[usrbinbash]

I can find bad examples of how things work in basically every department I chose if I look long enough. Are there IT-Managed things that border on insanity? Oh yes. Are these a good excuse to build a shadow IT? No, they are not.

Don't get me wrong: I'm not bothered at all when a couple analysts get together and hack away at their own little tools in VBA. Kudos to them for getting into the spirit of things, and maybe they will understand my day to day better as a result.

What does bother me, is when these analysts suddenly expect my systems architecture to somehow accomodate their private projects in whatever capacity. When I ask for documentation (there isn't any), an architectural overview (nope), or even access to the repo for that abomination (access to a what now?).

Because, why shouldn't their spreadsheet inject data into my processing pipeline? Why shouldn't I write a controller that accomodates whatever tidbits of REST they bothered to watch half a youtube video about? When suddenly I get asked this in a meeting: "What do you mean we need authentication? Why does IT always have to make things so complicated?!?".

So yeah, please, people should absolutely build their VBA, lowcode or whatever tools. I do the same thing, the only difference is, I call them shellscripts, and they live in git repo.

But same as I don't let my CLI tools lose on the production server, I won't let it happen with things that have never even been through one code review.

[7thaccount]

Shadow IT exists for a reason and that's the dysfunctional bureaucracy of IT.

The "Circle of IT" is real. Small companies start out nimble, but then stuff gets crazy and someone decides to standardize it all under one department. This works for awhile, but eventually this organization becomes so useless that it can't serve any functions of the business anymore, so a shadow IT group is built that the business SMEs love as they just "get stuff done". This works for several years, but the executives in IT hate this "rogue" group as it is a constant reminder of their incompetence. Eventually they re-absorb this group and crush them with beauracracy until it all starts again.

[FuriouslyAdrift]

The "bureaucracy of IT" is driven by legal, compliance, and security reasons. The reason why small companies are "nimble" is they are flying by the seat of their pants and one investigation/ransomware/insider threat away from ruin.

Not saying that isn't normal (been there, done that... thanks FINRA), but that's the reason.

[jimbokun]

Yep.

The core data should sit behind some kind of service that enforces legal, compliance, and security policies.

Then tools that access the data in a compliant way should be given a lot of flexibility for what tech stacks they use to process the data.

[usrbinbash]

> the dysfunctional bureaucracy of IT

I am not here to talk about management-bureaucracy, of which IT depts; same as all other branches one can find in established corporate culture, have more than enough.

I am talking about the perceived "bureaucracy" of us tech guys here, aka. following established procedures to ensure smooth running of mission critical systems.

Yes, I want things to run through code reviews. Why? Because these things go to a production system that our customers (and thus the companies income) depend on. Yes, I want authentication standards. Why? Because there are a gazillion cryptolockers, and worse, out there, who would love nothing more than to run rampant on a nice and juicy production database.

[dalyons]

Do you have a customer focus? Are you trying to unblock people as fast as possible to solve their legitimate business need? Or are you using these as excuses to effectively say no to anything anyone proposes?

If yes to the first, you’re a unicorn in an ocean of IT departments that do nothing but block.

[rockooooo]

When I started work at a higher-level IT job where I can start saying yes or no like this, I wanted to say yes to everyone and never be that guy blocking people. I still end up saying no very frequently because people will not want to think about anything not relevant to their specific use case at all (how are you authenticating/who controls the app/what happens when you/the owner leave?/is there a project plan?).

I can't count the number of integrations/projects I've already dropped because I asked a few follow-up questions and never got a response. Any business that actually wants to follow the law and reduce the risk of massive data loss or other embarrassing cyber event needs to screen things, ask questions, and sometimes prevent one very smart person from setting up an undocumented rube goldberg machine that will drag down an entire team if they leave and it breaks.

[usrbinbash]

> Do you have a customer focus?

Indeed I have a customer focus.

My customers are the people and businesses who rely on the fact that the production servers run smoothly. And I serve their legitimate business needs, among other things, by not allowing some gung-ho hacked-together unvetted magic spreadsheet to kill runtime performance by performing a blocking query with deep joins that forces the DB server into running a full scan over 10E9's of records.

Again, as I said elsewhere, I have nothing against non-IT departments building their own private software. I do the same. But as soon as this software wants to touch the prod-server, or any other part of the infrastructure I am responsible for, it is my job to ensure they meet the same standards as everything else in the stack.

And yes, saying "No." when it is appropriate, is part of that job.

[dalyons]

The real answer is "ok, that is a bad idea for XYZ reasons, what problem are you trying to solve? is there another way we can help you solve for it? Maybe a cheap replica would work for you?"

And look, i have nothing to go off but the justifications and choice of words in your replies. But in my experience this attitude of "high priest protecting the gates of production from barbarians(company staff)" is strongly correlated with obstructionist IT departments that everyone resents and tries to work around, and chokes the company. Resulting in the creation of the shadow IT mentioned in many other replies - because IT doesnt serve the customer needs of the employees. You might not care , or see that as your job, but thats exactly the problem that so many threads on this post are discussing.

[usrbinbash]

> The real answer is "ok, that is a bad idea for XYZ reasons, what problem are you trying to solve?

That's the answer that I give immediately after the "No."

Look, I get what you are saying. I am not trying to keep people away from the capabilities they need to improve how the whole show works. The problem is, what people in my business "guard" are often complex, critical systems, which themselves don't always meet the standards that their "guardians" would like to implement (just ask about legacy software :D). We have to say "No." and we have to enforce standards and procedures.

Because there are a lot of really clever people around in tech, and clever people love to tinker. And that's wonderful! That's the entire spirit that got me into this biz! Take a problem, and build a solution.

But things have to work. And they have to work tomorrow, and 2 years from now. And they have to be safe, they have to be compliant with a gazillion regulations, they have to pass audits. They have to be patched, they have to be maintained. And all that still needs to happen even after the guy who built them leaves the company. And they have to work for many many many people who are not tinkerers, who just want to click a button on their phones, and rightfully expect the whole shebang behind that button to "just work".

That's why there have to be people who say "No." from time to time.

If that happens indiscriminately, and without a care about why these clever people tinker up their solutions, then that's not good, I fully agree.

[jampekka]

What bothers me as practically 100% shadow IT worker (to the point of buying my own devices and internet connections with my own money) is that IT-departments don't care about the users, usability or productivity almost at all (and security people are especially bad at this). And that a lot of IT people frankly don't understand IT very much.

Without shadowing it, I couldn't get anything done. I have to install new (open source) software or packages more or less every day, but IT would expect me to wait for a week for some bureaucracy for each package. IT fights me getting a computer with a specific GPU although it is required to use a library that I need. IT forces a reboot of my laptop in a middle of a conference presentation. IT blocks me from sending Python source code files over email. IT makes my computer boot to take ten minutes. IT forces me to use OneDrive that often simply doesn't work.

Maybe the abomination is not the private projects? Maybe it's the systems architecture?

[2devnull]

And the software that is installed is always 4+ years out of date. But oddly there are no “security concerns” about running 4 year old conda install that has had zero updates ever.

[jampekka]

I don't think it's often even about actual security concerns as such but rather about following "best practices" (i.e. what some company sells) so nobody in the org can be blamed when the security fails.

This happens in physical security as well. It's rather common to have door accesses set up so that a person may not have access to go through a door, but can access both sides of the door from other routes. But there was a door-based access policy so nobody is to blame.

Sadly the main concern in many/most organizations is to avoid getting blamed for bad things, so rather than actually trying to prevent bad things, a lot of effort is used to just dissipate the responsibility away.

[zztop44]

I’m loving this thread. I feel like Hunter S Thompson reading the gonzo review: “okay, that’s what I do. Shadow IT.”

[Qem]

> IT forces me to use OneDrive that often simply doesn't work.

Also happens to me. OneDrive sucks. It can't even generate proper zip files. Any zip files over 2GB or so I download from it shows as corrupted when I try to extract under linux. IIRC is because OneDrive puts some invalid flags in the files.

[jampekka]

Oftentimes the download just is left short. And I recall it not even giving error, just sending a part of the file, which of course is a corrupted archive.

OneDrive sucks and organizational structures that buy OneDrive sucks and the company that produces it really sucks.

[f1shy]

If IT people would only understand they are giving a service for the rest of the company… and not the way around.

[usrbinbash]

> they are giving a service for the rest of the company

That is very true. And part of that service is to ensure that things run smoothly, securely and according to industry standards.

How well would an IT guy provide that service if he were to let some unvetted, undocumented script hacked together by someone who isn't a professional software engineer, run its merry way across the production database?

[pillefitz]

Don't give access to a DB, the same way you wouldn't give access to any other external system. Instead you ask what is needed and provide a restricted REST API.

You come off as condescending and remind me of why I (ex dev who joined our business department) dislike our IT so much and do my best to encourage shadow IT where I can, while keeping sane best practices around CI/CD, security and testing.

I'm so fed up seeing working Excel solutions cobbled together over 2 weeks, that served business well over years with 0 incidents, get replaced by shitty cloud apps that cost millions to build.

[usrbinbash]

> Instead you ask what is needed and provide a restricted REST API.

Happy to. Problem is, that API has to be built, and tested, and vetted, and maintained, and who's going to do all that work? Because I know a lot of software devs, and none of them lack for tasks.

[kbelder]

If it needs to happen, and your team can't do it, somebody else needs to. Your best bet then is to give them the access to do it properly instead of forcing them to hack it together.

[ropable]

I, on the other hand, am tired of being called in to investigate why the janky Excel macro written four years ago by an ex-employee doesn't work for all the external stakeholders this manager just sent the spreadsheet to, only to find that the hardcoded database and local admin user creds in the VBA script are now leaked and in the clear.

A lot of people pushing shadow IT "solutions" wildly overestimate their own ability, while maintaining garbage-tier information security standards. That doesn't sound like you, but it's the far more common situation those of us in "IT" are forced to protect the wider organisation against.

[FredPret]

God forbid code gets written to solve a business problem rather than conform to a spec sheet right?

Businesses - and jobs - only exist to solve economic problems in the real world. Everything else, including traditional accounting, IT, legal, and HR functions are just there to make the real work easier, not harder.

[jampekka]

From security people's perspective things would be smooth if all computers would be plugged off and their batteries removed. Oftentimes it's not that far from that solution.

[ethbr1]

> or even access to the repo for that abomination (access to a what now?).

Did someone give the analysts access to a repo?

Because I'd hazard ~80% of the companies I've seen don't allow "non-development" users access to the corporate version control system.

[usrbinbash]

I'd be happy to put up a repo for them, if they ask. Problem is, they often don't.

And not to make too big a deal out of it, but using github, gitlab or anything along these lines, is mostly free, not exactly rocket science, and private repos exist.

[ethbr1]

> I'd be happy to put up a repo for them, if they ask. Problem is, they often don't.

No doubt. But that requires them knowing you exist, and what to ask you for.

The companies I've seen do this well (1) make it self-serve (anyone can click a link, without knowing who to reach out to) & (2) remove as many dumb organizational roadblocks as possible (e.g. company-wide repo visibility and search, no job role filtering to who can use tools, etc).

> but using github, gitlab or anything along these lines, is mostly free, not exactly rocket science, and private repos exist.

Putting internal files on an external third-party service under a personal account?

It solves the technical issue, but it creates some security/data issues.

[hooverd]

> The VCS docs were on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.

[dzolob]

You make very good points, but I think you miss the mark on shutting down intent.

You wouldn’t ignore an excel produced by a competent ceo or cfo (those that know all the shortcuts), so why, instead of helping ppl refactor and release their work properly, you gaslight them as incompetent just because they are not IT?

[gwervc]

> When I ask for documentation (there isn't any), an architectural overview (nope)

As if any of those were present in the average web project lol. I complained about those points in sprint review this morning, and this is a big project made by IT companies.

[sancarn]

To be fair, as an SME, I do have documentation and an architectural overview. In my experience when I have provided these, they have been ignored anyway. I do not have access to git, because why would IT give me something useful? I think many users would use git purely as a VCS if they had access, but nope...

It shouldn't be a spreadsheet. The IT departments should democratise the tools which devs use, so even end-users can use modern tools for the job at hand. Then popping a user-made tool into your processing pipeline would be fair enough, and code can be collaboratively maintained. In the end, just as IT wouldn't want SMEs making changes without their knowledge, SMEs wouldn't want IT changing their core system without their knowledge either.

In my opinion, the more people who know and understand the core systems, the better.

Edit: for what it's worth, I do use github (https://github.com/sancarn/stdVBA), but you won't see nearly any versions of any corporate codebases, why? Git doesn't work great with VBA spreadsheets at all. I'm not going through a 10 step process to upload the updated file to the github repo every time I update a macro in a spreadsheet. This is why on-board git is important.

[jimbokun]

Security is the non-negotiable.

If they want to play with whatever tech tools to get their job done, have at it. They can ask for help when they really need it.

But if they are taking short cuts with the security of the data, that needs to be cracked down on immediately, as they are putting the entire company in jeopardy.

[jampekka]

If security is non-negotiable, the only solution is to destroy the data so that it can't be ever recovered by anybody. Or even better not having any data in the first place.

Securing some data is very important. Some data indeed shouldn't exist in the first place. But for a lot of data it matters very little. Most security breaches have rather mild consequences.

Treating all data as megatopsecret and all security breaches as end of the company produces not only unproductive systems, but bad security.

[jimbokun]

Well, I work for a company that processes Private Health Information, so a breach is a potential existential threat.

[jampekka]

Breach to private health information that can be linked to an individual more exactly? Is this kind of information all around the organization's computers?

[rainonmoon]

Something that seems often forgotten in these discussions is that it's not just putting the entire company in jeopardy, but the customers, clients, and vendors as well. Security seems to be some magical obstructive force to these people because any concerns besides their own convenience are purely abstract. Well, ask anyone who's had their identity stolen from the hundreds of breaches in the last couple of years if that concern is abstract. Staff who can't see past their own desk to understand the role of security are a serious danger to society.