#ExplainIT – Shadow IT and tech debt

Harley: Welcome to episode two of ExplainIT. I’m here with the boss today, Steve Edwards, just a two-man show. Steve are how you going?

Steve: Yeah very well Harley, thanks mate.

Harley: A few takes for us to get to this point this morning, just to get started, but hey it’s Thursday, the new Friday in the COVID world.

Steve: Exactly

Harley: So last week we did a post for activIT systems, more talking about shadow IT and it’s dangers, and a little joke we made was that it’s a bit like a horror film titled ‘Shadow IT’, like ‘The technician from the dead’, but no it’s actually something completely different. So we’ll just start off just to talk to our viewers about what is shadow IT?

Steve: You’re pretty close on the money there, it sounds like it’s a horror story and it can be, but at the time from I suppose the end-user or the company perspective, it could be it sounds like a great idea. But effectively shadow IT is when the individual staff or departments within a company, they take IT decisions under their own wing and they start to run with them without actually consulting the IT department, or you know they outsource to IT provider. So a classic kind of example that we see is, people will be having trouble with sharing files amongst each other and what they’ll end up doing is go and sign up for a Dropbox account or a OneDrive for business account, and then all of a sudden you end up with all these we call them silos of data. So you have a little bit of data over here, a little bit over here, and none of that is cohesive anymore within the general IT environment.

The second kind of factor that comes out of that is now you’ve got this little bit of data here, a bit here this, one over here is no longer secure because someone has just gone and set it up and they haven’t taken in anything else into consideration, so things like your IT or your cyber security. The staff within the company are looking for a quick fix, maybe IT is busy or needs to run through a process to get to that stage. So we quite often see things like Dropbox or OneDrive for Business etc set up very very quickly, but incorrectly. At the time it’s a great idea, for those staff that are doing it they think they’re saving money and getting things done fast, but what happens is that leads to other problems down the track which are a lot harder to deal with from our IT perspective.

So that’s it in a nutshell – end-users taking the IT into their own hands and they’ve got the best intentions, but long term it doesn’t work out the best for the client.

Harley: Absolutely and we obviously we find ourselves in situations sometimes in business, where you know we get busy and IT can’t jump in. And you think that doing something yourself, a lot of businesses have this perception that doing something themselves can be the better option, but as you said it accumulates, creates problems. So what dangers what happens to these end users if they do shadow IT, let’s say for years and years even if they’re unaware of it, and what happens when the individuals do their own thing rather than look at the organisation?

Steve: Some of things that we see quite often is because it’s easy for people to sign up to cloud services, they tend to do it kind of like on a trial basis? You know it’s let’s sign up for this particular service, see what it’s like. Then they find that it’s quite good for their business, but word doesn’t get back you know up the chain as such, either to their management or the company managers or owners, and quite often doesn’t come back to the IT team either. So all of a sudden you’ve kind of got these rogue applications out there which hold confidential data, you know you might be in breach of a compliance issue, a privacy issue. The end user or the staff member has the best intentions, but it’s not in line with the overall kind of IT strategy. We will quite often be asked the question “are you backing up all of my data?” I’m like yeah absolutely, you know we’re backing up servers, backing up your emails etc and no problems. But then if you’ve got this pocket of data here which twelve months ago was set up by someone in the company and they’re using it on a day-to-day basis, they’re inviting their work colleagues in but IT doesn’t know about it, we can’t protect that information because we don’t know that it’s there effectively. That scenario doesn’t happen too often, but when it does happen, that’s when you’ve got these big implications. So how do you go and safeguard that information, how do you make sure it’s secure, how do you make sure it’s backed up, what do you need to do to make it a cohesive environment again, and you can get into what we call tech debt or technical debt from that as well, which is a whole other kettle of fish, but that’s where it can kind of start in many cases. You’ve got a little bit of info here, bit of info there, different people controlling it, and it starts to kind of cascade and become bigger than Ben Hurr.

Harley: And you mention that term tech debt. That’s something I say most businesses, ninety-nine percent of businesses wouldn’t know that means. So what’s a tech debt, and by having tech debt, what does that mean for a business?

Steve: Yeah so basically the underlying – to make it really simple, it’s hanging on to old technology and not keeping it up-to-date at the core of it. Those type of things can occur because management doesn’t want to upgrade technology, and they might be getting bad advice from the IT department or from the IT provider. If you’ve got a bit of a mentality of “if it ain’t broke don’t fix it” that’s generally where it kind of comes from. We’ve got I suppose, as we go out into the market and have a look at prospective clients, we see a lot of tech debt in a lot of places and to the point where they’ve been hanging on to this old technology because it’s been working okay, but in order to get those clients into the current decade, there’s a lot of work that needs to get done. As a bit of an anecdote, we had a client where they came on board about twelve months ago, they were sitting with this very very old technology. The process to get them upgraded from their technology into the new, you know, into 2020 – had they started that process two years ago it would have been so much easier, but two years later the upgrade path is gone. We have to do an intermediary step to get them, so basically we have to do an upgrade project twice. Whereas if they did it before, you know it’d be a lot easier. So a lot of it is “ if it ain’t broke don’t fix it” mentality which can cause a lot of problems, some kind of old-school thinking that goes behind it, but really it’s when you’re hanging on to this legacy type of equipment, software systems etc, and it becomes a mission and a half to get rid of it and upgraded into the current decade.

Harley: Yeah and you know that sort of cost that you get from not making those moves. Do you find it becomes exponential the longer you leave it, both in time and in resource?

Steve: Yeah absolutely. So I suppose a classic example is where you see folks or companies where they’re running this old gear and it could be things like bunky old Windows 7 computers, or really really old servers. All of their staff are really struggling to actually get things done in the modern kind of workplace, to the point where their productivity is diminished. Management may not actually see this because it’s very hard to quantify productivity easily across many people, but you’ve got people running old computers, running old systems, their Word documents aren’t compatible with the newest version of Word for example. It starts to cause a lot of problems, people work slower. So not only do you have I suppose that the business productivity cost of people forced to do things slower, or find workarounds to do it, which can also lead back to shadow IT as we’re talking about before. The process to get that all upgraded is no longer piecemeal. If you’re replacing 10 computers a year out of a fleet of you know 100 it’ll take you 10 years, but if you did you know 30 machines a year or 50, you’ve got a bit more of a cycle going on. It becomes easier to make those changes and keep up with the times the more kind of momentum that you have behind it. So technical debt, we will sometimes find a client that is so far behind they have to overhaul everything. There is no method to neatly upgrade them. And all of a sudden what would otherwise maybe be a $2,000 project, you’re looking at $20,000, $30,000, $50,000 because everything needs to be redone, you almost have to start from scratch. And you have to do it in a way that keeps them running whilst you’re doing it, and it becomes a very very complex scenario from that. My advice would be upgrade frequently, small bits at a time, and try keep up to date.

Harley: That’s quite harrowing if you’re picking up a bill for that, when you really could have just taken an earlier action to fix it.

Steve: Yeah that’s exactly right.

Harley: One thing that’s come out in the COVID era Steve, is phishing attacks and a lot of cybersecurity concerns. Does this building of tech debt and shadow IT open the door to these hackers?

Steve: Yes spot on, because if you have a lot of these legacy systems in place, so things like Windows 7 is no longer supported by Microsoft, really as of the start of this year you’ve got a lot of server environments no longer supported, they’re not getting security patches you know, you’re kind of sitting there quite vulnerable running a lot of these things. Actually, so I think Windows 7 was even before then with end of support. It’s kind of like running a car, and if you don’t get the car serviced and maintained, you know you replace the tires or the brakes etc, the cost to fix it later is going to be a lot greater. When we’re looking at IT from the usability perspective, and the cyber security perspective, having those frequent intermittent you know little upgrades. Maybe once every six months you do something small which has large impact. There is a hard to quantify benefit but it is definitely there, where if you’ve got staff running on very old systems and you start to upgrade some of those, those staff can be more productive straight away because they’re running on faster computers, they’ve got easier systems to work with. So the benefits compound themselves very very quickly. The cost to replace everything at once is sometimes a big mountain, it’s astronomical you know, but swapping out a little bit here every three to six months or 12 months, bitesize little pieces makes it a lot easier. I’d definitely recommend that that’s the way to do it, and also you’re lowering your cybersecurity risk at the same time.

Harley: You will have some businesses that will be listening to this or hearing about shadow IT through what we’re putting through our social media and thinking “right, I’m interested to know if I’ve got tech debt or if there’s shadow IT existing in my business” or if they do know, the main thing all these businesses will be wondering is what can I do? So in kind of a methodical way of looking at it Steve, what would you recommend to both businesses to start the journey of eliminating shadow IT and becoming more centralised?

Steve: Yes, shadow IT is I suppose the easiest one to implement, because all you really need is, it’s a bit boring, you need one policy document which basically says that no one in the company is authorised to sign up for new cloud services or you know purchase new software etc without first getting approval from management or running it past the IT department. It costs like next to nix to have a policy like that, then you send it out to the team, then all of a sudden they understand ‘okay, well I can’t do this because it has these wider implications,’ and it’s very very straightforward. So we’ve got this policy document available and ready to go, it doesn’t cost anything, an hour or two of someone’s time to sit there and run through it with them, and then basically a client then has this kind of set of rules for their staff – that they can’t go rogue and sign up for things without first having it basically vetted by IT or management. So that’s the easiest way to deal with shadow IT.

On a tech debt side of things, it’s kind of policy, but also a bit of mindset. So businesses have to keep up with the times, after this coronavirus situation a lot of businesses are pivoting and readjusting to the ‘new normal,’ all those types of things. But effectively they’ve got to go and try and keep up to date with what their competitors are doing; you’ve got to be ahead of the game in many aspects. An easy way to do that is you can you can basically lease equipment, so if it’s laptops, you need new laptops, you can lease them, you can rent them, you can go out and buy them for example. You’re gonna have inherent benefits from that, from productivity of your staff, but if you implement that into like a very boring ‘asset lifecycle policy’ or sometimes a ‘hardware refresh policy’ (sorry I’m doing lots of air quotes today), then at least you’ve got the rules behind the scenes, so management can go “okay well this computer’s three years old or four years old, doesn’t have any warranty anymore, should we bother persisting with this or should we look to replace it?”.

So they’re very very simple things to do, most of our clients are following that kind of path you know, two, two and a half years for a laptop, have a look at getting a new one. It may or may not be justified at that stage, but the question gets asked. Desktops last a little bit longer, but generally it’s a pretty good way to run things, because at bare minimum you’re having a review of what you do have in the fleet of equipment, and you can spot it. We had had one client that were hanging on to this laptop, for I think it was for nine years. It was like “guys you need to have a look at replacing this, it’s running really slow” and they go “well how? I only got this like the other year?” like no no no no, you bought this in 2011 and they’re like “are you serious?”.

So that was the first one to go you know, that was replaced and that user is now so much more productive.

Harley: Yeah absolutely, I bet you that a few businesses would hear that and kind of do the “uh oh”. A lot of businesses have the old computer stuck in the corner there, and you know, it could be a little danger to them. Just to cap off, as a service, as an IT provider activIT systems – how do they approach it when you go and come in to help a business that says “hey can you have a look” and you realise tech debts an issue. What’s your sort of approach?

Steve: So everything has to be done on a case-by-case basis. Where we have a specific look at first is what’s the core infrastructure here? Some businesses, they run purely in the cloud, some of them still have a lot of on-premise servers and infrastructure and things like that. So the clients which have a lot of things in-house and on-premise, we have to determine what are the critical elements within this IT environment that if it fails it’s going to have big impact? So a classic example is we would come across an old server sitting in a cupboard somewhere, or a server cabinet that is five years old, doesn’t have a warranty anymore, and it’s got a failed hard drive in it because the former IT provider is not keeping an eye on basic things like that. So that’s the first thing we go and we say to the client “look, we’ve identified this problem” even before they come on board with us. “We identified this problem, this is something that is going to need to be addressed pretty quickly, because it will shut down your business if it has a problem”. We quite often come across things like that which shouldn’t really be left by any IT provider, but the longer you leave it, it costs more to get it replaced and the urgency goes up to get it done. So having like this hardware refresh kind of policy in place, or not policy but guideline as such, just makes life a bit easier, and easier to make decisions for the business managers and owners.

Harley: Yeah and this is obviously something that I think everyone will have to have a look back at their businesses, see what little pockets of data have popped up and make sure everything centralised and sorted.

Steve: That’s right.

Harley: Thanks for your time today Steve, that’s another episode of ExplainIT down covering shadow IT today. If you have any questions, please feel free to get in touch activIT systems, the contact form is on their website at aitsys.com.au. Thanks everyone.

Steve: Thanks mate, cheers.