re: The Shadow IT Threat
As an IT manager who needs to support 300 users, manage over 40 different systems (including SAP), run a helpdesk, and implement solutions and manage projects (all with a staff of 2, including myself), I can tell you that I do not allow rogue IT groups to exist. Why? Because I am the individual who is personally *accountable* for the control of IT. All of IT, I might add.
For those who favor the existence of such groups, I ask the following rhetorical question: When the rogue "IT" group in Accounting has one of their analysts, Fred "The Database Expert", implement a solution in the Accounting "silo", who supports the solution when Fred leaves the company? You can bet that no one in Accounting will know how to support his solution, nor will they want to take ownership of the problem. Who do you think gets a phone call when this happens? I can tell you, it's not the Accounting manager. Allowing the existence of rogue IT groups is bad policy. If there is an IT solution to be crafted, then IT needs to be involved. If the company realizes a valid business need for this solution, then the company will find the assets and resources to get it done... with IT's oversight and management. To combat the "spawning" of rogue groups, I have implemented numerous network access controls, procedures and policies at my company.
Imagine that a user wants to put a USB color ink-jet printer on their desk because it will make them "so much more efficient". However, the *company* (not a single group within the company) made an earlier business decision to centralize print services to control costs and save money. Why spend the time to centralize print services just to let groups do what they want? Doing so creates support issues and increases cost, because now that group is buying ink cartridges and has limited expertise (or time) to work on problems. And when the printer breaks, who do you think they will call? That's right, the IT group. To combat this at my company, IT controls access to all ports on all PCs. If a user should decide to buy a desktop printer on their P-Card (or bring one in from home), they will not be able to use it on company IT equipment. This is communicated to the users during orientation and throughout the year. It has been very successful in eliminating a rogue mentality as it pertains to print services.
What if a user wants to put their new personal laptop on the network? The answer is no. IT has the network locked down via IP reservations tied to MAC address. Nothing gets on the network unless IT has allowed it. For security purposes, no personal computer equipment is allowed on the company network. IT policies and controls also prevent any user from installing software of any kind on their company workstations. All software distribution is managed by IT, as it should be.
Why behave in such a Draconian fashion? In a word: control. Control of processes, procedures and policies. Businesses are at risk if they are not in control of their processes. Money can be stolen, equipment can be damaged, and people can even lose their lives if there is a loss of control over processes. In addition, companies need to operate as a single organism. People need to view the business as an enterprise that moves forward as one unit. Successful businesses do not operate in separate silos of activity. Anyone who has implemented an ERP solution, such as SAP, will tell you this. This mentality goes for groups within an enterprise. You cannot have a singular vision for IT and move IT forward as one unit if you have these rogue groups operating outside the scope of the mandated IT organization.
I also look at this from a personal perspective. I was hired to run IT for the company. I cannot be in control of IT processes or infrastructure if I allow rogue groups to exist. How can I be in control of my network and its related security if I allow anyone outside of the IT group to add a device to the network? The answer is simple: I cannot. Assume I allowed a rogue group to operate and implement a solution in Marketing that somehow caused the network to crash. Does anyone actually believe the president of the company will ask the Marketing manager why the network crashed? Of course not. She will ask me. And what do you suggest I tell her? "You need to talk to Marketing's IT group"? Give me a break.
Allowing these rogue groups to exist is bad for your company, bad for your legitimate IT organization, and potentially bad for your career. It is not how an enterprise should operate, at least an enterprise that wants to move forward as a collective in control of its processes.
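The post above describes locking the network down with IP reservations tied to MAC addresses. The following is an added example, not code from the poster, of how IT could audit DHCP lease events against that reservation list to spot devices that were never provisioned or that moved off their reserved address. The lease line format, the MAC addresses and the IPs are all constructed for illustration; a MAC address is self-reported by the device, so this is an inventory and detection aid rather than an authentication control.

```python
import re
from dataclasses import dataclass

# Constructed allowlist: DHCP reservations IT has issued (MAC -> reserved IP).
RESERVATIONS = {
    "00:11:22:33:44:55": "10.0.1.10",
    "00:11:22:33:44:66": "10.0.1.11",
    "00:11:22:33:44:77": "10.0.1.12",
}

# Constructed sample lease events in a simplified "<timestamp> <mac> <ip>" form.
SAMPLE_LEASES = """\
2024-01-15T09:01:02 00:11:22:33:44:55 10.0.1.10
2024-01-15T09:02:17 00:11:22:33:44:66 10.0.1.11
2024-01-15T09:05:44 aa:bb:cc:dd:ee:ff 10.0.1.99
2024-01-15T09:07:09 00:11:22:33:44:77 10.0.1.50
"""

LEASE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F:]{17})\s+(\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    mac: str
    ip: str
    reason: str


def audit_leases(lease_text: str, reservations: dict) -> list:
    """Return one Finding per lease that is not backed by an IT reservation."""
    findings = []
    for line in lease_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not lease events
        ts, mac, ip = m.group(1), m.group(2).lower(), m.group(3)
        reserved_ip = reservations.get(mac)
        if reserved_ip is None:
            findings.append(Finding(ts, mac, ip, "unknown MAC: no IT reservation"))
        elif reserved_ip != ip:
            findings.append(Finding(ts, mac, ip, f"IP mismatch: reserved {reserved_ip}"))
    return findings


if __name__ == "__main__":
    for f in audit_leases(SAMPLE_LEASES, RESERVATIONS):
        print(f"{f.timestamp} {f.mac} {f.ip}: {f.reason}")
```

Run against the constructed sample, it flags the unreserved device at 10.0.1.99 and the reserved device that appeared on 10.0.1.50 instead of 10.0.1.12.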