Is Shadow IT taking over in your enterprise?

Community Video by,
HP Blogger

Christian Verstraete, chief cloud technologist for HP, relates a conversation he had with a bank CTO who was unaware of how much "shadow IT" was occurring in his company. Do you know how much is occurring in your company? And what should you do about it?

Robert Litchfield 3 Points | Wed, 11/02/2011 - 15:06

I think what is being missed in this discussion is the fact that IT departments are restricted by the corporate budgeting system and thus every request from the business is measured against the "big picture" and approved based on this.  Funding requests that may help small teams or even individuals, are often not approved, or the bureaucracy is so heavy our business works around IT.

As long as many IT departments are an extension of the department of the CFO, and thus a way to control costs, we will struggle to meet these needs. Obviously budgets are not infinite, so decisions and compromises must be made.  What we shouldn't be surprised about is that there is a Shadow IT, and we need to learn to embrace it and use it to the better good of the enterprise, even if it makes IT uncomfortable.


John Dodge 1535 Points | Thu, 11/03/2011 - 14:12

Clearly some order has to be brought to this. It's a chicken and egg thing...IT can't provide what LOB wants for budgetary or for whatever reason so LOB goes to Amazon Web Services and expenses it on credit cards. The question is whether LOB should have the latitude to do this. If LOB can show good ROI, who is going to say no? It's a difficult problem.....putting the clamps on stifles innovation. Not putting them on creates chaos. Is there a happy medium? Or just a darn good solution?


Paul Calento 255 Points | Sun, 10/30/2011 - 18:14

While all of this has been going on, the data and systems available for "shadow opportunities" is enormous. The intent of business managers, though, is strong ... they're bought into the "IT agility" concept and they find (or think) traditional IT is too slow. IT departments (and their CIOs) need to find ways to appease these stakeholders in the short term (to give them what they think they want), while addressing the core enterprise security, data access issues often neglected in shadow projects (to give them what they need). 

--Paul Calento

(note: I work on projects sponsored by and HP)

Doug Goddard 123 Points | Wed, 10/26/2011 - 17:15

Excellent topic Christian. This has definitely been going on for decades now hasn't it? At least since the PCs, spreadsheets and rapid application development tools arrived. The Cloud and mobile devices are just adding to the mix. IT rightly does its analysis when a new technology shows up and starts calculating things like security risks, the costs to develop new applications or upgrade legacy applications and so on. Those things take time and the costs are always a concern. The Cloud offers a whole new generation of security risks, outside the corporate firewall, potentially. Business users, on the other hand, start imagining all the useful new things they can do, including those related to business, like social networks, as you mentioned, and they get frustrated with IT taking so long to adopt the new technology. They don't factor in security risks because that isn't what they do and wrongly criticize IT for being too slow.

I suppose one way IT can address the issue is by finding a way to be ahead of the curve, while carefully managing the transition at the same time?


Jim Smith 1 Point | Tue, 10/25/2011 - 14:39

Christian, this problem has existed since the first PC was introduced into the corporate environment and hooked to a network.  I was a CIO of a large bank in the mid 80's and we were already seeing rBase applications popping up written by consultants. We also saw employees going to the PC stores, buying their PC with their own money and then expensing it, just to get ahead of the queue.

As we moved into client server and Microsoft became a force with Access and other tools, the business again went outside.  This Bank had a tremendous CEO and he took my advice and created a corporate policy that IT had to sign off on all outside activities with technology.  This wasn't an effort to strengthen IT, it was a risk issue.  If the business had the money to spend on shadow technology, then his argument was that they had the money to do it through IT.  So to enforce the rule, he held every employee personally responsible for any loss of Bank data, interruption to service or any other loss occurring from the use of "shadow IT".

What many miss in this issue is that the dollars are corporate resources, and the company loses leverage when the use of those dollars are used outside the corporate strategy and the risk of improper use of outside resources represents a risk that that CEO wasn't willing to take.

This is a leadership issue, the CIO should be implementing corporate guidelines for the use of corporate technology and those guidelines are a matter of corporate policy, not the CIO's policy.

How many companies would allow departments to buy their own AP or AR systems outside of accounting, the same for HR systems where IT chooses to go around HR because they are not happy with the service.  CEO's wouldn't tolerate that for a moment, they shouldn't tolerate it with IT either!  If the CIO can't provide the service that he has committed to, you get rid of the CIO, you don't just go around the process and if you do and something goes wrong, the business leader is held personally accountable.  Watch how fast shadow computing goes away then.

John Dodge 1535 Points | Tue, 10/25/2011 - 17:13

You touch on something with which I am very familiar, Jim. When I started as the founding news editor of PC Week in 1983, PCs came in through the proverbial back door and were viewed as a threat to the mainframes they eventually booted out. Just as interesting was what happened to the Big Iron advocates inside IBM, who were clueless about how to harness the true potential of the PC. How did the high command reward the Father of the IBM PC Don Estridge, who had the potential to set Big Blue on the right course? They booted him upstairs to VP of looking back, it was one worst business side-linings then, CEO John Opel had locked in IBM's nadir which would come eight years later. His four year tenure can safely be stowed in the dustbin of IBM's otherwise illustrious history (only his successor John Akers fared worse as the only IBM CEO to ever get fired).

Tragically, Estridge died in a jetliner crash in 1985. A succession of unimaginative empty suits followed and IBM almost vanished in the 1993-94 timeframe. As a story that unfolded over decades, it's probably one of the biggest I covered.

Were PCs the first Shadow IT? Nope. Minicomputers were met with the same resistance and derision as the PC. Some "wild duck" as IBM called renegades will always try to sneak something by the IT gatekeepers. And more power to them!

Perhaps the difference today is pervasiveness of Shadow IT with consumerization and the cloud, which touch on just about everything IT once controlled.



Christian Verstraete 429 Points | Wed, 10/26/2011 - 11:19

John, very good points, and yes some of this will always exist. However, I believe that the real issue is to do with the protection of the enterprise information. As business becomes increasingly global and as intellectual property is less and less respected, protecting the key information of the enterprise is critical. This traditionally belongs to IT, and it's only in advanced enterprises today that the business people are highlighted their responsibility in protecting the key information and IP of the enterprise. Shadow IT is a way to expose that information unnecessarily. So, it's critical for IT to understand that, take it into account and act accordingly in my mind.

John Dodge 1535 Points | Wed, 10/26/2011 - 12:10

Christian, you've hit on the central role for IT, but there is a precedent and that is the PC. All of a sudden, spreadsheets and documents resided on desktop PC hard drives in user land. Users did not have to rely on mainframes, minis or IT to access, store and secure their work. The PC notebook meant these assets could go anywhere. Enterprises and employees benefitted greatly from this. The problem just got a lot more complex with the cloud, a new genre of outside vendors (wireless carriers and cloud companies) and a multitude of devices to secure.

New trends look similar to something that happened before and history gives us the benefit of 20/20 hindsight. But little in IT now is the same as something that happened 10, 20 or 30 years ago... 

Christian Verstraete 429 Points | Tue, 10/25/2011 - 13:17

Joel, I can only agree with you. I'm meeting with CIO's all the time and am really surprised about this. Many of them do not seem to realize what is happening. Like one of my friends told me a while ago, we are like in the late 80's early 90's when Excel appeared on the market. Business people kept requesting changes to their reports and did not get them from IT, so they bought Excel and uploaded the data on their PC's and did it themselves. Results, enterprise data got proliferated everywhere, it became difficult to know what the true numbers were as many copies, taken at different moments, had variations.

Well we are exactly there again, with the additional danger it is no longer in-house, but on the internet. As you suggest, taking an honest look in the mirror is a must. And then it's all about understanding what the business is looking for. Building governance and educating the business people on the implications of the use of the internet are probably the next two steps. Do you agree?

Joel Dobbs 339 Points | Mon, 10/24/2011 - 20:15


A timely topic.  I believe that most CIOs are in a state of denial about the extent of "shadow IT" within their companies. With the availability of SaaS and other cloud-based technologies, such as Amazon's cloud computing environment, and the tools available on most smartphones, tablets and other devices it has become extremely easy to run key components of a business unit, department, or even an entire company using a credit card, an internet connection and an off-the-shelf device.  Add to this the fact that a growing number of SaaS and cloud providers market directly to business users and intentionally avoid IT completely and it is no surprise that the shadow movement continues to thrive.

CIOs need to first be realistic about the likely existence of a significant "shadow presence" within their company.  Second, they need to look in the mirror and ask themselves what needed capabilities their organization is not providing and why.   The answers may be both obvious and painful.