The Chronicle of a ColdFusion Expatriate

Shadow IT Is the Canary in the Coal Mine

June 13, 2015

In the early 20th century, long before “information technology” was a phrase anyone had heard of, coal miners brought canaries into the mines with them. The birds, being warm-blooded and more sensitive than humans to most environmental effects, would become ill from carbon monoxide or other toxic gases found in the mine long before the miners would, giving the miners a chance to escape or take protective action.

Such “animal sentinels” saved many lives by acting as an early warning system for dangerous conditions that the humans could not sense themselves (carbon monoxide in particular being entirely without scent), and the phrase “canary in the coal mine” came to be used as a general term for something that provides a signal of danger.

“Shadow IT” is a term used to describe systems put in place within organizations without explicit organizational approval. A very simple example would be some team deciding to use their personal Google Docs accounts to track project data in spreadsheets rather than Microsoft Office documents on an internal file share. Shadow IT is generally perceived as a security or privacy risk because the organization doesn’t have the access and auditing controls built into approved solutions.

Nevertheless, Shadow IT is a sign of danger. It’s an indication that approved solutions don’t meet all of an organization’s needs. It should be treated not strictly as a departure from the acceptable path, but as a strong signal that existing solutions are inadequate.

For example, collaboration tools tend to be adopted as “shadow IT” resources because so many free SaaS solutions exist and it’s fall-down easy to sign up for and start using them. When your organization already has an internal, approved, secure collaboration solution, why would a team start using some “freemium” external tool? Are they trying to sabotage the organization’s success?

Hopefully they are not, but “Why would employees use a tool with less integration?” is the correct question for the IT department to be asking. IT departments should be treating other departments within the company as clients and constantly re-evaluating whether they are providing the tools necessary for those other teams to be as productive as possible.

Here are a few specific questions that an IT department should consider asking:

  1. What feature or features does this external tool have that existing internal solutions do not?
  2. What is the cost basis of these external alternatives; would a hosted solution be more or less expensive than existing internal solutions, taking into account maintenance and operational costs?
  3. When the approved internal solution was put in place, were alternatives evaluated and were key participants polled for their feedback?

Essentially, “shadow IT” can be a source of innovation and advancement within an organization’s IT infrastructure, but only if it is welcomed as a proof of concept and used to start productive conversation among separate teams to discover what their motivations are and how the organization can provide approved solutions that make everyone more productive.

After all is said and done, an approved solution is almost always preferable to some third-party solution. With the full force of the organization’s support structure brought to bear on it, the integration with other tools, reliability and availability, and adoption across teams will be superior. What IT leaders need to understand is that the approved solution is not automatically the superior one.

As another gratuitous example, just because your company uses Lotus Notes doesn’t mean it’s automatically the best e-mail client or collaboration platform. It will likely be the most broadly adopted, but I guarantee there will be employees wishing they had Microsoft Exchange or Google Apps instead.

Effective IT departments structure themselves as service organizations and internalize instances of “shadow IT” as oversights to be remedied.