‘Shadow Tech‘ – we IT folk do enjoy our cool-sounding names don’t we?
The term Shadow Tech refers to the use of consumer technology by the workforce, usually in a way that is not sanctioned by ‘Corporate IT’.
Generally speaking the IT department does not like the business to use any technology that they (IT) haven’t selected, procured and learned how to support. The instinct of your average IT team is to declare shadow tech verboten, often citing ‘security’ as the reason.
Today’s shadow tech manifests itself in the form of iOS and Android devices. Our employees have them at home, love them and can see how they will help at work – but the IT team says “No, it’s not safe“.
‘ICT as Denier’ is a dangerous role to adopt. I’ve already written about the battle with pernicious ‘security’ but when it comes to shadow tech the real threat is to the IT department – the threat of irrelevance.
We can illustrate the risk by casting our minds back to Shadow Tech 1.0. Less than 30 years ago the IT Dept. was about number crunching and centralised computing – the mainframe was still king. Then in the late 80s and early 90s the Personal Computer (PC) started appearing in people’s living rooms. “Wow!” the people thought “These PCs are great, I can see how this would really help me with my work.”
The IT Department said “No – that’s not how we do it – if you want some computing doing come to us and we’ll sort it out for you”. So the business promptly ignored IT and went out and bought PCs.
PCs proliferated on desktops throughout the organisation and a person in each area would often adopt the mantle of ‘the guy who knows about computers’. Within a few years we had mini-IT Departments all over the place, less control at the centre and an uncoordinated ad hoc approach to technology exploitation.
Wind forwards 20 years and many organisations have now managed to wrest control of ICT back to the centre. The PC (laptop) is ubiquitous but that’s OK because it is now approved and controlled by the IT team. Meanwhile, in the data centre, the mainframes have gone and Windows servers hum away contentedly – all is well with the world.
But hark! Here comes Shadow Tech 2.0 the iPhone and iPad started appearing in people’s living rooms. “Wow!” the people thought “These mobile gadgets are great, I can see how this would really help me with my work.”
The IT Department said “No – that’s not how we do it – they are not safe. If you want some computing doing come to us and we’ll give you a proper computer”. So the business promptly ignored IT and went out and bought iPads.
We know what happens next because we’ve been here before.
(There’s something here that needs exploring around the importance of ‘Institutional Memory‘ in helping us avoid repeating the mistakes of the past – but that’s a post for another day)
Again Corporate ICT loses control – but this time the stakes are far higher. Both the volumes of data and the sensitivity of the data in use are hugely increased compared with 25 years ago. If the end users succeed in bypassing the IT Department then there’s a real risk of a security breach (and near certain compliance problems) – and the users will find a way to use these devices at work because people are clever.
The CIO’s role in this is to act as a trusted advisor to the business. IT should be a door-opener not a gate-keeper. The IT team need to get ahead of the curve and work out how to use these amazing new devices safely. Buy lots of different models and trial different management software then go back to your business users and say “Hey, look – we’ve worked out a way that you can use these things at work.”
But it doesn’t stop there – Shadow Tech 3.0 is already upon us and its name is Software as a 
Service (SaaS). I am a huge advocate of cloud computing and SaaS and I’ve written about this before. SaaS is so good (easy to use, cheap and easy to deploy) that your users will already by eyeing it/using it. Most SaaS tools require little more than a browser – your users are able to purchase their subscription and be up and running on the new application without IT ever knowing about it. This represents a serious threat to the organisation’s data as it is unlikely that the user will have checked that (e.g.) the data is being stored in the EEC.
The CIO’s job here is not to issue a diktat “Staff must not sign up to cloud based software tools.” rather we need to educate staff as to the risk and request that they run all such proposals past the ICT Governance Team so that they can do the due diligence/legwork around security. Sometimes there will be a genuine reason why a SaaS application should be blocked in the corporate world (e.g. DropBox *shudders*) – but usually this stuff is safe to use.
This is ICT adding value to the organisation and it’s a pointer towards ICT’s new role (the inexorable movement from the management of tin and wires to the management of data and risk).
So, be a door-opener not a gate-keeper because, guess what, Shadow Tech 4.0 will be along any day now…
Door-opener not gate-keeper
Richard Copley MSc, BSc, SMSITM (and CIO) 