During his keynote at HP Discover, Chris Anderson, chief editor of Wired Magazine, described the choice he had when getting into the office. Either he could plug into the corporate network and receive excellent service for a limited number of applications, or he could tap into the internet, getting access to everything he wanted, but with lower service guarantees. He told the audience that on the same day he received a message from internal IT that his mailbox size would be reduced to 1GB, he got one from Google telling him his Gmail box was increased to 10GB.
In these short examples he described clearly the traction of “shadow-IT” and the current issue IT departments are faced with. One word of wisdom from him: “If IT wants to tackle shadow-IT, IT better be competitive”.
The traditional approach taken by many IT departments is different though. They tend to cut down on access to external services, use tools that isolate access to the corporate intranet from the content of notebooks, make it difficult to import work developed off-line into the intranet, etc.
Is that the solution to limit shadow-IT? I don’t believe so. Actually this brought back to me the motto of the May 68 Paris student revolution, which had a lasting impact on the evolution of mentalities in Europe. One of the student leaders, Daniel Cohn-Bendit, today a well-known EU parliament member, and others told the crowd: “It is forbidden to forbid” (Il est interdit d’interdire).
Trying to kill the use of Shadow-IT by cutting access to services is in my mind a lost battle. New services keep becoming available and users are increasingly sophisticated, finding ways around your barriers. So it’s not worth spending any time or energy on such fights. Shadow-IT should be recognized as a fact of life. But then, what should we do?
I would focus on two things: education and service improvement. Make users understand what the implications are of the use of shadow-IT and become competitive as far as the services you deliver. Let’s look at both in a little more detail.
Frankly some services are harmless while others may put the company in danger from an information disclosure or compliance perspective for example. What is important is to make the users understand the implications of what they are doing. Actually I’m all in favor of a better education on the use of the internet at all levels. When you see what some youngsters share on the internet, you understand education is a must.
Focus on a couple of key topics:
- First describe what the internet & cloud are all about and how free applications typically fund themselves.
- Make sure they see the difference between a genuine application and a hoax.
- Explain to them how data is actually handled and how hackers can get access to it.
- Then review the enterprise information and highlight what data is critical for the company. Point out the potential damage if it were made public. Describe not only the measurable implications but also the loss of reputation, the damage to the brand etc.
- Having said that, discuss with them which service they use, how they use it, what they share etc. so you gain a good understanding of what is at stake and they realize the potential implications of their current actions.
It’s good to hold such discussions on a regular basis so people are reminded. Make sure you have somebody available if questions arise in the interim period. I believe IT can play an important role in this education and the associated risk prevention. I’ve actually seen a couple of CISOs (Chief Information Security Officers) pick this task up, combining awareness sessions with poster campaigns and short videos to drive the point home.
A second benefit of such an approach is that it starts the dialogue between the users and IT. They are able to tell IT why they are using these tools. If IT listens carefully it will see what needs to be done to bring the usage back home. Communication is of the essence. Why not develop an internal marketing campaign to make users sensitive to potential risks related to the uncontrolled use of external services? But make sure they do not see it as a way for IT to regain control, but rather as helping protect the enterprise.
The other day I was talking to a CIO who explained to me that his users were exporting most of their messages to Gmail because the search engine was much better than the one of the version of Exchange they used (2003).
Now, that’s not difficult. Rather than trying to stop access to Gmail, isn’t it easier to improve the search capabilities of the internal mail system? In this particular case it could be done by upgrading to a newer version of Outlook. The search engine of Outlook 2010 is actually quite good. Or there are external tools (e.g. Xobni) that have a good search capability and complement Outlook.
It’s a simple pattern: users are looking for extra functionality, it cannot be found internally, so they go outside, potentially exposing the enterprise. Understanding the requirements in the first place and addressing them may solve the problem once and for all. Remember Chris Anderson: IT better be competitive.
Many users, and I have to admit, myself included, use Dropbox, Filemail and other public services to share large files as there is a limit on the size of files you can send with the corporate e-mail system. Why not set up an easy-to-use file-sharing system internally? And I could go on like this.
Shadow-IT often has to do with collaboration & productivity improvements in the day-to-day job. Occasionally more advanced users are looking at compute capabilities to run sophisticated models and call upon IaaS services to do that, but that’s a small minority.
So, through education sessions such as the ones described above, through surveys or direct conversations, gain a good understanding of what the users are looking for and why they are going outside. Don’t start an argument, but listen. Often there are perception issues, lack of knowledge of existing internal tools etc. resulting in going outside. What does this mean? How can it be addressed?
Once you know what is required, look at your current offering and how it can be improved to address the expressed needs. Realize you are in catch-up mode, so make it even better if you can. It will help you get the users back.
Then communicate widely about the new service, and include it on the first page of the enterprise internal portal. You may want to ask marketing for help to run a true campaign so the users notice the tool exists, but more importantly, they realize that IT is listening to them and has a different attitude. And that is key. It will drive them to ask your advice on the next area they are struggling with, making it easier for you to collect the needs and address them.
The first step is always the hardest.
So, if you have two things to remember from this post, I would suggest you remember that it’s forbidden to forbid, and IT better be competitive. Listen, deliver, communicate.