IT folks all know the drill. Someone calls the Help Desk to report that some spreadsheet or program isn’t working. The Help Desk can’t solve the problem and escalates it. After much conversation, we realize that we have discovered another Shadow IT orphan. The creator of the complex spreadsheet or, worse, a VB6 program, is long gone. The users have been using it for years, not knowing it is a time bomb.

The expectations on IT at that point are to become the adopting parents. Sometimes we can get lucky and foist a spreadsheet off on Finance to have them try to figure it out, but that doesn’t work very often. But the programs? Sigh, those we have to deal with.


I know it is fashionable in many IT departments to fight against Shadow IT. “What do we do about the problem of Shadow IT?” The discussion centers on detecting and exposing Shadow IT in order to eradicate or control it.

These same people try to keep the tides from going in and out.

I agree it is a problem, a big one in some organizations. But it is not a problem we need to stamp out completely, like a disease. Rather, it is a symptom we need to understand. And it is an activity that we need to manage, not eradicate. In fact, it isn’t hard to turn it into a force for good in our organization.

According to Wikipedia, at the time of writing, Shadow IT refers to information systems that are built and deployed by departments other than the IT department because of shortcomings of the central information systems.

There is always a gap between how good of a job we think we are doing and what the organization perceives. The speed of IT will frustrate those that don’t have the top priority projects. This gap has been at every company I have worked for and heard about. The gap may be big or small, it may grow or shrink. Upper management may be concerned or not. But the gap is real and we will never eliminate it.

This gap provides a motive for Shadow IT.

The ever-changing technology world provides the means.

You can fight against it, or you can figure out how to make it beneficial to the company. Or at least remove much of the problems it can cause.

  1. Create a data repository focused on reporting and analysis that enables self-service for spreadsheets and other popular tools. Having a central set of validated data models will ensure that everyone is looking at the same data and measures. This makes sure that everyone is using the same definition for scrap, revenue, or other terms. When new reporting tools sneak in, at least they will go against common data models.
  2. Document the architecture and make it available to anyone that asks. This should not be a document that is just tossed at the requester through email and forgotten about. We know the areas that are likely to have Shadow IT. Be proactive about getting the architecture information into their heads with conversations, presentations, and other communications. This becomes the roadmap for doing Shadow IT the right way.
  3. Ensure the basic security model is available to anyone. Instructions on how to hook into Active Directory (or whatever) properly can go a long way to making sure that fewer security risks get added to the environment. If we can design it so they need a simple token or key to connect, and IT hands those tokens out without a lot of red tape and approvals, we enable basic security and we know who is developing these applications.

To be fair, you can still do all these things and still end up with orphans at your door. But at least the orphans will be well-behaved.

Leave a Reply

%d bloggers like this: