There is an ancient Chinese proverb about a farmer who loses his horse. For those who have not heard it, the story goes like this: There is an old farmer who lives close to the border with his son. One day, his horse runs away. His neighbors come to console him, but he only says, “How do you know it’s not fortunate?”
A few months later, his horse returns and brings back a magnificent stallion with him. His neighbors come again, this time to congratulate him. He tells them, “How do you know this is not unfortunate?”
Later, his son falls while riding the new horse and breaks his leg. His neighbors return to console him, but the father then says, “How do you know it is not fortunate?” Then a war ensues, and all capable sons are called up to fight. Most are killed in battle, but the farmer’s son survives because of his broken leg.
The point of this story is that sometimes things that seem unfortunate at first can actually be a blessing. The converse is also true: sometimes things that seem like blessings can actually be the opposite.
The reason for bringing this story up here is that it is a useful illustration of something happening in IT. Sometimes there are things that seem undesirable, but they can actually be beneficial when viewed in a certain light, when approached in a certain way, or depending on the circumstances.
For example, this may be true when it comes to “shadow IT” – that is, the adoption of technology without the IT organization's involvement or knowledge.
The Shadow IT Struggle
For the past few years, most IT professionals have struggled with the adoption of “shadow” technologies. Consumer-oriented technologies, cloud services with free or pay-as-you-go pricing, mobile applications, etc., all make it relatively easy for individual users and small groups to adopt technologies without including IT in their deployments.
This practice can be problematic in many ways. First, without central oversight, it can be difficult to ensure that technical risks are addressed.
Second, shadow IT weakens standardization efforts. Individual departments or users can choose different solutions to the same fundamental problem, creating complications in support and processes, as well as challenges of integration down the road.
Third, if several different groups adopt the same technology, this can lead to suboptimal pricing – when purchasing is negotiated centrally, volume pricing may come into play. Lastly, it can lead to waste of organizational resources and overall inefficiency.
However, there may be circumstances in which shadow IT can be harnessed – in part, at least – for the benefit of the organization. Now, don’t get me wrong – I’m not suggesting that IT professionals go out and actively cultivate shadow technology in their organizations.
The problems and risks associated with this are very real and should be considered and approached with seriousness.
That said, it’s not necessarily negative all the time. If shadow IT is going to happen anyway – and it will – then it is important that we learn as much from it as we can. In fact, depending on how you choose to respond when you encounter shadow IT, you may find that it can actually be somewhat beneficial.
What can we learn
The first thing to note is that there is an underlying root cause for the adoption of shadow technology: an unmet business need. Why would individuals or business units go to the trouble of finding and using new applications, technologies, or services if they felt they already had everything at their disposal to be maximally effective? They wouldn’t, right?
When faced with shadow IT, it means that there is something that these people want to do that they feel they cannot. This may be because they want something new that IT does not provide.
It may also be because IT offers it, but they either do not know that or there is something less attractive about IT's offering – e.g., speed, flexibility, differentiation, etc. Shadow IT tells us something about what we can do better – or other services we can offer – to make sure people have what they need to be effective.
Beyond showing us what may be needed, shadow IT can help inform us about important new technologies that are coming down the pike. This can directly inform decisions we need to make about things such as the security controls we need to implement, how we allocate budgets, and how we optimize tools and processes.
For example, if we are seeing an increase in SaaS, what might we need to do to protect data stored outside our perimeter? If we are seeing pockets of Docker use, will our existing asset management processes and tools remain relevant in a container-centric world?