Techies! Shadow IT means you need to up your game

Shadow IT is not the result of “rogue employees looking to rebel” the research firm Frost and Sullivan has declared in a review of the hybrid cloud market. However, IT chiefs can take little comfort from the report as it goes on to explain that lines of business’s installation and use of unauthorised applications is …

  1. Anonymous Coward

    This comment posted with


  2. Ragarath

    A tech nightmare waiting to happen!

    “49 per cent [of employees] are more familiar and comfortable with the unapproved application, so using it helps them get their job done more quickly and easily”.

    Also known as lazy employees that cannot be bothered to learn the way it is meant to be done. There are usually good reasons for one application or program being used over another. If every employee used what they want there would be no support department big enough.

    Another 38 per cent of line of business employees fingered “slow or cumbersome IT approval processes for the needed service”, with almost a quarter stating “the unauthorised app met needs better than IT’s alternative.”

    A quarter? (of 38% I might add so overall <10%?) Seriously that means 3 quarters thought the approved application or program was the better option. Sounds like troublemakers to me, you know the ones you can never satisfy because nothing is right unless they have full control of everything*.

    I'm lucky that in my current position deciding what programs to have available is mostly a non-issue, at least at the moment. My last job though was a pain in the arse.

    *until of course it breaks. Then it's IT's fault, not theirs for installing umpteen GB of crap and messing with settings they had no clue about.

    1. Anonymous Coward

      Re: A tech nightmare waiting to happen!

      At its core this isn't an Us vs Them issue, it is a case of poor management and lack of funding which results in such excuses by IT departments and complaints by other workers.

      A well managed company will supply employees with the hardware, software and support they need and ensure that people performing tasks generating tens or hundreds of thousands of dollars an hour are not held up by processes, departments or people trying to save tens or hundreds of dollars an hour.

    2. dsanda

      Re: A tech nightmare waiting to happen!

      Terrible mindset. IT is there to find out and keep asking what people need and help them support their infrastructure and manage compliance and backup and whatever on their own. If they think users are there to "comply" and work within the most overpriced and easiest to support SW it can, they are due to be replaced.

    3. Fungus Bob

      Re: @Ragarath

      Now, now, now, stop being Sooooo Un-Evolved. We must EMBRACE DIVERSITY!!!!!!

      Perhaps you need to be dressed in a onesie...

    4. Mark 65

      Re: A tech nightmare waiting to happen!

      @Ragarath: Dude, you sound like one of the "no" do-nothing brigade where I work. You are the problem personified. The sooner IT departments learn that their role is not to control the business but to enable it the better.

  3. Anonymous Coward

    I'm going to stick my neck out here...

    Ok - couple of things:

    1) I do not work in an IT department

    2) I appreciate that there are many complexities around running a big IT department which are often overlooked by other parts of management

    3) I'm sure that being in the IT department is like being a goalkeeper... i.e. people rarely remember the successes but always remember the failures

    4) I'm sure that there are many people working in IT departments who are helpful, easygoing and have a constructive mindset.


    It does not seem to be unusual, when talking to someone in an IT department, that any change, piece of work or anything else is met with a sucking of teeth and implicit assumption that whatever is being requested cannot be done at all under any circumstances whatsoever, because.

    By the way, I do appreciate that there is a safety first approach in many places (which I fully support) and an understandable desire to make sure that whatever changes are made don't screw it all up for everyone else. But it just feels like the starting point is "we can't do that and let's think of reasons why not" as opposed to "we can do that, let's think of all the things that we need to carefully control".

    I think that it is that initial negativity, seen often (though not everywhere) which causes the problem...

    1. Vinyl-Junkie

      Re: I'm going to stick my neck out here...

      There is a certain amount of truth in what you say, but quite often the problem arises because the customer says "oh I just want this installed, it does just what we want, it's only for four users and it's free/incredibly cheap" without thinking that the systems people need to assess its impact on the network and infrastructure, the applications people need to ensure it doesn't conflict with existing applications (frequently the reason for retaining older web browsers), the desktop people need to assess its impact on the corporate build (particularly if using managed libraries), the information governance and security people need to look at what data is stored, where, under what T&Cs, and how well it is protected, the support people have to learn what is needed to support it (and what the services and SLAs from the supplier are) and so on.

      Apart from taking time, in most organisations carrying out these assessments is chargeable to the department that requests it, so the "free" application ends up being charged to the department at several thousand pounds.

      I think it is this that causes the sucking of teeth - the assumption on the part of the requestor that because something is for a small number of users it is somehow exempt from the processes (ITIL driven or otherwise) needed to ensure a stable corporate environment.

    2. Anonymous Coward

      Re: I'm going to stick my neck out here...

      I agree with you... too many poor IT departments are staffed by people who think ordinary users are lazy just because they can't use IT approved apps. It's these kinds of IT leaders that need the boot. IT is there to serve a company, not dictate how the company works.

      1. a_yank_lurker

        Re: I'm going to stick my neck out here...

        I think this problem has two basic sources: badly managed IT and incompetent users. In many companies IT is atrociously managed whether the problem is internal to the IT department or external. The net effect is companies that barely are able to function and if anyone does anything intelligent or reasonable the whole facade crashes. However many users do not understand how computers work nor understand their bad ideas could jeopardize a well run IT department. IT infrastructure is often fairly brittle because of its complexity and the diverse user needs. Doing something as a user without understanding how it could affect the other bits is at best dangerous.

    3. Anonymous Coward

      Re: I'm going to stick my neck out here...

      Adding to Vinyl_junkie's excellent answer, there is the problem of people from different teams requesting different solutions to the same problem. So you may not be the first person to have made that kind of request.

      The other problem with personal- or team-size solutions is that the knowledge of that system/solution usually resides in the head of one person and there are likely to be business continuity problems down the road when that person leaves the firm.

      A good IT dept will take the time to tease apart Want and Need (which you may interpret as teeth-sucking as it does take time to think things through); a bad one will make you wait forever for a vaguely related product from their favourite big expensive vendor.

      1. Anonymous Coward

        Re: I'm going to stick my neck out here...

        Adding to Vinyl_junkie's excellent answer, there is the problem of people from different teams requesting different solutions to the same problem. So you may not be the first person to have made that kind of request.

        That's as maybe, but the bit that gets lost by the IT people is that these things get asked because shit needs to get done. Come back in a few months once we've gone through our shitty convoluted process driven by the ITIL wankfest is one of the main reasons businesses become infested with Excel and Access. IT would be smart to pick its battles wisely. That is not something I've ever seen them do in 20 years of cleaning up user created office solutions.

      2. Anonymous Coward

        Re: I'm going to stick my neck out here...

        A good IT dept will take the time to tease apart Want and Need

        That is if the IT department is fully staffed and funded, so has the time and resources to achieve that laudable goal.

        The IT departments I have been in have been understaffed and under-resourced as they are seen as a cost drain rather than a profits generator. So requests for anything that is not on the company or department list of approved programs or hardware were usually met with short shrift, as the person being asked ("normally me") has already been asked for more RAM, a faster/lighter machine, this new software, access to Facebook or Twitter at work etc. many, many times before. So the usual answer, which I got in trouble for ("my inter department or inter personnel skills"), was NO or (sarcastically) NO Problem, if your director would like to fill in the IT hardware/software request form we will generate a budget request form that I will take to my director for approval, knowing full well that 1) I wouldn't get a form and 2) if I did my director wouldn't approve it.

        At my last job I did manage to persuade management to spend some funds, after a number of attempts and getting the negotiated support from some other department directors on the quiet, to upgrade ALL the laptops and 80+% of the desktops and all monitors and roll out Win 7: money for hardware and software but no extra time or staff to manage the testing, software compatibility or rollout.

        With the new kit some of the staff were happier but you can't please everyone all the time; they still asked for their iTunes library on the laptops and for smaller faster machines or iPads.

        I think that a lot of IT people would like to be more helpful and accommodating to users' wants and needs but a vicious circle of being forever ground down does not help, which results in them taking the line they know will be least difficult to achieve and to manage and with less risk, and that is to just say "It's not Possible".

  4. Vinyl-Junkie

    There are reasons why IT departments insist on particular applications...

    “49 per cent [of employees] are more familiar and comfortable with the unapproved application, so using it helps them get their job done more quickly and easily”.

    Whilst the application spaffs employee and customer data over unencrypted connections; stores it in locations not subject to data protection laws (and I very much include the USA in this category), and with no means of enforcing retention policies; and is hosted on sites with minimal password protection, few or no backups of customer data and where security patching is tardy or non-existent.

    Of course it is unlikely that a single shadow application would do all of these things, but any one of them is a good reason not to use it. Unfortunately that 49% either don't know or, more likely, don't care about data security.

    1. RISC OS

      Re: There are reasons why IT departments insist on particular applications...

      Yeah, has nothing to do with what app is best for user or best for the job but what is easiest for the IT team to rollout across their network automatically leaving them more time for Quake online deathmatches.

      1. Bluto Nash

        Re: There are reasons why IT departments insist on particular applications...

        Two points:

        1 - WTF? Who plays Quake any more?

        2 - Of COURSE “the unauthorised app met needs better than IT’s alternative” - the user picked it, without any thought whatsoever to the impact it could have to the rest of the business, the licensing ramifications "Free! (for individual use - corporate use requires a $money/year investment)", interoperability or any other things that we actually DO think about before turning them down. The fact that it can be done in the time it takes to suck one's teeth is irrelevant.

  5. Jagged

    Of Course!

    “the unauthorised app met needs better than IT’s alternative.”

    Of course it does. It doesn't need to bother with annoying things like governance process, data protection, or "God Forbid" that little matter of being in any way supportable!

    If you don't have to bother with any of that stuff it will look cheaper too! Only "look" of course.

  6. Palpy

    Yes, well, guilty as charged.

    The non-shadow IT -- uh, "clean, well-lighted IT" -- at my workplace installs MS Excel. We need to trend 1,000,000+ data records, often in multiple scales, with full scroll-'n-zoom capabilities. I installed KST 2. It works for the purpose and Excel doesn't. IT uses Sequel Server, but common-mud users are limited to MS Access. We use SQLite for our 5-gb, 500,000-record multi-table database, with a simple .net front-end. Etc.

    The point is, unless "clean, well-lighted IT" actually knows what users need to do, and installs the right software to let them do it, then shadow IT will not only persist but expand. In my opinion. *shrug*

    1. Anonymous Coward

      Re: Yes, well, guilty as charged.

      Who supports that database?

      Who fixes it when you're on leave/under a bus/moved on to pastures new?

      Who ensures that the data in it is maintained in line with corporate and statutory retention policies?

      Who carries the can if it breaks?

      Just wonderin'

      1. Palpy

        Re: Yes, well, guilty as charged.

        Exactly right on all counts.

        One alternative: no process data when construction engineers ask for it. Make multi-million-dollar decisions based on seat of pants.

        Another alternative: spend a few years and $50,000 for an IT-supported "professional solution". Actually, we did that. Aside from being achingly slow and clunky, the "professional solution" became inaccessible to users two years after it was installed. And IT cannot fix it. Apparently. Nobody is "carrying the can" on that eff-up, as far as I can tell.

        Perhaps our problem is incompetent IT personnel? :)

        But yes, I've got a succession training program. And it's not like the database and front end are especially complicated -- it's a large but very simple db. And damned fast, if I do say so.

        But the point stands: if IT can't support users, then users will attempt to support themselves.

        1. Hollerith 1

          Re: Yes, well, guilty as charged.

          Yep, me too. I finally went to SaaS, doing my utmost to lock down, secure, etc etc, stuff that was still not much of a risk. Got told off regularly by IT. Told them that I had to deliver to CFO, COO, CEO, and when I asked them they did not know what could do what I needed, so I asked the c-suite if they would approve me going off-piste and I would have something for them in three weeks. Approval given. Delivered in three weeks. Kept notes and manual to hand, plus email of helpdesks, just in case IT wanted to step in at any point. They didn't.

    2. Anonymous Coward

      Re: Yes, well, guilty as charged.

      Instead of SQLite you could have installed SQL Server Express. It allows for 10GB db size and, once your schema was more static, could have easily been moved to one of the enterprise servers. Sure, they didn't help you, and I have to put up with similar shit every day, but meeting people half way or at least considering the future helps build bridges that may well get you better responses in future.

      Not sure about the plotting of live streaming data but R is a damn fine data analysis application with the nice RStudio front-end. It also has the bonus of the CRAN library of peer reviewed statistical packages. ggplot is pretty cool too.

  7. Anonymous Coward

    I sit on both sides...

    ...I work in IT, but I often run programmes I'm not "supposed" to.

    I need audio editors, although we provide none.

    I need to edit XML files, but we don't give out Notepad++.

    I need to use multiple browsers to deal with the appliances and websites, which refuse to all work correctly in a single browser.

    I need VNC as remote desktop is not suitable.

    I use different network monitoring tools as ours isn't specc'd for my team or suitable,

    and on and on.

    On the flip side, if it goes tits up, I fix it or beg for help on the forums, not go running to an IT department demanding that a programme they have never heard of gets fixed.

    The REAL issue is the THEM vs US mentality with a dash of corporate lethargy thrown in. IT doesn't ASK what the end user needs, the end user doesn't say what they would like to do, so each forces their own solution on each other, neither working particularly well.

    1. Anonymous Coward

      Re: I sit on both sides...

      The REAL issue is the THEM vs US mentality with a dash of corporate lethargy thrown in.

      Tell me about it! Similar role to yourself.

      We have discovered a number of "production" database instances not in production environments. Ask to get them in production - nothing done. Operational risk up the whazoo for months and still they do nothing. These databases need no support other than availability and backup. Still nothing done. This will end up on the CEO's desk as they are crucial systems. Who gives a shit about what happened in the past, this is the here and now?

      It is so them vs us it is untrue. They treat the infrastructure as their personal property that we are unable to use. Seriously, where do they think the money comes from to pay for it and them? It's the bloody business, the bit they seem to actively despise.

  8. Metrognome

    Speaking as a proud member of the shadow IT brigade, I see this as a never-ending saga.

    The same article could have been written 10 years ago and most probably would apply 10 years from now.

    The reason at the end of the day is that authorised, properly secured apps tend to be cumbersome whereas unauthorised ones trade in the security for ease of use.

    One tiny example: file sharing with external partners. Our corporate app works on a rather difficult to type URL, requires registration by the outsiders, only accepts *.zip files that contain the company name in the filename otherwise summarily deletes them and has a 50 MB limit.

    Compare with box/drive/onedrive/whatever and you get a shareable URL, 15 GB size limit, 2FA for added safety and you can re-designate a file as no longer being shared after the external has taken it.

    I may accept and respect our policies but my external party doesn't have time to faff on with mindless registrations just to get their hands on a single file, not to mention the amount of times externals have sent me their drawings in a zip folder only to be spaffed by the system.

    1. Ashton Black

      To be honest, it sounds like the policies haven't changed for 10 years.

      At least 10% of the IT department I work with at the moment are involved in assessing new products, re-writing policy and procedure and basically, trying to continually improve. (which does involve retiring old apps!)

  9. Anonymous Coward

    It is possible to eliminate shadow IT

    In our organisation there is almost no shadow IT because:

    *No-one except developers and software teams can run any application that is not on the approved list.

    *Changes to the approved list even for developers have to go through change control

    *Access to sites designated as "personal storage" is blocked by the corporate filter

    *Rights to make changes to your corporate PC are almost completely blocked; other than minor preferences like mouse settings, screen settings and so on.

    *These policies are applied to everybody from the MD to the mailroom staff. Even IT staff logins are locked down in this way. IT staff who need to make changes to the system have to do so under special logins on which all activity is logged.

    Far from causing a user outcry this has led to users being much more specific about their requirements than previously, as a result of which they get software which does what they want, because they have to take the time to specify the requirement clearly instead of spending the time to develop a workaround.

    1. Nunyabiznes

      Re: It is possible to eliminate shadow IT

      This is us except for the last paragraph. Our users still stamp their feet and demand their preferred solution (which is sometimes the correct one!) rather than work with us to determine a solution.

      We would love to help - really - if the user would simply contact us and tell us what they need. We will go find a set of possibilities, screen them for security, compatibility, etc and then forward the finalist(s) to the user for eval. We strive for "best bang for the buck" when we source solutions so it isn't always the cheap/free solution or the most expensive one that wins. Usually we find that some feature of Office will do what the user insists it won't, and if not that then some other program we are already supporting will.

      We still have a lot of pushback on not allowing users to have admin rights on their stations, but that isn't going to change.

    2. Hollerith 1

      Re: It is possible to eliminate shadow IT

      I must have worked for your company or a clone. And I ended up doing a lot of work from home via my own PC, using stuff online and various things I downloaded. Because while my own IT were locking everything down, they also brought everything* to a halt.

      *Wild exaggeration, but not insanely exaggerated

    3. Anonymous Coward

      Re: It is possible to eliminate shadow IT

      You will find that:

      1. Productivity in your company is shit compared to competitors. Companies that are nannying control freaks seldom have great productivity or staff morale.

      2. You do have shadow IT, chances are that it's just not occurring on your hardware. Laptops, tablets etc.

      I've worked for such a company in the past. Stuff didn't get done, and they were unproductive and moving ever further behind the competition. I jumped ship to a more agile setup where stuff got done and things didn't break because they hired competent staff - that last bit goes a long way.

    4. Metrognome

      Re: It is possible to eliminate shadow IT

      Yo, Mr. Lock-It-All-Down, don't be so smug. Look around and you'll find that all your lock down twattery has resulted not so much in shadow IT but in a shadow working environment.

      I'm willing to bet you that your poor users have resorted to way more ingenious and far fetched to override your control-freakery than you are complacent to realize.

  10. Anonymous Coward

    Hardly a rebellion

    But most users are revolting.

    1. Hollerith 1

      Re: Hardly a rebellion

      Users are the people you are hired to support. Who are running the business and making the profits that pay for your wages and kit.

    2. The Quiet One

      Re: Hardly a rebellion

      "But most users are revolting."

      Tell me about it, you should see some of the keyboards I have to use at users' desks.

      Remote Assistance is my preference, purely for my own health.

  11. channel extended

    Me and My Shadow.......

    Speaking as a 'shadow' IT user, my experience is a little different. Long long ago we went from dumb terminals to PC's using a 3270 emulator. My department needed to connect an IBM 3890 to a Z series mainframe. We had been using the IBM version of a terminal emulator for years, when the new director of IT decided to use a third party package. The company approved software worked for almost everyone. We had a PC fail and needed to be reloaded, instead of the emulator we HAD used they loaded the new program. Turns out that this emulator did not quite emulate a 3270 terminal. Close enough for most purposes but not correctly. I requested the correct software and was denied, it was too expensive. After 3 days of the 3890 being down it was finally approved. Apparently losing 3,00.00 a day was enough to pay for the software. I later found out that price diff was about 50.00. It seems we had not done the right paper work to earn an exemption. All it took was the Senior VP of Operations.

    They DID NOT ask us if the new emulator would work when they were deciding what was to be the standard.

  12. Jim 43

    If your users are able to implement shadow IT in an enterprise environment you've got bigger problems than shadow IT.

    1. Mark 65

      Most likely the attitude of your IT staff.

  13. BleedinObvious

    Easy - Allow shadow IT, and full liability for any fuckups or fallout

    Let users install what they want, as long as they agree to complete liability when their non-company-approved software damages the company.

  14. Arcy

    What could possibly go wrong with it

    All well and good, until I have someone standing by my desk with an application that I've never heard of doing something with data taken from some impenetrable spreadsheet, with a bug I've never seen, demanding that it must be fixed by lunchtime. Notwithstanding the real work with supported applications that needs to be done.

    That's why we have these rules, as shadow IT always fails, often at a point where it is most inconvenient. Normally after the 'expert' has left the company.

    Perhaps I can acquire a new expense system, and demand that Finance use this for paying my expenses, and see where that gets me, or maybe I can go and hire a few people and see what HR say.

    As a point though, IT does not define the business purchasing process.

  15. The Quiet One

    Easy to Avoid

    There is no excuse for having Shadow IT. It's the job of an enterprise IT team to serve the company, not hold it back. This means restricting your users to the lowest rights they need to do their jobs (yes, even devs should have a separate "<user>_a" logon for admin rights), implementing web filtering to stop access to file storage sites etc, technology like AppLocker GPOs for software restriction to stop unapproved apps from even running if you get them installed.

    The flip side of this, for IT staff, is to make sure you damn well listen to users. If they have a new tool, let them evaluate it; if it does the job for them, and you are happy with it, let them use it.

    Users need to look at IT as being here to enable them, not to stand in their way for the good of their own stats and KPI's.

  16. Law

    We have a very decent IT department, there just isn't enough of them to get it all done... Including supporting the supported tools.

    Hilariously we use IBM everything... Notes, connections, doors, jazz, sametime.... Fact is the reason we have additional unsanctioned tools is because the IBM ones are so bad, which makes them sponsoring this guff all the more appropriate.

  17. Disko


    You need to up your game to keep control over your business, your staff and your data, and stop blaming IT for your own lack of commitment...
