Shadow IT Management – Which Pill Morpheus?

By Geoff Smith, Sr. Solutions Architect

 

The term “Shadow IT” has gotten more and more people thinking about the challenges we all face as we try to rein in our IT management and operations.  Recently, I caught a few minutes of the movie The Matrix…now, that movie is a bit of a visual trip, but once you get past the effects, the underlying dilemma it presents is intriguing.

It seems to me that if you accept the notion that people will gravitate towards the easiest ways to get their jobs done, then you have to wonder if the tools and procedures you have in place are likely to encourage compliance, or force rebellion.  As in the Matrix movies, what appears to be happening under the surface may actually be something completely different once you have peeled back the false construct you assume is reality.

It has long been known that IT people are an innovative and, well, curious lot.  We will try just about anything once, and if we find something that allows us to “better” manage our environments then we may cross over from the fringe into the shadowy world of the truly obscure in search of the truly arcane.  It’s almost a badge of honor to demonstrate how to solve IT challenges without relying on the industry best practices or accepted solutions.

The real question is, is this really a bad thing?  If you think back to The Matrix, the false construct did have its advantages.  Sure, you were effectively enslaved by machines, but at least they gave you a good fantasy to operate within.  You had juicy steak and cool clothes and the slickest cars (BTW that is a 1965 Lincoln Continental with the “suicide doors” in the movie).  And as far as anyone else in that reality was concerned you were as legitimate as they were.  So what’s wrong with that, especially considering everyone else is in the same boat?

Shadow IT, especially as it applies to IT Management, may have its benefits, but it also carries a lot of risk.  For every off-the-grid tool that performs a function within IT, or for every service you rely on that may not be fully vetted, you may have exposed your organization to potential abuses, both internal and external.  Where do these tools come from?  How reputable is the organization that developed them?  Does their use create security vulnerabilities?  Do they violate standing policies or put compliance at risk?  And is the information you’re getting reliable?  How critical are they to the underlying functionality of your business systems?  Who on your team really understands their purpose and use?

So if we have accepted the fact that these tools and services exist, and that in all likelihood their use is prevalent in our industry, what do we do about it?  To blunt their use is to shut the door on creative innovation within our teams.  And frankly it’s not that easy to stop. To lower our standards and policies and embrace their use could lead us into situations where our lack of control and enforcement results in bad things happening.

Red pill or blue pill?  Do we accept the risks, and tell ourselves that those bad things are so unlikely to happen that the benefits outweigh the risks (or – hey I might just be the equivalent of a Duracell battery but since I don’t know it I’m happy)?  Or do we drop into a harsh reality where getting things accomplished might be more difficult and frankly less visibly rewarding (or – I’ve traded steak for Tastee Wheat but at least I know what I’m really eating)?  What if there were a “purple” pill available?  An alternative to the options of pure fantasy or brutal reality?

There is a purple pill, and it’s not an answer but a question.  That question is why?  Why does my team feel they need to “jack-in” in order to accomplish anything in our environment?  Why can’t they get done what they need to with the approved tools and services already at their disposal?  Why do these policies and restrictions exist in the first place, and are those reasons still legitimate?

It’s about structured enablement and inclusive decision-making.  Gather your teams and work from the inside out.  Start with what they feel needs to be accomplished to meet the organizational needs.  Understand the gaps between how they work and the policies and procedures that are in place today.  Are there areas of consolidation or elimination of steps that can be taken to improve efficiencies and render some of the shadow services useless?

As you re-architect your approaches, also look for ways to improve the working environment for your teams.  Are there tasks they are required to perform that have become so rote and uninteresting that they have fallen into the shadows?  If so, rather than re-populate your teams with these tasks, look to move them into a more tightly controlled environment.  This may be accomplished by automation or even by out-tasking to a provider (under a strictly defined and controlled contract with full auditing and reporting).  And don’t forget that these “basic” functions are the foundation of a well-oiled IT machine.

In all transparency, I have watched The Matrix a number of times, and while my attempt to tie this concept of Shadow IT Management into the movie may have fallen short, I do think it’s not whether you choose the red pill or the blue one, but it’s the fact that you have the ability to make that choice at all.  There is a difference, after all, in knowing the path and walking the path.  Fate, it seems, is not without a sense of irony.