

Terence Ngai, an HP Blogger and employee, writes about this very topic in an article titled Cloud computing puts an end to shadow IT on the Enterprise CIO Forum.  In the article, Terence suggests that the Cloud will end Shadow IT for good. I disagree with that premise but I do think the cloud is a good start to getting a handle on Shadow IT.

Terence writes:

Cloud computing gives business execs and IT leaders a unique opportunity to work together to develop an IT strategy that really meets the needs of the business. Why? Because more than any other technology, cloud computing offers undeniable benefits that can close the gap between business and IT.  Line of business owners can quantify the business value of needed resources. And IT leaders could use that info to create a winning business case for cloud computing and demonstrate the value of IT.

I don’t disagree with that at all.

Terence implores business leaders to learn about Cloud technology and services and then help guide their IT groups towards those services.  Not a bad approach for selling more services into the enterprise 🙂

One thing that bothers me about Terence’s suggested approach is this: If there’s a CIO or IT group out there that hasn’t already developed a technology strategy that includes the cloud, the leadership of that IT group should be replaced immediately.  That doesn’t mean that their strategy should be to use the cloud…just that they’ve thought about how the cloud can be used when it is needed.

Personally, I don’t think the cloud will end Shadow IT.  The cloud is an enabler of shadow IT…and if a CIO or IT group cannot find a way to insert themselves into the discussions around Shadow IT and moving services to the cloud, they’ll find themselves without jobs in the near future.

The cloud is here to stay (ack!)…and those of us in IT need to find ways to ensure cloud based services are used in a secure and professional manner. We know people within the organization are going to the cloud for services that they can’t get from IT (or at least think IT is too slow to deliver those services in a timely manner) so let’s help them understand the benefits and the challenges of the cloud.

By developing a technology strategy that includes the cloud and cloud-based services, maybe…just maybe…shadow IT can be managed. It won’t be completely banished, but at least IT professionals can get a better grasp on the situation.

The cloud has helped to expand Shadow IT…it’s time for IT groups to incorporate both into technology strategy and roadmaps. Without embracing the ‘clouds and shadows’, the organization will continue to move faster than the IT group and continue to make IT and the CIO less relevant and less valuable.

Image Credit: Cloud & Shadows
