The term "shadow IT" has become a bugbear for IT organizations in recent years, an unknown that brings to mind security vulnerabilities or even suggests IT's creeping irrelevance to the business. But CBS Interactive CIO Steve Comstock says that's the wrong way to think of shadow IT. Instead, he says, IT should view shadow IT as an opportunity to understand the business and how to be an actual partner that understands the business's needs.
"I used to call it dark IT," Comstock says as he opens his keynote presentation at Interop New York. "It was basically the scary monster under my infrastructure, the data going somewhere that we didn't know about, the software being deployed that wasn't being managed."
"The press was saying it's the final nail in IT's coffin," he adds.
But shadow IT is not a new phenomenon, he says. In the late 1990s, he says, employees were using email filters to forward their company email to webmail accounts and departments were asking summer interns to set up departmental servers without IT's knowledge that hosted everything from important company documents to pirated music, videos and Internet cat pictures -- but no backups.
"When things went wrong, what did they do? They called us," he says.
A few years later, he says, it was rogue wireless routers connected to the corporate network without corporate knowledge -- no encryption, no authentication, just a clear and easy path onto the corporate network.
Shadow IT in a Different Light
The newest form of shadow IT is different, Comstock says. All an employee needs is the ability to use a credit card and to click a service agreement without reading it.
"You can build out any IT service or SaaS service," he says. "I can do this from my home, from my mobile device, and no one is going to know."
That might seem scary, but employees in the business are turning to these alternatives to solve very specific business problems. And they can do so without having to deal with lengthy review processes that inhibit their agility and flexibility.
[Related: How to Bring Shadow IT Under Control]
"The old form of shadow IT gave me so much heartburn, but this doesn't bother me," Comstock says. "I see it as an opportunity to help transform us with the business."
To explain, Comstock refers to his first meeting with a line-of-business manager. After asking about the problems the business was struggling with, he received a stream of jargon that he couldn't decipher. He didn't speak the language of the business.
"We didn't know how to talk to the business," he says. "No one told us how. We were given a mantra with no instructions."
[Related: 6 Tips to Help CIOs Manage Shadow IT]
But shadow IT provides a lens into the world of the business.
Lessons From Shadow IT
"I see shadow IT as my Rosetta Stone," Comstock says, referring to the Egyptian stele that gave nineteenth century scholars the key to understanding ancient Egyptian hieroglyphics. "It can help me figure out what they're trying to achieve."
"If we don't understand the business, we don't actually add much value," he adds.
Essentially, he says, when IT discovers shadow IT, they have two choices: They can come in "hot" and tell the perpetrators they've violated policy, or they can ask those who deployed the shadow IT how it helps them improve the business.
The former approach, Comstock says, lets business partners know that IT is watching them and teaches them they need to hide their future deployments better. The latter approach leads to real discussion between IT and the business.
"We can now use our rock star IT skills to help them refine their process," he says. "And you might find that they'll introduce you to another business partner."
"It's still our job to secure our data," he adds. "But how we interact with our customers is our choice. IT without culture is just IT. We need to choose what that culture of IT is going to be. Many people outside of 'us' see us as a culture of fear, a culture of no. This culture gets us nowhere. We need to change this culture."