
The "Shadow IT Department": Do IT Staff Help or Hurt IT Use in Organizations?

I've been thinking lately about organizational barriers to Web 2.0 and one of the thoughts I had was that the IT department can get in the way of implementing a lot of social media and Web 2.0 tools.

It appears that Ben Worthen of CIO Magazine is seeing this too, as he reports in a recent article, Users Who Know Too Much (And the CIOs who Fear Them). In the article, Worthen introduces the concept of the "Shadow IT Department" that has developed as a result of users having unprecedented access to Web 2.0 tools that make them more productive on the job:

"An April 2006 survey by the Pew Internet and American Life Project found that 45 percent of adults who use the Internet said it has improved their ability to do their jobs “a lot.”

These are your employees, and their message couldn’t be clearer: Technology, at least in their eyes, has made them significantly more productive. But CIOs shouldn’t be patting themselves on the back just yet. For this productivity boost the study credits the Internet, not enterprise IT, not the technology you provide, not, in short, you. And while Pew’s finding undoubtedly includes people who use the Internet to access your corporate applications, Lee Rainie, the Pew project director, says the research is not pointing to what a good job CIOs have been doing. . .

According to Pew, 42 percent of Internet users download programs, 37 percent use instant messaging, 27 percent have used the Internet to share files, and 25 percent access the Internet through a wireless device. (And these numbers are all one or two years old. Rainie “would bet the ranch” that the current numbers are higher.)

Does that sound like the tools you’ve provided your company’s employees? Do you encourage them to download programs and share files? Do you support IM? Have you outfitted a quarter of your company’s employees with wireless devices?" (My emphasis added)


Ben goes on to suggest that we're experiencing the growth of a "shadow IT department" that is the result of the "fundamental disconnect that has always existed between those who provide IT and those who use it."

"Users want IT to be responsive to their individual needs and to make them more productive. CIOs want IT to be reliable, secure, scalable and compliant with an ever increasing number of government regulations. Consequently, when corporate IT designs and provides an IT system, manageability usually comes first, the user’s experience second. But the shadow IT department doesn’t give a hoot about manageability and provides its users with ways to end-run corporate IT when the interests of the two groups do not coincide." (My emphasis added).

The culture that has developed in many IT departments is one that says that when users want some new functionality, there's usually a reason why it has to be done IT's way, or else they promise they'll make a change . . . eventually.

Worthen suggests that IT departments shouldn't even bother trying to fight Shadow IT. It's a recipe for stalemate or outright defeat, he says. Instead, IT should be following the "golden rule":

“There’s a simple golden rule,” says David Smith, a vice president and research fellow at Gartner. “Never use security and compliance as an excuse for not doing the right thing. Never use these as sticks or excuses for controlling things. When you find that people have broken rules, the best thing to do is try to figure out why and to learn from it.”

Other strategies that IT Departments should use to deal with Shadow IT include:

  • Find out how people really work.
  • Say "yes" to evolution.
  • Ask yourself if the threat is real.
  • Enforce rules, don't make them.
  • Be invisible.

Worthen concludes that "Messy but Fertile Beats Neat But Sterile." I couldn't agree more.

How does this apply in nonprofits? Well, I'm not sure how active the Shadow IT department is in many organizations. It's been my experience that nonprofit staff are much less likely to be pushing things like IM, wireless devices, etc., although I think this is beginning to change. And as it does, I think more and more IT departments will find themselves dealing with Shadow IT.

Even if they aren't doing so now, though, I think that these are issues for organizations to start considering. There's a reason that users in companies are drawn to Shadow IT solutions--they help them get their work done more efficiently and effectively. To me, it seems that one of the responsibilities of IT staff in an organization should be to act as technology stewards rather than technology gatekeepers. Worthen's article is a great way to re-think IT's role.


You can follow this conversation by subscribing to the comment feed for this post.

I'd like to be an advocate of this kind of progressive thinking, but as an IT support person at a sizable hospital, I see all too often the negative - and costly - effects of rampant end-users.

In spite of some fairly restrictive policies on our corporate PCs, our users still routinely download and install software that causes all sorts of grief for IT. For example, like many other companies (I suspect), we might like to allow the use of alternative browsers, 3rd party toolbars, or the like, but the web-based apps that we rely upon for mission-critical operations are geared towards Microsoft's Internet Explorer. Version 6.

End of discussion. Other browsers need not apply. Google toolbar. No sir. AOL Instant Messenger? Can't happen. Latest Java or Flash plug-in? Massive headaches! We're straitjacketed by what our vendors will support. Period.

So every time a user installs some new goodie like Yahoo! toolbar, we're stuck dealing with the aftermath of some innocent-sounding, fun little program interfering with applications that are quite literally tied to patient care. Do you really want to give your users the latitude to experiment when it could mean that Mrs. Johnson in room #512 might not get her meds on time by doing so?

Or even with a less extreme situation, can you really afford to allow Sue in Purchasing to install Google desktop when doing so will mean that she won't be able to issue purchase orders for medical supplies until we go clean up her PC? Or Cindy in Finance can't cut payroll checks because of pop-ups she got by way of playing online poker?

So, yes, I like the idea of giving users the freedom to experiment, learn, and grow in their computer literacy, but if we don't retain some fairly tight controls over this stuff, there are immediate and costly effects.

On the topic of instant messaging: Given that most users don't yet make efficient use of email - which is virtually instantaneous within our campus - I have yet to see any real need or practical use for IM. Were we to open up this capability, I'd bet that it would simply become a means to circumvent the accountability of phone use logs.

Rob, you make a number of good points here and I appreciate you taking the time to reply so thoughtfully.

Obviously you have to consider the havoc that's wrought when apps that people download interfere with the kinds of mission critical activities that you describe. And certainly I wouldn't say that the aftermath of online poker or a "fun" toolbar should be on the list of "acceptable uses" of the system for workers. But I do think that the notion of looking at people's work processes and determining what it is about certain productivity apps that's appealing is a good one.

I also wonder about the issue of communication. In my own experiences, IT often acted like users were idiots, never explaining to them or anyone the impact of downloading programs. Instead, a problem would arise, IT would come over to find out what had happened, find out it was because the user had downloaded something or whatever, give the user hell, and then disappear to try and fix it. Often the IT staff wouldn't bother to calmly explain what had happened so that the user could learn from the experience. Instead, the user was made to feel stupid for having made essentially an innocent mistake.

If nothing else, I wonder if this doesn't point to a need to improve the quality of communications between IT and user staff. I'm not suggesting that this is the case in your situation, Rob. Just saying that in my experience, this kind of thing could be handled differently in many organizations. And I do believe that the fact that Shadow IT departments are on the rise indicates that something isn't working with the systems.

I do agree - why just patch up a problem when, by educating the user, you may be able to prevent it from happening again? At the very least you can hope to make the user a part of the solution so that they understand just how much effort goes into fixing the end results of their mistakes or (in some cases) misdeeds.

Oddly enough, the users' efforts often seem misguided. That is, they're off downloading the latest cutesy animated emoticons with which to jack up their Outlook, all the while I'm practically begging them to allow me to help streamline cumbersome and wasteful legacy processes and they turn a deaf ear.

And while I've tried to be an advocate for some newer, cool tech - like tablet PCs in appropriate settings - the users will often ignore very good advice that comes from a couple of decades of experience and squander money and efforts on junky or inapplicable technology instead.

Somehow we tech stewards and the users we support need to sync up... And probably you're right - the starting point may be for us to acknowledge that end-users aren't always bumbling and insidious newbies and IT guys don't always have to be demeaning, control-freak geeks.
