Any thoughts on "Shadow IT"?

Hey guys,

I’ve been in some kind of IT role for the past ~20 years. I’ve worked for a couple of Fortune 500 companies, but most recently I have been acting as an outsourced IT Manager for mostly small to medium sized businesses in the SF Bay Area. I’ve heard a lot of other IT Managers / Directors complain about “Shadow IT” which is often blamed on developers / software engineers.

If you haven’t heard the term, it usually refers to non-IT members installing and using their own tools without the approval or knowledge of the IT department (Correct me if I’m wrong here).

Personally I think “Shadow IT” can lead to technology innovation within an organization. For the companies that I’ve worked for in an IT support / management capacity, I try my best to be on good terms with everyone and offer developers and other non-IT people a path to use the tools that help them get their jobs done without negatively impacting the performance and security of the network.

I realize that while this may have worked in the organizations that I have managed / supported, there may not be a one size fits all solution to dealing with “Shadow IT”. That said, I’m curious what others think about the term “Shadow IT” and how to best introduce new tools / software into organizations without breaking things or compromising network security.

I’m all ears!

-IT Dave

Hey Dave,

Great topic! As a software engineer, I hate the idea of not being able to install the software I need on my machine. I understand this makes life difficult for IT, but having been on the sysadmin side of things as well, I think IT should make life easier for developers, not the other way around. Obviously I’m biased but I agree, “Shadow IT” can lead to innovation. It encourages developers to be scrappy. If we have to jump through hoops just to install a new Node.js version, or upgrade a browser, that creates unnecessary roadblocks (at least, unnecessary in my mind) to actually building stuff.

Now, having been on the sysadmin side of things, let me play devil’s advocate: how can IT manage to keep things in order and keep the network secure if these pesky devs keep installing random software on the network? There have to be processes in place, or the system will descend into chaos.

My question is: what should those processes be? Should they make life easier for IT, or easier for developers? Ideally, we would have both – I don’t want to make life unduly difficult for IT, at all. I just want to get my job done.

I guess I’m just begging the question here, as you’ve already asked: how do we introduce new tools and software without compromising network security and operational capacity in general? I don’t have the answer to that question, but I’m hoping my perspective will spur someone into responding. I’d especially like to hear an IT perspective that argues against my point of view.

This concept sounds so old - even for an old fart like me (my first computer was a Sinclair ZX81). It is a concern from the PC era.

Nowadays even Fortune 500 are going BYOD, aren’t they? And does it even make sense with remote-friendly and remote-first companies?

As a remote software engineer I work from anywhere. Anywhere in the world. I pick my own hardware, OS and IDE. I work on my own time. The company stack is FOSS and everyone collaborates over cloud-based solutions. And when everything is cloud-based, the computer is little more than a glorified computer terminal - like this one I used 40 years ago:

image.jpg2776×2464 1.75 MB

The PC is dead. Long live the Shadow IT.

Hey Paul,

Shadow IT is and old concept but I can tell you that it is still a thing. I agree that organizations are increasingly moving toward cloud apps based apps, however there are still many companies with on-premise servers and / or hybrid infrastructures that run legacy applications and services that are accessed by connecting directly to the corporate network or via a VPN connection or some type of secure remote desktop / app solution. In this case, it is important for IT to have some control over the devices that are connecting to it so they can ensure the security and reliability of the network as well as enforce standard configurations and policies across all corporate devices.

While many companies do allow BYOD, if a company has legacy on-prem servers or applications BYOD devices do not always and typically should not (for security reasons) have the same level of access to network resources as a corporate managed device. I have seen some companies that allow authorized users virtually unrestricted access to their corporate network, however is not a IT or security best practice as you might imagine.

I mostly agree with your point about computer becoming more like glorified computer terminals, however, the PC is not dead just yet. So until that time, I think that IT departments, developers and other end-users should work together to maintain a frequently updated list of supported tools and applications. If someone wants to use a new tool, there should be a quick review process to determine how the new tool will be licensed, supported and whether or not it will have any negative impact on the business’ network or systems.

I realize that every organization is different, so my suggestions may may not work for everyone, but I think its might be a good place to start as opposed to your comment about “Long Live Shadow IT”. My problem with your approach is that as an organization grows, if everyone can install whatever tools they want, licensing and support can quickly get out of control.

Hey Austin,

Thanks for the response. As I mentioned in a reply to another user, I think it would make sense to have a formal process in place to get a new tool added to the approved / supported tools list.

The review process should be quick and take less than a week (hopefully more like a day or two). It could be a simple as a short justification form that you submit to your manager. Once your manager approves, the form would then be sent to the appropriate person / persons in IT to approve or perhaps ask for some additional information. Does something like that seem reasonable?

Hey Dave, thanks for starting the conversation! I worked at a company that implemented a more informal version of what you’re describing, and for them, it made sense. For a startup, I’m not so sure – developers at startups have to be empowered to choose the tools that make sense, that allow them to move quickly. Even with a 1-2 day turnaround on requests, this process would be a major blow to productivity and would likely kill a smaller company. At the same time, an informal process would likely kill a larger company.

This raises an interesting question: at what stage should a company start moving away from informal IT and towards a more formal system like the one you describe? What are the “tiers” of IT? In other words, if IT is a spectrum, from informal to formal, what are the major milestones along that spectrum?

I guess there isn’t a definitive answer whether Shadow IT is good or bad. It all depends on how innovative and technically motivated the engineers and the IT team are.
For instance, in one of my previous organizations, I know an engineer who wasn’t very experienced and he went around the IT controls and updated network settings on his machine and when he couldn’t connect to the corporate VPN, he escalated the issue and IT team had to firefight because that machine was supposed to be at CES next day.