Shadow IT: You, me and BYOD

Summary: BYOD and working in the shadows: A mandate for change or juvenile rebellion?


Did you ever know someone who just has to break the rules no matter how many times you warn him or threaten him? Did you also notice that he's the type of person who skips through life and work, often relatively undaunted, but his manager thinks he's the bomb? Sure, we all know the guy. A lot of people see him as a guru, as a quirky genius or even as a prima donna but we, his irritated coworkers, see him for what he is: A disruptive goon who makes life harder for us all.

That's the typical picture in your head when you hear the term, "Shadow IT" but that isn't always the case. Believe it or not, I could be talking about you.

There's a good chance that I am talking about you. But, there's an even better chance that I'm talking about you and a lot of people you know.

I've been there myself. I was once one of those renegade types who walked the fine line between acceptable limit testing and complete corporate IT anarchy. And unfortunately for me, there was always one of those do-gooder, dirtbag, tattletales* around who wanted to cozy up to the boss by exposing my innocent shenanigans.

An extra workstation

For example, back in 1995, when I worked at WorldCom (Yes, that WorldCom), I was the Lead Tech of a Desktop support team that supported several hundred Windows desktop computers. During my tenure in that position, I found myself in possession of an "extra" workstation on which I installed Linux. I set up the system from scratch, installed Slackware on it and used it for training and storage for support files for our group.

I gave our team members and helpdesk team members access to it so that they could all learn UNIX commands without using a production server. It was brilliant. Or so I thought.

I was told by my manager that we didn't need any Linux on our network and that it wasn't an approved operating system. Of course, I ignored that statement. I was also told by a guy who was viewed by most as some sort of a guru that I needed to get that system off the network because it wasn't approved. I also ignored that. They never did anything to me for having it except launch a little irritating dialogue every now and then in my direction.

My responses were centered around their shortsightedness and their lack of understanding of my need and my purpose for having it. To be frank, I didn't really care what they thought of it or me for having it. If I couldn't be fired for having it, then they needed to leave me alone about it.

During this time, I started the local Linux User's Group. I was also criticized for that by coworkers and by the head of the UNIX Special Interest Group (SIG) (That's what they used to call User Groups). He wanted our Linux folk to be part of the UNIX SIG. I said, "No." He was mad because we had more members than his group did. I think I might have also suggested that he visit the salad bar for all future meals. I digress.

About two years later, I, again, found myself in possession of a brand new Gateway workstation that I reimaged into a Red Hat server (4.0, I believe). Again, more rhetoric from the kingpin of my new group (Wintel Domain Administrators) about how we didn't need that system, blah, blah, blah. I think I might have suggested that he pay homage to my backside for his insolence.

What was particularly interesting about the Domain Admin group was that the entire group was a Shadow IT group built in part to snub the regular IT department. We ordered, imaged, deployed and managed our own separate domain. We operated outside the corporate rules. So, it was really a case of my team lead wanting to bully me for his own personal pleasure. He was never successful in making me give up my Red Hat system. In fact, I installed Samba on it, joined it to the domain and ignored his empty threats.

Experience and expertise

In the end, I was right. Linux is now an accepted operating system in the world's data centers. And, being a Shadow IT person, I gained experience and expertise that left the rest of those folks choking in the dust behind me.

My point is that operating in the "shadows" isn't necessarily bad. Often, the shadowy figures are the ones who make the real difference in an organization. However, instead of being praised for my ingenuity and resourcefulness, I was reprimanded. But, really, who cares? It's not like there's this great "ladder of success" that was being denied me for having a Linux system hidden behind my cubicle's desk drawers. And, insofar as the entire corporate mindset at WorldCom was concerned, my offenses were pretty minor. Especially compared to those who, you know, scuttled and destroyed the company.

The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.

--George Bernard Shaw

Perhaps I'm unreasonable but my opinion is that there should be no need to work in the shadows. BYOD is not really a new thing. It is now a newsworthy thing but not really new. Employees have always brought in their own technology. But, now, it seems to be more acceptable to do so. At least in some companies it is.

BYOD is about productivity

Frankly, I don't like working in the shadows. Bringing your own devices into a corporate network isn't a blatant disregard for security nor is it insubordination. It has to do with productivity. Employees feel more productive with their own devices. I've said that many times before. Employees are also more productive with operating systems with which they're familiar. Hence, the messing about with Linux, even though it wasn't the "corporate standard."

Standard Shmandard. Let me be productive. Let me be happy where I work. There's nothing wrong with employees who're happy in their jobs. There's nothing wrong with employees who feel empowered in their jobs. And, there's nothing wrong with employees who are more productive by using their own devices. I know it sounds crazy to think that an employer would want to hinder productivity but you'd be surprised to know that there are some who do.

Often, the unknown makes people afraid. The unfamiliar makes us uncomfortable. Linux made people nervous at WorldCom. It still makes some people a little edgy. The thought of an employee bringing his own device into the company network seems scary too. In some cases, it is. In most, it's not. You do have to have some rules. You have to have standards. But, remember there are always those, like me and you, who will work between the lines of the rules, who will walk the fine line between what's accepted and that which is unacceptable and those who make progress by being unreasonable.

*Not that I'm still angry about it or anything.


Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

  • Wow I can't believe you're actually trying to deny that your willful

    installation of linux on two servers at worldcom isn't precisely what cratered the company. Surely that you got away unscathed for your behavior was what led the higher ups to think that they could likewise break the rules. How many untold thousands of lost jobs and emptying of widows' retirement funds did that linux install lead to? Shame on you Ken. Repent.
    Johnny Vegas
    • I know...

      I singlehandedly brought down WorldCom. I'm surprised that I'm not sharing a cell with Bernie. I didn't really break the rules, I improvised. I always play by the rules.
      • you don't break the rules?

        you admitted that your manager said, take it off the network, that it wasn't an approved system and you ignored him. Sorry to break it to you, installing an un-approved system is breaking the rules, ignoring your manager would get you fired at my company.

        You felt like you knew more than anyone else, so you would do whatever you wanted to do. That is how companies have issues and get breached or more.
  • BYOD and me

    In your WorldCom story I'd say so long as the time used to install, configure, maintain, and play with Linux was not on company time then it would be fine. The problem in your account is that you used company time and materials, that is theft. For some reason you equate learning something, that has no relationship to the task you were hired to perform as beneficial to the company, that is ridiculous, it is an example of what is wrong in most work places today. The company that hires you is not doing that out of the goodness of their heart. A company is in business for one reason, money, and if you are not performing the duties you are hired to perform you are costing the company money. You took the job for one reason, money, any opportunity to do something other than that task allows you to make money by not doing something you are expected to, rather to do something you want to do.

    BYOD can be a great thing if people respect their employer, at the same time the employer must respect their employee in the form of compensation for the employee using their personal device to perform the duties expected of them.

    Employees need access to the corporate communication system be it email, messaging or VOIP but beyond that BYOD is primarily used by the employee to stay in contact with friends and family rather than perform duties as assigned. It is a distraction in most cases and has little to do with increasing productivity.
    • Well, that's certainly one opinion

      I didn't steal but that's an interesting take on it. They hired me for support and part of that support is to check out products that would make work better. I have another story at WorldCom related to my job that would make you cringe in the other direction.

      If smart employees only did their jobs, no real progress would be made. No promotions, etc. My purpose in doing the things I did was to provide extended and needed services to myself and my coworkers, to help foster learning and to do some projects outside of my standard work tasks. I'm not a robot. I don't follow a script. If you want creative, interested workers, you allow them to be fruitful and productive. If you want robots, hire robots. I hear that they're going for a very reasonable price these days. Innovation has to be worth something.
      • Those "Frontier Days" are over

        Large companies now have departments regulating interior IT security. A rogue server on the network would have corporate compliance breaking down our door with a fire axe in no time. While we could theoretically set up a laboratory network in our office that is isolated from the corporate network, today's reality is if we had the time to do that, then we have too much staff and someone is gonna get whacked.

        One thing I discovered in more than 25 years of IT... companies do not have an interest in developing skills that aren't in immediate need, and they are not inclined to spend resources on what they perceive as training for a job elsewhere. One place I worked as a contractor cut me loose when they decided to switch from Novell to Windows -- I was told "they have no intention of training me to support their environment; they don't even want to train their long-incumbent network engineer." Sure enough, the engineer was on the street a week later.

        Small, progressive, tech-centered companies might allow it, but large corporate behemoths...not so much.
        • "companies do not have an interest"

          And that's precisely why those companies do not do so well in the long run and get perceived as dinosaurs making product or providing services from yesteryear.
  • I disagree that it's newsworthy, even.

    "It is now a newsworthy thing but not really new. "

    Bah, it's really not. It's just one of those things that takes the front page because they know it will get controversy.
  • Funny thing is..

    Most who run Windows only think *nix is just an obscure, command-line driven OS. Everyone who owns a Mac has no idea they've been running a *nix fork for as long as Apple has made OSX. So in reality, sometimes neither side has a correct idea. In terms of getting the job at hand done with what you are comfortable using (BYOD) is a great idea, just not right now. I say this because of a few proven facts, in short, there are too many in this world that do not understand the concept of updates and security. Flame and its capabilities now made public should make everyone nervous about BYOD. The next infection may not be state sponsored now that the "cat's out of the bag" so to speak. So what's to say a serious infection is brought onto your network from a machine your IT department was not aware of because of BYOD. We are all aware that "Macs do not get infected" is a joke and Surprise, you are vulnerable after all. Hopefully in that scenario there is no sensitive data on your network.
    • What's so funny?

      So because someone *might* bring in the next black plague of the network we should cut off all non-approved devices and close every non-essential access point? There was a comment above about robots.... go hire some drones and then you don't have to worry about it any longer.

      Why not instead work to make policies and procedures to protect the network and the users. How hard can it be, really, to set up the securities required to prevent the wrong things from getting into or out-of the network regardless of the device?
      • My Way

        For several years I managed a support group in a high-tech company. They used a management by objectives evaluation system. So I assigned to each of my people an objective of using 10% of their time on a project of their choice with some potential value to the company. My various bosses bought into the concept as a valuable growth mechanism for both technical and business training for me and my people.
      • it is a lot more than that...

        People tend to forget that the problem isn't what gets through the network, but what gets on the network. In addition, even with encryption, mobile devices are a huge security issue. iPads and mobile devices especially need to be managed from a single point... many device owners don't want their company to remotely manage their device. Company email on a mobile device... device is lost... now the company has to depend on the device owner to remote wipe the device? This concept doesn't sit well with the big fish. Ok, so we introduce a product like Good so that we can remotely manage devices. Now, the user loses a device, they tell IT, and then IT wipes and locks the device from the server. Done.

        The fact of the matter is that we need to still have the ability to manage BYOD devices in order to keep company data secure. BYOD will never be for everyone.

        Remember, people always break the rules and hardly ever adhere to policy... this is an area that has to be centrally managed.
        • Really?

          Try "manage with some intelligence" then the requirement for a single point of contact goes away and stops bottlenecking the system. Everyone seems to think a network has to be this monolithic pipe connecting every device together. Not so. BYOD can be effectively managed and deployed if domains are used properly. As for "viruses" and "trojans", the single point of vulnerability there is us, the users, not the devices. Adobe Flash, WMP and many other multimedia apps that can run advertisements or scripts autonomously are 99% or more of the non-human engineered entry methods for malware. Human engineering, fooling the user, fills the gap. That's what IT needs to deal with when it comes to BYOD.
    • Easy man..

      I own a Mac and I know it's running UNIX. In fact, the primary reason I got a Mac is because it runs UNIX and that Apple has managed to convince software vendors to support that UNIX with their applications. I run everything on UNIX for the past 20+ years so nothing else is of interest to me.

      Your assumption, that Windows might offer any security (as compared to Mac and UNIX) is pathetic at best. It is the most insecure environment around.
      Windows computers are only secure when disconnected from the network and switched off. :)

      By the way, I don't believe BYOD is good idea in general. BYOD also has nothing to do with what is described in the article, and with shadow IT. Or with learning new skills.

      BYOD, as described in "bringing non Windows device to work" is the result of "IT staff" that lacks knowledge, being brainwashed by Microsoft and the need for the enterprise to get some work done, any way. Despite Windows.
      The mere fact that BYOD exists demonstrates that corporate IT is disconnected from the real world.
      • hit the nail on the head.

        "The mere fact that BYOD exists demonstrates that corporate IT is disconnected from the real world."

        EXACTLY. There are so many devices out there that are enterprise class now that there should be no reason to BYOD if your employer is listening. The company I work for does not allow BYOD for security purposes, however we will issue you any MID/smartphone you like as long as you get results.
      • Most of the "I gotta have this..." devices I have seen...

        Most of the "I gotta have this..." devices I have seen at my job are forgotten when the novelty wears off. They never needed them. Palm Pilots and Clie's (which I had BTW), iPaqs, the first smart phones, and the sales guys whining that they don't have BlackBerrys, have all come and gone. The basic Windows desktop and laptop infrastructure is what our software is designed for and that is where it runs. (We could have used Linux, but mixing Windows and Linux would be awkward in our environment.)

        I am curious how the current crop of smart phones and tablets will come into play. I just bought myself a Galaxy Note, and I can see how it could eclipse the laptop for some uses, (but our software doesn't run on Android either.) I love it because it is a Cell Phone AND a Tablet. If our software were ported to Android (or some other platform,) and a tablet had the cell phone integrated, it could replace some of the laptops in use.

        The biggest thing holding that back is the time and expense of porting and integrating new devices running a new OS. Time is Money, and getting BYODs working with the existing software and network takes lots of time. Without taking the time to implement AND secure it, it is a data breach waiting to happen.
    • inflammatory

      >>Flame and its capabilities now made public should make everyone nervous about BYOD.
      Get rid of the network/OS that is susceptible to malware. Here's one suggestion: use GNU/Linux
      @Sumbich, what a strange name of yours you put in the title of the comment :)
      • Idiot

        None of the third party apps my company uses would work with Linux.
  • Not BYOD

    At what point did you bring your own device? Never. You took corporate devices and installed YOOS (your own operating system) on them. Your article describes how short sighted they were and how you knew better.

    I was under the impression that the BYOD issue was all about employees being required to supply (bring) personal (their own) phones, tablets, laptops, etc (devices) to function at the beck and call of the company, instead of using company supplied devices.

    What part am I missing?
    • did he know better?

      since it was on the network and information could be stored there, how was the non-approved system encrypted? how were passwords and accounts monitored? how was access controlled?