Comment by Arcanum-XIII
8 days ago
My CTO is quite adamant that he hates shadow IT. Especially those with mac, full of... well software used by those artsy employees. Or with strange software not validated by the IT.
Well.
Other departments ask for equipment, but only hear no back. Management product like Monday? No. Dedicated solution for jobs they don't understand? Hell no!
It's tough to be part of this. I know security is hard. Budget limit stuff. But we can, and should do better.
My company is the same, but it's not necessarily about it being "hard." It's about not hiring the right people.
My company's IT department is Windows clickops people who hire other Windows clickops people. When something goes wrong that requires the command line, they spend five figures on a consultant to fix it. Ditto for the few dozen Linux machines in the company.
Some of our departments, including mine, run Macs. I can't count the number of times I've had someone from IT tell me "OK, now click 'Start'…" or whatever the Windows convention is these days.
All they'd have to do is hire one guy who knows the command line, and one guy who knows how to support Macs. There must be a hundred people in the IT department, but they keep hiring the same type of people over and over.
I wish it was unique to my company, but there was an identical situation where I worked a few years ago.
As someone who has worked in IT support: The problem is that people using that shadow IT will come running when they produce real tangible damage, because they lose data or some totally ridculous workflow stops working and you now have to reverse engineer some undocumented database format to extract at least the most urgent data. I am not a fan of IT GESTAPO, and everything should be measured, butbif I learned one thing it is that people will do the dumbest, riskiest shit if left tontheir own devices.
Also: if you work with certain customer data a good way to not only loose your job, but a ton of money would be to e.g. put that data into your shadow IT that might be running on some servers somewhere. E.g. people constantly asked us to use Zoom "because it is free and works", but we were in the public sector and a contract with them that guaruantueed the privacy of our clients would have costed a significant fraction of our yearly IT budget — and we are required by law to have such a contract.
When you then ask those people if they want to part with that money suddenly nobody is so adamant anymore.
This is true. I suspect that a lot of these massive breaches, was because some less-technical person loaded the customer data onto an unsecured AWS instance, while they were running measurements on it.
We wrote optimized C++ software.
We had all kinds of scary tech, like custom-compiled metrics software from Intel.
They insisted that all of our machines run their malwa- er, security software.
It would totally screw up our measurements.