Why the PHB should only be given *minimal* access to any system.
Anything more is asking for trouble.
Nice choice of Battlefield Earth for the picture.
Shadow IT strikes fear into the hearts of many businesses. Unfortunately, most businesses fear shadow IT for all the wrong reasons. It is easy to have a discussion about Shadow IT with different areas of the business by talking about risks that affect them directly. Legal can be made afraid by bringing forth the bogeymen of …
In my workplace, everyone had a clause added to their contract that if they move customer data off official IT systems, they take full criminal and civil liability for protecting that data. There is even a provision where the company can sue said employee if their negligence causes the company to be sued. We bought some very high-priced lawyers that specialize in InfoSec (their most junior lawyer was top 2% of their class at Columbia Law).
These contracts have even held up in Federal Court after a high-level exec hosted some data on his own systems and the systems got hacked. The company settled out of court with the resultant class-action by affected customers, after which the company sued the guy and got the settlement amount out of him plus court and lawyer fees. The guy was senior enough that he had tens of millions in stock, all of which was sold to pay back the company, as was his fancy house, his car, and the yacht. Not that he needed any of those things as he was thrown in prison by the FTC / SEC for gross mishandling of PCI and SOx data.
No one in the company has so much as plugged external storage into their machine since the lawsuit, let alone copied anything to it (we implemented some pretty heavy-duty device management software since then).
Strange thing is, DevOps is always the way me and my teams rolled. Not to go all virtuous and all, just that there wasn't any dividing line for the sys-admin side on through all the other facets of IT including development of new capabilities. Different time.
Unfortunately that means that you fail at even the bare basics of info sec. There are times when DevOps makes sense, but if your company is large enough to employ more than one or two "IT guy(s)" that is not the case. As a consequence you consistently fail to deliver on even the most basic level of infosec, simply by not separating development from operations.
Quite often, the PHB has been trying to accomplish something for a decade or more. Often this is something that should be easy. Their IT department have been blocking them for one reason or another (usually a lack of time brought on by doing the rest of IT badly), and now finally someone has given them a way to bypass the awkward negative people in IT and just get the job done. One swipe of the credit card later, and they have achieved everything they always wanted, and didn't need IT to help them. The reality is that most cloud computing is better protected from a security and regulatory standpoint than almost any internal IT I've seen over the years, so it's not the end of the world. The main issue here is that IT are being cut out of the loop because they have been unable to achieve the promises our industry has been making.
I'm sure I'll get downvoted for this post, even though deep down you all probably know the above is true from the perspective of management.
I'm certainly not going to downvote you because you're at least half right. It's a thing that happens. Sometimes tho, it's not that IT is doing things badly, it's that they're not successfully explaining why they won't do things at all.
Sometimes the reason this happens is that whatever the PHB is trying to get done is stupid and dangerous, IT have said "Not in a million years and here's precisely why", the PHB hasn't understood the "here's precisely why" bit, and then spends ages trying to circumvent the process instead of rethinking the original plan.
Our industry has a bit of a history of promising a pet bear. Sure, it sounds cool, and everyone is going to be impressed if you have one, but sooner or later it's going to bite your face off. Most PHBs don't have the technical understanding to realize that, and most IT staff aren't good at explaining complex problems to people who don't have a technical background.
The reason Dunhumby are a thing is because Tesco IT said it'd take 2 years and £10m.
Dunhumby knocked up a working prototype in a couple of months for less than £100k and shock-horror, bosses jumped all over it.
Anon, because my employer has also pilfered a handful of contracts from companies where internal IT said it'd cost far more than it needed to and fucked the client department around so much that they "lost" what should have been an internal inter-departmental contract, which instead got outsourced to us rather than a department just shuffling some wooden dollars into IT's coffers.
Same employer had a habit of going shadow at previous employers - namely when he was in Web Dev and IT insisted that code for the website be delivered to them to upload to the webservers (including the Dev servers FFS) instead of allowing the web team to actually have access to their own dev servers for their own development work. The mind boggles. That place also ended up with his boss buying some external hosting as "office supplies" on the department card, because IT were so resistant to anyone else being allowed to touch anything computer-related, even on the occasions it was actually necessary for their work.
The role of IT is to provide a safe and secure environment for the business to operate in. If the answer to a query about a business requirement is "no", it is generally the job of IT to present an alternative solution - just saying no is interfering with a business process (unless the question is a genuinely stupid/illegal one, in which case a sensible conversation needs to be had to show the asker the error of their ways). I love the idea above of Strategic IT providing stable management, with tactical IT providing the slightly more "edgy" response to immediate business requirements which a stodgy, slow-moving centralised group simply couldn't shift to.
it's going to bite your face off.
We're faced with a multitude of PHB's that don't seem to understand something as plain as this. Or maybe they stop listening when we say "No" because they think someone is challenging their authority. Either way it's frustrating to get asked the same question year after year and have to say, "Yes, I could do that, but we'd all get fired and sent to prison after I did, so, no, I'd rather not."
"Most PHB's don't have the technical understanding to realize that, and most IT staff aren't good at explaining complex problems to people who don't have a technical background."
No, it's more that PHB's aren't willing to listen. All they care about is, "We need X, Y, and Z--of which at least one is a Unicorn--done, yesterday--and yes, he DOES mean yesterday." The instant you say "here's why" your speech is auto-DEtranslated into something like Xhosa, meaning they never hear or understand the why of it, and it's like that everywhere so jumping ship may just mean jumping into a worse situation.
But there might be a reason for IT dragging their heels over certain things. Will a PHB actually listen to their IT staff? [EDIT - Ha! Beaten to it.]
Like the request I just had in to make the staff list on the website paginate by first letter of the surname. (1) What's the point? There's a search function anyway. (2) There's only a couple of hundred names and the webpages paginate in a rather clever way that utilises the height of the browser window to minimise scrolling and the calculations behind that, if the pages are to display where they break rather than just show a number, would have to calculate everything for every page and iterate the arrays four times over needlessly. So if it happens to break between James and Jones do you want A-Ja Jo-Z or A-J K-Z? In which case it shows the first n letters of the surname until there's a difference (and let's hope it doesn't break between A Smith and B Smith).
"Oh, but the such and such institute do that". "Yes, but I know the sysadmin at the such and such institute and they manually edit their staff pages every time someone joins or leaves rather than just lift it off the staff database, and they employ someone pretty much just to do this job. Thus their IT/web-maintenance staff is 12 people and they outsource on top of that for a department only twice the size of ours; you only employ just 1 person – me."
The problem is that having to quietly explain issues like this to PHBs over and over and over again gets bloody annoying in time; PHBs are like toddlers and have short memories. Eventually "No, and here's why" turns into "No, now bugger off and stop bothering the grown-ups!"
My current place of employment tends to suffer quite badly from this, together with management having "good ideas" which would make Baldrick blush, such are their knuckle-dragging flaws. Tricks such as re-developing some storage space to make a huge open-plan office, despite the long-held loathing of all staff anywhere for such space plans.
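The labelling question in the comment above (where a page break falls between James and Jones, and what to do when it falls between two Smiths) worked through as an added example; this is not code from the original post, and the staff entries and break positions are constructed sample data.

```python
"""Page-range labels for an alphabetically paginated staff list.

Given a sorted list of (surname, forename) pairs and the index positions
where the layout engine started a new page, produce a label such as
"A-Ja" / "Jo-Z" for each page, using the shortest surname prefix that
tells the last entry on one page apart from the first entry on the next.
When a break falls between two people with the same surname, the surname
alone cannot label the boundary, so the label falls back to the forename.
"""


def distinguishing_prefix(a, b):
    """Shortest equal-length prefixes of a and b that differ (case-insensitive).

    If a and b are identical, the returned prefixes are identical too, which
    the caller treats as "surname is not enough, look at the forename".
    """
    a_l, b_l = a.lower(), b.lower()
    n = 0
    while n < min(len(a_l), len(b_l)) and a_l[n] == b_l[n]:
        n += 1
    # n is the length of the common prefix; one more character separates them.
    return a[:n + 1], b[:n + 1]


def boundary_label(prev, nxt, side):
    """Label one side of the break between entries prev and nxt.

    side=0 returns the label for prev (end of the earlier page),
    side=1 the label for nxt (start of the later page).
    """
    a, b = distinguishing_prefix(prev[0], nxt[0])
    if a.lower() != b.lower():
        return (a, b)[side]
    # Same surname on both sides of the break (A Smith / B Smith):
    # fall back to the surname plus a distinguishing forename prefix.
    fa, fb = distinguishing_prefix(prev[1], nxt[1])
    return f"{prev[0]} {fa}" if side == 0 else f"{nxt[0]} {fb}"


def page_labels(entries, breaks):
    """Return one 'lo-hi' label per page.

    entries: (surname, forename) pairs; sorted here so the caller can pass
             the raw query result.
    breaks:  indices into the sorted list at which a new page begins.
    """
    entries = sorted(entries, key=lambda e: (e[0].lower(), e[1].lower()))
    bounds = [0] + sorted(breaks) + [len(entries)]
    labels = []
    for p in range(len(bounds) - 1):
        start, end = bounds[p], bounds[p + 1]
        first, last = entries[start], entries[end - 1]
        # First page starts at the first letter of the alphabet actually present.
        lo = first[0][0] if start == 0 else boundary_label(entries[start - 1], first, 1)
        # Last page ends at the initial of the final surname.
        hi = last[0][0] if end == len(entries) else boundary_label(last, entries[end], 0)
        labels.append(f"{lo}-{hi}")
    return labels


# Constructed sample data: seven staff, with page breaks after entries 3 and 5,
# so one break lands between James and Jones and one between two Smiths.
SAMPLE_STAFF = [
    ("Adams", "Zoe"), ("Baker", "Ian"), ("James", "Tom"), ("Jones", "Ann"),
    ("Smith", "Alice"), ("Smith", "Bob"), ("Young", "Kim"),
]
SAMPLE_BREAKS = [3, 5]

if __name__ == "__main__":
    for label in page_labels(SAMPLE_STAFF, SAMPLE_BREAKS):
        print(label)
```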
"(1) What's the point? There's a search function anyway. (2) There's only a couple of hundred names and the webpages paginate in a rather clever way that utilises the height of the browser window to minimise scrolling and the calculations behind that, if the pages are to display where they break rather than just show a number, would have to calculate everything for every page and iterate the arrays four times over needlessly. So if it happens to break between James and Jones do you want A-Ja Jo-Z or A-J K-Z? In which case it shows the first n letters of the surname until there's a difference (and let's hope it doesn't break between A Smith and B Smith)."
Or just do a sorted query on the driver database and use that to drive the website so the data's sorted already?
There's the problem the PHB thinks is the problem, and then there's the real problem.
"you only employ just 1 person – me."
You might want to check your ego a bit there. If you've built a system where it is difficult enough to implement any kind of dumbass sorting that a PHB is *going* to ask you for that you have to complain about it on the internet, you're doing it wrong.
@TRT I hate to say it but what you describe there is what's driving this. If your job is to code the website and they ask you to code it a certain way then your opinion is not important - the business wants it that way and they actually don't have to explain their reasoning to you. Yes, I agree that your way probably is better. Yes, it makes more sense, saves some CPU cycles etc. but is it what the business wants? NO.
IT suffers from a lot of people who feel a driving urge to do things correctly. We suffer massively when some arty or managey type decides to do things differently because we can't accept their requirement - it's not correct therefore I can't implement something inferior. Sometimes the solution is JFDI - save the argument for the big stuff. In your case, pagination won't cause any actual issue so you may as well comply before you are worked around. When PHB asks you to retain customer data indefinitely, breaking the DPA that's a business issue and you would be right to argue.
Amen to the O.P. Working somewhere right now where there are genuine business needs that IT refuse to address. Really unnecessary and whimsical things such as: ensuring all trades are accurately captured in the central trade capture system rather than having supplementary deal information held in countless downstream systems, validating deal capture to ensure contradictory information isn't being entered, ensuring there is a suitable mechanism to interrogate this central data store without needing to resort to direct database and table access thus hard-wiring systems together. At every stage the answer has been no so now the business attitude is "fuck you we'll just get it done ourselves". We already have more highly skilled developers with far deeper domain knowledge. Not to mention that for several things we have requested they have tried pushing us towards "the cloud" despite our protests that systems are far better kept in house especially as we're creating and processing up to 100GB of data per day.
Centralised IT will always be behind the curve which is why you need centralised strategic IT and business-aware tactical IT to help prototype systems and functionality without creating a record macro mess.
"Centralised IT will always be behind the curve which is why you need centralised strategic IT and business-aware tactical IT to help prototype systems and functionality without creating a record macro mess."
Ooh! I like that phrase. It encapsulates in business-bingo exactly what the problem is. Though nowhere does it say "Shadow IT" (whatever that is, it would help if there was a definition in the article) is the answer. Perhaps a better understanding by management would help.
We face similar problems where the central directorate impose change managers brought in from other organisations onto central IT who then declare that "IT provision and administration has grown organically over the years without central coordination and an overarching vision resulting in a proliferation of incompatible systems", like it's a bad thing. The "organic" response to a business need usually results in something tailored and efficient, a tactical response. What we don't need is for this to be ignored and e.g. vLANs ripped out and fully randomised DHCP imposed resulting in expensive network license servers going rogue, walled-garden data capture rigs appearing on the open intranet, VOIP systems falling over, IP-based semi-authentication systems failing.
"Working somewhere right now where there are genuine business needs that IT refuse to address. "
In our case, the IT department was asked eighteen months ago (not an exaggeration, if anything it's an underestimate) if it's possible for them to provide data connectivity for a particular group of mobile devices to the corporate network whenever they are in range of corporate wifi. As we are still waiting for an answer, we're probably going to have to move the "Band Aid" 4G solution into some form of production use. Even if they'd given us a "No", we could have formed a Plan B - but with no answer at all, we don't have authorisation to look into other options as it is assumed central IT will do it until they say they can't - but they have explicitly said they can't answer the question yet, and when asked for wifi coverage maps we can't have them as they are "for IT use only".
I find it hard to criticise the existence of Shadow IT in a place where that kind of thing is allowed to happen, and when "end user" departments in the business are hiring their own IT people (because we're being told "this is not an exception, this is the way Central IT works"). Especially as I'm one of the hires ;)
That doesn't mean I support PHBs going off and doing their own thing without some professional input, as that way leads to chaos - but the "official" way of doing things is probably slightly less fun than running a marathon through molasses.
If your start point is "current IT systems are failing to meet requirements" then yes, obviously IT will be part of the problem. Often it's more a manglement issue, with the symptoms visible in IT, but you may find similar bollocks exists in other areas of the business.
Since you're at the stage where you're solving your work issues yourself, and have your own dev team, I'm a little at a loss why this is an issue. You can do your job currently (presumably making trades) and you already have the tools for it. You'd like nicer tools, that do some of the dull but vital parts of your job, and you've employed people to build them for you. But the issue is that IT weren't prepared to build them for you?
My guess would be (assuming decision makers know the issues) that there is a suitably slow and comprehensive update planned to solve all these issues, but telling the troops about this is a Bad Idea, and since no-one's bothered to get input from them, it's also going to have a bunch of problems, which is why it's delayed, and other options to address it are given a "no".
My advice would be:
- document all the change requests, detailed plans and suggestions, along with examples of currently produced solutions.
- show the business case for doing things your way (follow the money etc)
- get some feedback, especially from the hostile groups. That's when you'll (hopefully) discover the real reasons why you've been getting denied
If you've really got things the way you say, then take complete ownership of the systems from IT. Including all support, running costs, and risk coverage.
Just a general comment on traders (which I presume you are). Since they are time and results focused, traders often overlook (or deliberately avoid) anything that can slow them down or stop a trade. This almost always ends up with them getting very close to the line of legality or other complete failure risk. It's also why traders usually hate Risk and Compliance, since all we (appear) to do is shit on perfectly good deals, since no trader believes* they are making bad deals. Having traders who can get around certain checks and balances has led to a number of high profile, and many low profile, bankruptcies of firms that should have been rock solid.
I'd presume you were one of the good 'uns, that you're not trying anything dodgy, but it's very hard (from the IT/Risk management perspective) to prevent "tactical" IT solutions from circumventing the strategic ones.
I wouldn't downvote you tho. Even the basic details you've given indicate that a cloud based solution would either be so massively specialised it wouldn't really count as cloud (maybe hybrid cloud), or someone is telling a pile of porkies to get what they want. Well, more porkies than usual.
* or they believe they can pull themselves out of the hole before anyone notices
"....We already have more highly skilled...." Ah, the sweet smell of opportunity! Sorry, but as a contractor that is exactly what I'm looking for in a target company - resource-hiding (if you have higher skilled staff why aren't you sharing them?), knowledge hoarding, lack of tactical and strategic communication, and a breakdown in trust between the business and the IT Ops and Dev departments. And the good news (for me) is employees like you will make it even easier for me to sidle in and sell you something you probably didn't need or could have done better yourself, if you'd only had a better CIO.
All the big consultancy companies, they look out for things like different arms of the business having their own business analysts and/or project teams (guaranteed it will be because they are not sharing and working together) - it screams shadow IT and opportunities!
@Matt Bryant: "....We already have more highly skilled...." Ah, the sweet smell of opportunity! Sorry, but as a contractor that is exactly what I'm looking for in a target company
Sorry dude, but I am a contractor and have been for the last 20 years. I have the domain knowledge and the skills which is why we now bypass the internal IT team that has zero, and I do mean zero, desire to learn the business they support. We don't share the higher skilled staff because IT are control freaks. As soon as you lend them a resource they'll totally hamstring what you can and can't do, tie them up in bullshit and nothing will get done. It's why all their good people left and we spend IT budget on what we want. Competition, it's a good thing isn't it?
"....bypass the internal IT team....." I'm sure you think you do, indeed you may actually have all the relevant skills, and be employing them in line with your company security policies, but probably not. I remember going to a big corporate in London (a highstreet name) to discuss a centralised and virtualised Windows farm (the Big Thing before "cloud" became the Big Thing). Their CIO assured me they knew everything going on in their network. I bet him a hundred quid he didn't. A quick port scan showed up over 200 unauthorised and insecure MS SQL server instances, set up without the knowledge of his IT team, many with such bumbling flaws as the admin password set to "password", and many holding customer data that was covered by the corporate's data security, retention and privacy policies. Even worse, the numpties that had set up their own database servers had tied them to their own web servers, again with awful security. One web server was also set up as a BitTorrent system! Needless to say, not only did I get my hundred quid but we got the contract and several employees were shown the door.
More often than not, in my experience, shadow IT is a massive opportunity for consultancies to come in and scare management with security and compliance blather. If, as a contractor being paid to look, I come in and find it then it will make you look very untrustworthy (or worse) to management that are often terrified of being sued or fired over privacy blunders, and myself as both more trustworthy and skilled, regardless of how good a job you think you did. If my company aims to supplant you as the trusted technical advisor in the account (which we will do if you are perceived to be the barrier to making business in the account) then don't make it easy for us by putting a shadow IT rope around your neck.
And no matter how cool you think your boss is, when push comes to shove he will probably not put his hand up and stop you getting fired, he will probably have already covered his backside. I would advise that, if you get asked to create anything "off the books", then make sure you keep a record of all the emails (print them out, do not rely on having access to the email server if you are being fired for a security issue!), and make sure you are witnessed asking "Does this comply with our security policies?"
Just to add my tuppenyworth, if you are in a position of responsibility and some internal department is blocking you from an action, there is probably a damn good reason for it. Be it IT, Legal or HR, there is usually a very sensible reason why you *can't* have it.
But those reasons *will* be ignored if the PHB wants their pet project. I've experienced more than one company wrecked by such activities, where the IT requests were denied, then denied with full explanations, then denied with full explanations from Legal as to why an expensive internal solution was essential versus cloud storage. Then it somehow managed to make it to the board, who at least knew a critical risk when they saw it.
PHB still went ahead with a "pilot", which turned out to not only be slower than our internal kit, but also managed to leak trade secrets via AWS. Lots of logins from Russian and Chinese IPs...
At least that one has a happy ending. Some of those trade secrets were classified as national security. PHB talked his way out of getting fired, only to end up doing 4 years for espionage.
> if you are in a position of responsibility and some internal department is blocking you from an action, there is probably a damn good reason for it.
Which may be a business reason, or it may be the macdonaldisation of IT with skills dumbed down and a large amount of management & coordination of disparate groups eating up the budget, instead of more expensive techies.
Do your PoC in the cloud, but then do a proper analysis of what's required based on the results of that PoC, don't run up cloud PROD at the same time.
Just to add my tuppenyworth, if you are in a position of responsibility and some internal department is blocking you from an action, there is probably a damn good reason for it. Be it IT, Legal or HR, there is usually a very sensible reason why you *can't* have it.
No, actually there isn't. Sometimes in life you just happen to come up against obstructionist pricks in a cosseted position of power and they say no because: 1) they likely don't understand and don't want to look stupid and reveal the tenuousness of their tenure, 2) love the feeling of power they have. Believe me when I say I have experienced this nonsensical bullshit first hand. Some people are just tossers. You might want to believe that everything is done for a valid reason but I'm afraid your outlook is far too clean-room for the real world.
Of course, a lot of people now slapping themselves on the back for being elite system administrators were precisely the PHBs complained of here: they were able to buy a couple of Suns or, more recently, a little x86 server off a local budget and therefore declare UDI from the enterprise mainframe herders.
I was once privileged to be part of a DBA conference call with my clueless colleagues in a more-rural-than-my-site head office who were outraged that their upperest mostest boss had brought in outsiders to do a logical database design. "We've been trained to do that! Why bring in that shower?" they cried in unison.
"I'll hazard a guess" I said, rising to the challenge. "I'll bet it's because we have the reputation that by the time we've figured out how to address a user requirement it doesn't matter any more".
I was made to sit in the uncooperative corner. But it was worth it. I was championing Relational Database Technology (all caps because it was A Cause) in an effort to defeat that very perception in our user base, but had recently been told by my head of department that for the next project he wasn't at all interested in discussing speed of delivery, and that relational databases were (and I quote) a passing fad.
You can't argue with facts like that.
[Edit: Pretty much says what others have been saying]
"The reality is that most cloud computing is better protected from a security and regulatory standpoint than almost any internal IT I've seen over the years, so it's not the end of the world."
Well external IT suppliers need to be regulated, whereas your own IT department answers only to the needs of your business.
Adding two more external providers to deal with (ISP and Cloud) is not going to make life easier. Oh sure! At the outset, when the provider is hungry, they will bend over backwards for you. What if they can't manage rapid growth and you want/need to leave their cloud? How difficult will it be to do so? Sure! The contract states you "can leave" but that doesn't mean they have to help you. Perhaps your own IT department can do the work, if short term thinking hasn't eviscerated it. Who has the leverage?
A cloud, used to get a business or new IT application up and running is a good idea; but it should be done with an eye to the horizon. A business needs the ability to take control and sail the vessel with their own crew.
"Well external IT suppliers need to be regulated, whereas your own IT department answers only to the needs of your business."
Isn't it more the case that external providers have a contract, and you get everything in that contract and nothing else, whereas internal IT has to respond to any and all requests at all levels of approval and sanity. Plus if IT says "x is possible" they'll be held to it, whereas an external group says "x is possible, it'll cost y".
For a comparable case, if I'm consulting for a company, and some PHB wants me to do a task he should really give to his own minions, as long as I get paid (and it's legal) I'll do it. Data entry at $200 per hour? Sure thing. Fix your shitty formatting? Why sure, just sign off here. Sure, there's a bit of a stink when they realise their management by dumping shit elsewhere doesn't work so well when they have to pay for it, but the PHB has to own up to it at some point.
If I'm working as an employee, I'd tell them to fark off and have their staff do it, as there is not a simple way to "back charge" the PHB. And I'll get in shit for taking on tasks that should be someone else's problem. So then rather than the "fly tipping" PHB being the problem, you are for not saying "no".
So a lot can depend on whether the decision the IT department is making is going to set a precedent, or is a one off. Or is the start in a long series of one offs...
Their IT department have been blocking them for one reason or another (usually a lack of time brought on by doing the rest of IT badly), and now finally someone has given them a way to bypass the awkward negative people in IT and just get the job done.
I know, but it IS a real problem. All these managers going off and buying IBM PC microcomputers for their employees on their own budget. Don't they realize that these toys will never be able to accomplish anything like what the mainframe does? Computer time is expensive, and has to be allocated fairly according to the company's goals.
"Quite often, the PHB has been trying to accomplish something for a decade or more."
And failing to explain exactly what they want, to furnish the same attempt at explanation more than once or to answer questions as to the little details they omitted. Not that any of these things will stop them trying to do something themselves nor from expecting someone else to sort it out a few months down the line.
The popularity of the PC is because it was used to bypass having to get it done on the Mainframe. The department could write their own program rather than get the IT department to do it. IT managed to claw that back.
I agree that people doing their own IT can cause problems. I provide email services and build servers that customers can keep their email on yet still they open a GMail account.
Well, there's a couple of reasons on that though.
As others above have (rather exhaustively) pointed out, IT usually says no because what they're being asked to do is fundamentally insecure or impossible. Moving literally all your workloads to the cloud if you make 4K movies is a recipe for disaster which is insanely obvious to IT staff but sounds hugely attractive to management ("hey, we can get them to work from home! No-one will ever have an excuse to miss a deadline again!"). Storing all your data on cheapinsecurecloud.com might save some money too, but will result in your IT staff who actually understood basic infosec training screaming in horror. Having to explain this sort of thing to supposedly intelligent people gets tiresome after the 15 millionth time.
But also, the big delay factor might just be down to overwork and lack of training in your IT department. If you have 15 IT staff and haven't bothered to train them in 10 years then yeah, they probably don't know how to cut down their own workload through modern, rapid automation systems that are built in to most modern kit. If you have 5 IT staff trying to do all the project and 3rd-line support work for 80,000 end users, then yeah, they probably have a 2 year+ waiting list on change requests. These are not IT staff's fault. These are management failures. Blaming IT staff for management failures caused by other management failures is hardly fair, especially given that most of the engineers at the coalface are pulling 12 hour days just trying to keep up with an ever-expanding workload and not getting the training they need to stay on top of the rapidly shifting techs they work with day-to-day.
Basically, if your IT department hasn't done anything about that project you've wanted to roll out for 8 years, then the answer might be that you need more IT staff (not IT managers, IT STAFF), not that you need to go find some unvetted service you don't understand to upload all your sensitive data to.
@naselus most of your assumptions about cloud are incorrect. Infosec on cloud is every bit as mature as on premise, and 4k video is fine in the cloud if you understand the full lifecycle of the data and work with the cloud rather than against. It's not always the solution, but you seem to assume it's always not the solution, and to paraphrase your post "Having to explain this sort of thing to supposedly intelligent people gets tiresome after the 15 millionth time."
Funny how no-one here has mentioned the biggest problem with PHBs that I have found, which is that THEY say NO, for years and years and years.
"We would like to upgrade the email system, we would like to upgrade the desktop, we would like to put in instant messaging, we would like to automate our patching and monitoring, we would like to develop a better reporting system for end users."
And every goddamned time I've been involved in such an initiative, it's been knocked back - sometimes for half a decade - by PHBs who don't want to spend money. Or who are too chickensh*t to try something new.
And then some vendor comes along with a cloud offering, which actually ends up costing MORE in the medium-long term, and suddenly the credit card comes out. And WE get the blame for management inertia and not being "agile" enough.
How can we get to the boardroom table (or cocktail cabinet or golf club) to pre-empt shadow IT, by campaigning to broaden the services IT proper offers to cover the need that spawned this issue in the first place?
The first problem with fighting battles on who provides IT Services is knowing there is actually a battle going on.
(me, I tend to provide hourly reports when things fail to my manager and his manager, even if it's 3am. That tends to get the root cause analysis focused on making sure it does not happen again.)
Buying kit is not usually the biggest hurdle - it's implementing a service on it to some level of standard with all the documentation, revision of poorly defined service requirements, manual authorisations, process, third parties, delivery partners, access controls, provision of support budgets & skills etc. that make it time consuming. The PHB buying a cloud can almost automatically be assumed to have no idea where the issues in his organisation are...
That's what the CC did, whether or not you liked it.
I've been playing with Digital Ocean myself, as a teach myself building servers thing and it is awesome just how fast you can get something that works.
The problem is that the PHB thought that the "one click" install, where he did everything as root and didn't SSL is safe enough for the dangerous data he then puts on it.
A true real PHB wouldn't know what you meant by the term 'root'.
He/she would think that you were referring to plants in the company garden/car park.
One wannabe PHB with an MBA a few years ago told me 'I don't need to know that'. I was telling him about SSL/TLS keys expiring and that we needed to put into place a process to procure and deploy new ones.
'Just make it happen' were his next words. (watching far too much Star Trek IMHO)
'Ok' I said, 'approve this purchase order for the new keys'.
'Oh, I need to <expletive deleted> first'.
'How long will that take?'
'About a month. We need to discuss it at the next Steering group meeting'.
'The keys we have expire in 10 days. If we don't have the new ones in a week then there is a danger that the business will go belly up.'
'We still need to discuss this purchase. Is it really needed?'
My reaction was to thrust the purchase order at him so he physically has his hands on it and go home.
I quit the next day. I was on a one month rolling contract so it was easy to get the hell out of dodge.
The company went to the wall about 9 months later. The PHB had been appointed MD a few days before it went titsup. Apparently he kept blaming others for the demise right to the end.
We've done it. The internal quote for hardware for a project was 2 million a year.
We put it on AWS, on the boss's credit card. 60K a year. If we move that to bid instances we could have cut that even more, but the cost of doing it was more than the saving. I.e. wait until the requirements go up, then do that bit of work.
So the loser was internal IT who can't put together cost effective hardware. The winner, the business.
So for commodity IT, back up, email, conferencing, phones, it's all going to go cloud. Period.
I'd love to know what servers you're using as last time we spec'ed out a cloud environment it worked out way more expensive before you even took into account the large data flow requirements. Machines didn't go that large either - memory didn't go over 150GB or so which is no good if you're running massive simulations between correlated items where structure is required. Think things like simulating half-hourly electricity spot prices from simulated forward curves across linked regions where you need to maintain correlation and market structure.
Which is fine where, off the shelf, non-sensitive, non-business critical data is held. On this I couldn't agree more. However, where we diverge in opinion is where there is customer sensitive data and all the legal, security and other implications of using the public cloud.
AWS have an uptime SLA of 99.95% and a penalty of 10% (in credits) so if they broke that SLA, no matter how long for, you'd get 10% off your monthly bill (assuming it was less than a month). Not really an inspiring SLA.
"What's your internal SLA? If you miss it what happens? "
Depends on employer :)
Varies from "nothing, just fix it" through "You're fired" all the way to "welcome to gitmo".
It's almost never what's in the SLAs that's the problem, it's what isn't in there that someone assumed would be. With internal, you can at least make a case for intent over wording. With external, it's whatever is in the contract.
"SLAs mean very little. What counts is actual performance."
True. If your work is on someone else's computer and that someone else is N times larger* than your company and something goes TITSUP what priority does your problem get from that that someone else compared to the priority it would get in-house?
*Where "N times larger" is measured in orders of magnitude.
SLAs can mean a lot, but the services they document were often designed in simple % terms for uptime, rather than in performance terms including critical periods, and they can't be scaled at an economical price. Or the business/ financial leaders thought they would underinvest and wait until push came to shove.
Are there still architectural and business purists who believe that IT and business strategy can be perfectly aligned over 5 years? These days 5 months can be a challenge, so Shadow IT (whether cloudy or user-developed including spreadsheets, client/ server or whatever) is always going to crop up. And what starts as a stop-gap becomes an undocumented and invisible legacy risk for businesses with immature asset management.
We all know that major wins can be had by ignoring the boss and bureaucracy. Yes, there's always Mr Clever in HR, Marketing or Sales who never got to work in IT, and who's IT department are smug and inefficient, and now he's going to repay this disrespect by playing games with services and requirements he doesn't understand, just to show everyone who's boss. Proper policy, internal education, and proper conversations would fix this, but building good culture requires that all parties are co-operative and play nicely.
It's a business, architectural, and risk/ security management question. If you're herding cats instead of having these mature conversations aligned to practicable policy because the Richard Heads don't understand "You can have it cheap, you can have it right, or you can have it now. Pick any two", then overall, you're in a dysfunctional business. Good luck.
'the Richard Heads don't understand "You can have it cheap, you can have it right, or you can have it now. Pick any two"'
Definitely. I remember some course organised at corporate level but by chance one of the facilitators/instructors/wankers/whatever was a senior manager from the business I was in. He was spouting about having quality, low costs and rapid delivery. I raised the concept of the iron triangle. Not only had he never heard of it, he just didn't believe it.
2 million vs 60k, there's something very wrong there.
But anyway, I know a boss that did the credit card and cloud thing. In went the devs, added disk, processor, web servers, uploaded data, downloaded data, added more hosts, databases etc etc.
Left the hosts on permanently processing with all CPUs, automatic overnight jobs to download and upload the data.
Went on for a while.
Unfortunately I wasn't a fly on the wall for the conversations with finance.
"2 million vs 60k, there's something very wrong there."
Wrong to the point that it's borderline unbelievable tbh. I could see AWS charging you $60k a month for a system with a lifetime cost of $2 million, but not $60k a year vs $2m a year. Every single quote I've ever had from any public cloud provider has barely saved money over a 3-year period, let alone had 97% cost reductions ongoing.
Either the IT department failed to explain the timescale they were spreading the costs over, or else the OP's got his timescales muddled imo.
Being an aged flatulator all of this discussion reminds me of circumstances many, many years ago. Back then it was not some 'cloudy' service that the PHB waved his plastic at, but a Personal Computer and IT were buried in the bowels with their Mainframe. And we all know how that ended.
And we still have staff, both developers and management, going out buying Macbooks because IT seem to think that a 5 year old Dell with 2GB of memory and McAfee configured to scan every IO operation is fine for running Google docs on Chrome.
So the BYOD strategy is working out fine :)
Other than the RAM being a bit skimpy, and a poorly configured AV, I'd have thought that not much was wrong with the 5 year old laptops. Well, new batteries if they've been used.
Having McAfee as the standard AV doesn't bode well tho for sensible IT purchases :)
Honestly though, most corporate IT types have their heads facing inwards and are not aware of the marketplace, alternate vendors, tools, applications etc. out there. This is not a criticism. There are so many and so much BS that frankly they can't possibly have time! Analysts such as Gartner et al focus only on the big players and don't have a comprehensive list with the "fly by night" warning that you need. Thus leaving corporate IT constantly on the defensive.
But likewise, despite the numbers of 'cloud applications' appearing with new fangled technologies and whose slick marketing offer a 'swipe and play' experience, I've yet to see one who remotely understood the challenges and intricacies involved in implementing and integrating a system into a corporate environment. "What do you mean we can't just use our proprietary database integration adapter on the SAP Oracle DB?", "What do you mean integrate with your problem ticket management?"...
No one as yet is working out how to bridge this 'corporate level requirements' vs. 'new wave of technologies' bridge that has opened up. The traditional corporate software vendors want to pretend they play in the 'new cool' space and so you can't get them to admit or address this at all. The new vendors are naive and often surprisingly arrogant about the intricacies of ticking the boxes and implementing something properly.
It's also why cost estimates vary wildly.
I've seen waaaay too many external bids that include the cost of integration, support and user training as nil. The internal bid includes an estimate for time/wage costs for installation, integration and training. Turns out these things are quite expensive, often running to multiple times the purchase cost in the first couple of years, so internal bids look bad.
Then after selecting the external bid, all the extra costs end up on the IT department. Who then get pressured to make cost savings, and some meathead will find another service to outsource. Rinse, lather, repeat.
Not only have successive cuts in funding made fewer community services available for the disabled and disadvantaged in our society, we now have the long shadow of Shadow IT. The non-IT-trained developer "Shadow_man" appears to have put the boot into some of those management organisations which provide information to the voluntary sector on stuff like funding sources, sponsors and sector oriented Training.
In the last 12 months I have seen another on-line form (built using Survey Monkey) being circulated in this sector, which was so botched that it couldn't take some unique Tax Identifiers. The company type was not available for selection from those proffered via the Dropdown Menu and there was no override option with which to add my own. Upon enquiring, the Shadow_man instructed me to select a different type of organisation from the list and register using that. He also assured me that there was "no software involved" in the development of or in the delivery of, the on-line survey. And certainly there were no scripts involved.
Same shadow_man is now exhorting cash-strapped community organisations to buy into WordPress.com, enthusing that it is "better" than WordPress.org because you never need to worry about updating again.
I tried to register a new .org.uk domain with WordPress.com, but the online form couldn't process domains with this extension, for some reason I have not yet been able to fathom.
Talk about Shadow IT wasting people's time and their already meagre resources.
Not long to wait now ............
ALF
by "IT by inflight magazine"
Used to work in an organisation where the senior execs spent most of their time flying around the country (yay! out of the office and out of our hair) in planes (boo! because of exposure to inflight magazines, so half-baked strategic directions when they landed).
"IT by inflight magazine"
Oh yes, I've had to respond to many a sent-from-the-road email asking why we don't have big data analytics in the cloud. I really wish they'd focus more on the ads for the executive dating services.
Flying from time to time, I've also thumbed through these magazines. It's amazing how many companies place "infotisement" articles, and it's no wonder why things like Salesforce et al became so popular. At the same time, the choice of advertisers and the nature of the content set an interesting vibe. I can just picture a middle-aged sales executive in a suit settling in to his 90th flight segment of the year as the target audience. Not being in sales, I'm not sure how relevant this stereotype is anymore...how many sales guys these days are like the guys you used to see at trade conferences when that was the only way to learn about a product?
Well, you can try being pro-active rather than re-active. I learnt a long time ago from a very good IT manager, a civil servant, about controlling your PHBs' sources of info. As an example, we had a list of PHBs that were not allowed to go to trade events or IT-related training courses. Companies that sent unsolicited invites to our PHBs got a call warning them to desist or be put on our blacklist. Trade rags/mags were surreptitiously removed at the mailroom. Senior PHBs got sent on planes with a massive presentation with the instructions that they had to read through and understand it all, just in case the customers at the destination asked (or, for real effect, suggest you have heard a rumour that the CEO is going to ask them about it). Contractors, consultants and salespeople were identified and kept away from management as much as possible, and tall tales of what horrible things they could do to a PHB's career were dropped whenever impressionable PHBs were around. The personal secretaries to our board members and senior PHBs were carefully managed with the best desktops, phones, printers and services, so they would help keep the unwanted away from their charges. Vendors and resellers were informed that the boardroom was off-limits, on pain of instant removal from the pre-approved vendors list, and were told that our company ethics policy prevented any senior management partaking of events or gifts (it didn't). When possible, our preferred reading and subject material was fed to the senior PHBs to keep them focused on where we wanted them to go. And any instances of shadow IT unearthed were isolated and received the worst support (bordering on sabotage). And, most importantly, we controlled all the reporting mechanisms with a slew of privacy and data-retention policies - knowledge is power, and being the purveyors of knowledge was key. Happy days!
So how do you deal with people who find ways to directly contact board members or have connections to major investors/backers who could make things uncomfortable come next board election? Much as one tries to be proactive, there's always a spanner/monkey wrench in the works, it seems.
Thank you for that - it's a perfect way to describe some of the boneheaded, buzzword-driven 'ideas' that have recently popped out of the woodwork at my place of work (and further proof that I really need to get a new job, quickly)
(given that one of the PHBs was recently on a jolly in Las Vegas, it may even cross over into the aforementioned realm of 'IT by in-flight magazine')
AC, because ... (a 'shoot me, now' icon would be handy)
For most IT types, however, losing control of anything is simply antithetical to their nature and they're working double-time to squash it.
None of these issues, however, are the really big reason to fear shadow IT.
Can't agree with you there. A football match without a referee is just a punch up. Losing control is the big one and all the chaos afterwards is just natural consequences of that. Placing your bollocks into another's hands -shadow IT- is bad practice in IT, business and life in general.
About everything. Seems similar to hospital administrators attempting open heart surgery. Please leave things like that to "experts".
My "experience": Long time ago (it was the 80's), the company I was at was getting a new phone system. Lots of training and the like, and I noticed that the PHB had a session of training all to himself. What a waste. His secretary administrative assistant probably needed more training, and he needed a simple phone just to answer questions from the board of directors.
Sometimes those in the trenches need to get things done, but don't have the proper "stuff" to do it, and then they think out of the box. Sometimes this is good, and sometimes it isn't, hopefully those with the expertise will have a say, and help those who need help. For those that don't "get it", there is the BOFH method.
Hmm. If one department is taking on the responsibilities of another (PHB doing IT by credit card instead of delegating it to internal IT), it's probably important to figure out why.
Some folks seem to be saying that if the PHB mistrusts IT, and that mistrust is well-founded, then it's okay for the PHB to make decisions without IT's input.
That sounds like an argument for two wrongs making a right. That kind of thing usually doesn't end well.
Shadow IT is nothing new, we used to call it Guerilla IT and practised it for many years, we did it because in our company IT was The Dept of No. Our dept was basically European Service and if you think IT budgets are tight then think again, we used to dream of the day when we could afford a shoestring ...
Anyway, after a long time doing a good IT job outside of IT proper I pushed my staff to go legit, I moved to Projects (sort of devops smokin' a pipe and wearing a 50's cardie) and eventually borged into IT as an application specialist and projects lead.
I've seen both sides, shadow IT can be a disaster but if it's driven by proper business need and done right it can deliver what IT can't.
I was often approached by staff in the business about ideas because they knew I would treat even dumb ones (ideas) with respect and try to explain the best way forward and, more importantly, not make them feel small and stupid. Avoiding humiliation is a powerful driver of behaviour.
Equally, I've often seen within IT total frustration where we can see that reactivity to business need is key but there is neither resource nor money to deliver. We all suffer when IT is just seen as a cost centre and the business couldn't care less about how overworked we are; then the descent to a siege mentality and The Dept of No is inevitable.
Fads and trends are not just a feature of our society, they are our society, so IT by magazine and buzzword explosions is just the way it is. To counter them there are simple questions, does it increase profits, does it reduce costs, does it improve service, does it provide capability? If the answer is yes then counter with "prove it!", politely of course.
Having moved from the shadows into the light, now I am truly lost to the world, the dark has devoured me, I am but a wraith, a parasite, I will suck your IT budget dry and adorn myself with the husk.
Yes, it is true, I am The ITSM Consultant, run, run now...
I don't think I qualify as a PHB, and my shadow IT is at least done in cooperation with the official IT, but they don't know what I need and I do. It involves a Linux VM in the server room which I get to set up as I see fit. I managed to strew a couple of banana skins for the unwary, I forgot that the default set-up doesn't allow root login either via SSH or at the GUI screen, so despite giving the password to IT, they couldn't get in until I set them up a user account with sudo privilege. (IT uses remote desktop to the GUI, I use ssh so I didn't even think of it.)
That's not shadow IT. First up, you did it with IT so they know about it. Second up, it's on-site, behind the firewall and access-controlled. The concern around Shadow IT is that if they're using non-company resources outside our control we can't protect them from their own lack of knowledge, so they may expose the company's data or systems to dangers that they're completely unaware of.
This was long before the cloud. The marketing department at the time decided to build their own database server. We were not consulted and our boss told us to stay away and let them hang themselves, which they did after blowing a big hunk of their budget on a consultant and an under-spec workstation instead of a server.
When other projects came about, we were duly called in for a consult long before they were implemented. Lesson learned. :-)
"Executives and finance people can be made to flinch by showing them the real costs of using the public cloud over a three-year period versus doing it all in house."
I realize this crowd is not going to agree, but this is clearly wrong. Anyone who has ever done a TCO study of cloud vs on prem will know that cloud isn't just less costly... it's way less costly. No point in even having this discussion. As every software provider which has started in the last 15 years is native SaaS and every other software provider's number one goal is to move to cloud, you will have cloud.
IT: Morny. EyeTea sorbeess, Huw may Eye Lelp U?
Worker: Umm, Hi, our antivirus say it is expired. Could you help us renew it?
IT: Tick NunBa?
Worker: What?
IT: Tick NunBaa? Uor Ticky NunBa?
Worker: Err, We don't have one yet.
IT: One Mo mint (5 min later), Wat's Uor Papam? Sir?
Worker: Arr, our antivirus is expired...
IT: K, Any Moar Papam Sir?
Worker: just the renewal.
IT: Wii com on End of Ness Weed
Worker: Umm, we need it as soon as possible.
IT: Sowbee, Owly Ness Weed, OK?
Worker: .... just get it renew as soon as possible.
(Next Week, it never came, and a month later a separate antivirus was install by a shadow IT)
Joke aside, it is based on a true story. While there are plenty of well-organized and highly productive IT support teams, I have met enough IT support staff that I could question the productivity of the company. You see, in a company environment, IT employees are like any other employee and may not provide any more than their quotas, whether it is work load, responsibility or assistance.
On the other hand, most PHBs judge events based only on their limited knowledge and often can only see that their employees and/or IT are not helping them, even though they may be busy assisting in reinforcing the company's infrastructure or limited by management. There, Shadow IT is the fill-in for issues that came in between IT, employees, management and PHB.
The better way of seeing them is as separate IT contractors, who may or may not be in compliance with the company's requirements but will be under whoever's (employee, PHB) contract. You may think it is a loss in control, but in truth it is more about existing issues in the IT system in correlation with employees, management and PHB. If the employees and PHB never had IT issues that cannot be resolved in the company, Shadow/Rogue IT is never needed.
If you want your company rid of Shadow IT, you need to fix the issues employees and PHB have with their productivity correlated to IT. The more you limit the IT services required, the more you encourage highly skilled hacker contractors into the company just to fix an existing issue. Unless the issue came from higher management, then you can either convince the management to an alternative solution that all parties agree or let the company rot (those are the type with management that likes H1B IT support anyway)
(meanwhile, the previous antivirus has been expired for 1084 days; you can see why we need shadow IT so badly when we can't even get an up-to-date antivirus to scan attachments for viruses)
I'm not a PHB, but a 'umble teacher, having been in Software Dev for 30 years before that.
Our corporate IT department has no idea how a school operates - we have just been taken off our own domain and put onto the mega-corporate domain.
Access to printers is determined not by person, but by computer "role" (student or teacher) and room. Which is fine - except on a typical day I will teach out of 2-3 rooms - if I want to print to my staffroom printer from a room that is not assigned to that printer - tough.
The @!#$@s have decided that students don't neeeed to have their "documents" folder mapped to a network drive, so when they save their work it is on that machine only. I am most annoyed that f'wits with no clue are telling me what I am allowed to teach with (I use as much FOSS software as I can so the students can access it from home).
I would like to apply the Rabz Doctrine (normally said of government departments): "Sell the staff into slavery, Kill it stone dead, burn it with fire, salt the earth containing its ashes".