Can the opposing camps regarding Shadow IT be reconciled through changes in organisational culture?
- shaun9968
- 16 hours ago
- 13 min read
This paper by Richard Henson takes a historical view of the development of Shadow IT in organisations, and
looks at the roots of the contradictory arguments of “Shadow IT good; Shadow IT bad”. It
then explores organisational culture as one of four types (the Cameron & Quinn
model) and suggests a possible role for tweaking the culture in order to reconcile these
two apparently opposing realities.
What is Shadow IT?
One simple definition of Shadow IT could be “the use of unauthorised software for
organisational purposes”. In the early days of computerised systems this was not an
issue, because software was only written for large systems, and only large organisations
could afford either the hardware or the software to run on them.
However, the invention and proliferation of what were then called microcomputers
made it possible for software to be written and sold at wholesale prices. The use of
microcomputers and what became known as end-user computing became acceptable
to organisations in the late 1980s. This was very much against the wishes of IT
managers, and very much because of demand by computer-literate employees named
“cocky novices” by experienced practitioners (Yourdon, 1990). Worse still, IT managers
were no longer in control of which software was used in an organisation. If they argued,
they were called dinosaurs. Dark days for some, which probably gave rise to the term
“Shadow IT”. Much more recently, IBM defined it as
“... any software, hardware or information technology (IT) resource used on an
enterprise network without the IT department’s approval, knowledge or oversight.”
(IBM, 2022, p1.)
IT Managers, Senior Management and Shadow IT
In 1990, acknowledging the changing role of IT within organisations, the British
Computer Society suggested a new type of employee: The Hybrid Manager (BCS, 1990).
Such a person understood computing and understood organisations. The thinking
behind this was for IT Managers to get a place on the board. Although the term did not
catch on, the principles underlying the need for such people gradually became
accepted in large organisations. Now, such organisations employ individuals to
carefully manage all aspects of the software used within their organisations.
The coming of networks, email, the Internet, and the world wide web made the role of
the IT Manager even more crucial, because all employees needed to use those facilities.
By the end of the next decade, it was almost a case of déjà vu with innovations such as
the cloud, smartphones and mobile apps. Employees had, and used, their own devices
again, placing fresh demands on IT Managers to exercise control over software use. Once
again, Shadow IT became a major issue for organisations.
Throughout the quiet revolution to a “hybrid” IT Manager in large organisations, smaller
organisations (SMEs) failed to properly recognise the urgency of getting use of IT under
control, through boardroom involvement. The issue of Shadow IT second time round
was a much greater issue for them. The matter came to a head with the concept of BYOD
(Bring Your Own Device), which encouraged employees to bring their mobiles to work,
without considering the consequences for IT management. Organisational
management liked BYOD because it encouraged higher productivity, and employees
could work anywhere and even be contacted at home. Shadow IT was seen as a matter
for IT management to sort out. Each organisation, being unique, sorted it out in its own
way. In 2018, Samsung funded a survey of mobile phone use in organisations
(Samsung, 2018), which showed that BYOD had not been as successful for
organisations as had been hoped.
There are still two distinct camps regarding Shadow IT:
1. It is a security hazard (i.e. bad)
2. It encourages employee innovation (i.e. good)
There is plenty of evidence in favour of both sides of the argument, depending on the
perspective of the observer (Silic, Silic & Oblakovic, 2016). So, is there a
“middle way” that would reduce the security hazard effect, whilst not stifling employee
innovation?
How much Shadow IT is happening today?
The matter was first brought back into the public gaze by a study on BBC employees in
2010. Some felt that the BBC was a particularly creative organisation, and that such a
study was not representative. However, the percentage of employees prepared to go against IT
policy was indeed disturbing. A much tighter definition of Shadow IT is necessary so the
researcher can clearly ascertain whether a specific employee activity is Shadow IT, or
whether it isn’t. Various researchers have subsequently tried to ascertain the degree to
which employees are prepared to violate organisational rules to use their own software
to fulfil organisational goals.
A simple series of questions for employees to complete anonymously may partly
provide an answer, but the responses must be weighed against the organisational rules
for use of software. As each organisation has its own rules about approved software,
an activity may be seen as Shadow IT in one organisation but not in another. Some may,
for example, turn a blind eye to use of Shadow IT on personal mobiles, as part of a BYOD
policy.
It should be possible to use these two processes to gather scores that give meaningful
data about the extent to which Shadow IT is happening in a particular organisation.
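The two processes just described (an anonymous questionnaire and the organisation's own rules about approved software) can be combined into a simple score. The following is an added example, not part of the original paper, and everything in it is constructed: the organisation names, the approved-software lists, the BYOD setting and the survey answers are invented for illustration. It shows the point made above, that the same reported activity is Shadow IT in one organisation and not in another, and it lists the unapproved tools most often reported, which is the information an IT manager would want for a conversation with employees.

```python
"""Score anonymous survey responses against each organisation's own
software rules to estimate how much Shadow IT is happening.

Constructed example: organisations, rules and survey answers are invented."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class OrgRules:
    """One organisation's rules: the approved software list, and whether
    unapproved apps on a personal mobile are tolerated under BYOD."""
    name: str
    approved: frozenset
    byod_blind_eye: bool = False


@dataclass(frozen=True)
class Response:
    """One anonymous answer: software used for a work task, and whether
    it was used on the employee's personal mobile."""
    software: str
    on_personal_mobile: bool = False


def is_shadow_it(resp, rules):
    """Classify a single reported activity under this organisation's rules."""
    if resp.software.lower() in rules.approved:
        return False                      # approved software is never Shadow IT
    if resp.on_personal_mobile and rules.byod_blind_eye:
        return False                      # tolerated under the BYOD policy
    return True                           # unapproved software used for work


def shadow_it_score(responses, rules):
    """Return (number flagged, share of responses flagged) for one organisation."""
    flagged = [r for r in responses if is_shadow_it(r, rules)]
    share = len(flagged) / len(responses) if responses else 0.0
    return len(flagged), round(share, 2)


def most_reported_unapproved(responses, rules):
    """Unapproved tools in descending order of how often employees report them."""
    counts = Counter(r.software.lower() for r in responses if is_shadow_it(r, rules))
    return counts.most_common()


# Constructed survey: the same six answers scored against two different rule sets.
SURVEY = [
    Response("Slack"),
    Response("WhatsApp", on_personal_mobile=True),
    Response("Dropbox"),
    Response("Excel"),
    Response("Notion", on_personal_mobile=True),
    Response("Teams"),
]

ORG_A = OrgRules("Org A (relaxed BYOD)", frozenset({"excel", "teams", "slack"}), byod_blind_eye=True)
ORG_B = OrgRules("Org B (strict)", frozenset({"excel", "teams"}))

if __name__ == "__main__":
    for org in (ORG_A, ORG_B):
        n, share = shadow_it_score(SURVEY, org)
        print(f"{org.name}: {n} of {len(SURVEY)} responses are Shadow IT ({share:.0%})")
        print("  most reported unapproved tools:", most_reported_unapproved(SURVEY, org))
```

Running it shows one in six responses counted as Shadow IT under the relaxed rules and four in six under the strict rules, even though the employees' behaviour is identical; the score is a property of the rules as much as of the employees.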
Why is Shadow IT considered bad?
It is accepted by large organisations that they (should!) have a policy of only using
software that has gone through a senior management process of agreeing to purchase
licenses. The most obvious reason is that software installed on organisational
computers is illegal if a license for use has not been paid for. There is also a general
acceptance that updates to such software occur regularly and will need to be
downloaded within 14 days of release by the software producer. This will often be an
automated process controlled by the IT manager.
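The 14-day rule above is something an IT manager can check mechanically once there is an inventory of what is installed and a list of vendors' latest releases. The following is an added example, not from the paper: the inventory, release dates and the 14-day window are constructed values, and the version comparison is a plain string match. It classifies each installed item as current, pending (a newer release exists but the 14-day window has not yet elapsed), overdue (the window has elapsed), or unknown (nothing in the release list, which is itself a hint that the software was installed outside the approval process).

```python
"""Flag installed software that has missed the 14-day update window.

Constructed example: hosts, software names, versions and dates are invented."""
from dataclasses import dataclass
from datetime import date, timedelta

UPDATE_WINDOW = timedelta(days=14)   # policy value taken from the text above


@dataclass(frozen=True)
class Installed:
    host: str
    software: str
    version: str


@dataclass(frozen=True)
class Release:
    software: str
    version: str
    released: date


def classify(item, latest, today):
    """Return (status, days_overdue) for one installed item.

    latest maps software name -> most recent Release known to the IT manager."""
    rel = latest.get(item.software)
    if rel is None:
        return "unknown", 0               # not on the approved list at all
    if item.version == rel.version:
        return "current", 0
    deadline = rel.released + UPDATE_WINDOW
    if today <= deadline:
        return "pending", 0               # newer release exists, still inside the window
    return "overdue", (today - deadline).days


def update_report(inventory, releases, today):
    """Classify every installed item; returns a list of (host, software, status, days_overdue)."""
    latest = {r.software: r for r in releases}
    return [(i.host, i.software, *classify(i, latest, today)) for i in inventory]


def overdue_hosts(inventory, releases, today):
    """Hosts with at least one overdue item, most days overdue first."""
    worst = {}
    for host, _, status, days in update_report(inventory, releases, today):
        if status == "overdue":
            worst[host] = max(worst.get(host, 0), days)
    return sorted(worst.items(), key=lambda kv: -kv[1])


# Constructed inventory and vendor release list.
TODAY = date(2024, 6, 30)
RELEASES = [
    Release("browser", "2.0", date(2024, 6, 1)),    # 29 days ago: window passed
    Release("office", "5.1", date(2024, 6, 25)),    # 5 days ago: still inside window
    Release("pdfviewer", "3.2", date(2024, 5, 1)),  # 60 days ago
]
INVENTORY = [
    Installed("host1", "browser", "1.9"),
    Installed("host1", "office", "5.0"),
    Installed("host2", "browser", "2.0"),
    Installed("host2", "pdfviewer", "3.0"),
    Installed("host2", "notetaker", "1.0"),          # not on the release list
]

if __name__ == "__main__":
    for row in update_report(INVENTORY, RELEASES, TODAY):
        print(row)
    print("hosts needing attention:", overdue_hosts(INVENTORY, RELEASES, TODAY))
```

The "unknown" class is deliberately separate from "overdue": an item the IT manager has no release information for cannot be judged against the 14-day rule at all, and is exactly the kind of thing the survey process earlier in the paper is meant to surface.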
In smaller organisations without expensive hybrid management, there may be a
tendency to carry on using off the shelf software running on laptops using departmental
budgets. The lot of the IT Manager in such organisations was not a happy one!
Employees are generally not aware of the security aspects associated with the use of
any software and therefore do not see the downside... that software installed without
approval breaks the rules and may even be illegal, and that any out-of-date software is
open to cyber-attack. Shadow IT may (should?) also be a matter for discipline because
(despite the arguably noble cause) it requires flouting the organisational rules.
However, it is the cyber security angle that is most worrying to IT Managers and
therefore worrying to Senior Management.
Why is Shadow IT considered good?
Employees do get frustrated with the organisation’s authorised software, and for a
variety of reasons may find a way to use their own software without management
noticing what they are doing. They do this because they may not hold IT management staff
in high regard as regards choice of software, but also because they perceive their own choice as better for
themselves in the job they have been asked to do, and better for the organisation
because they get their job done quicker. Plenty of research has been done in this area
(Silic, Silic & Oblakovic, 2016; Entrust, 2019).
“Culture” in an organisational sense
I’ve heard “How we do things round here” as a working definition of organisational
culture, and it’ll do as a starting point. Each organisation is unique, so it is to be
expected that there will be a wide range of interpretations of “how we do things round
here”. A more formal way to define culture is as the unspoken rules of an organisation.
“Fitting in” depends at least partly on how well an individual can understand and come
to terms with (i.e. accept) these rules. Organisational culture affects many aspects of
organisational activity, including employee performance. It is therefore considered to be
an important factor in overall productivity.
One influential study from the 1980s (Quinn & Rohrbaugh, 1981) suggested a competing
values framework, including three value dimensions. The model was refined (Cameron,
1988) using just two dimensions to deliver four identifiable types of organisational
culture: clan, adhocracy, market, hierarchy. This became known as Cameron and
Quinn’s Competing Values Framework (CVF). The researchers had a firm methodology
for choosing two specific polarities for categorising each of internal/external orientation
and degree of internal control, when describing an organisation's cultural typology.
These are:
• organisational focus (degree of flexibility v controlling behaviour)
• organisational behaviour (internal focus v external orientation)
Taking high and low for the extreme ends of these scales of measurement creates a
model with four distinctive types of organisational culture. Cameron and Quinn
used previous research labelling of clan, adhocracy, market, and hierarchy as the four
extremes. Typical features of the internal/external focus extremes are:
- Clan “Do things TOGETHER”
(internally focused, collaboration, sharing ideas, like a family, teamwork etc.)
Dress quite casual. Open office workspace. Flexible hours, giving individual
freedom but employees accountable. Mentoring not managing... not “orders”
- Adhocracy “Do things FIRST”
(externally focused, and flexible). Dress very casual. Flexible working hours.
Creation oriented. Users do what they please as long as its legal. Prominence...
be the best! Innovative but chaotic. Motivated by being at the cutting edge. Stay
ahead (of competition). Multidimensional communication. V. little
micromanagement. Self-driven individual. (e.g. Apple)
Features of the Controlling/flexible behaviour extremes:
- Market “Do things FAST”
(externally focussed but more concerned with constitution and control)
Objective/goal-oriented. Deadlines/targets/getting things done. Top-down
communication/info flow. Competition
- Hierarchy “Do things RIGHT”
(internally focussed but one information flow (top down)). Business casual. More
strict business code. Strict hours, and for breaks, time off. Decision-making
completely top-down. Offices private, cubicles etc. Formal work relationships,
micromanagement. Rigid control of IT users? Confusing for a new employee who
considers themselves smart with IT and is used to working on their own
initiative. (e.g. govt, local govt, public sector, etc.)
What Type of Organisational Culture does your organisation have?
It is useful for an organisation to know what their current culture looks like to an
outsider. Whilst Cameron and Quinn developed the model, others developed methods
for utilising it. It is accepted that, in practice, components of all four types may well be
present at once in an organisation, so it was considered essential to develop a scale to
differentiate between organisations.
An Organizational Culture Inventory (OCI) was subsequently developed (Cooke &
Lafferty, 1989) to enable an organisation to be more formally categorised as
predominantly one of the four CVF types. OCI has been used successfully to categorise
organisations for a variety of purposes and would be a suitable tool for the purposes of
this research. In 2005, the final complete model was published (
Software and Individuals
People used software relatively little in their everyday lives before the world wide web
allowed home desktop computers to download software, often free of charge. They also
downloaded malware in all sorts of ways, but that’s another story.
Nowadays, most people have mobile phones, which are themselves powerful
computers, and smartphone operating systems support a bewildering array of apps
(applications software). People are often unaware that apps should only be used if they
are on a “tried and tested” list, but they download, install and use such apps
successfully in their everyday life. Many of these people will also be employees.
Employees often use apps effectively on their mobiles outside work and wish to
continue using these to complete their work tasks. This practice has accelerated since
the concept of BYOD (Bring Your Own Device) was suggested as a way to improve
employee satisfaction and productivity in organisations.
Choice of Software by Organisations
Applications software has been constantly evolving from the first computers through to the
present day. The consequences of such evolution became the subject of scrutiny as
long ago as the 1970s (Lehman, 1997). In those early days, software was almost entirely
bespoke. However, as the author pointed out, for any such evolution to be successful,
the software released needed also to be appropriate for tomorrow. Nowadays, although
most organisations use “off the shelf” platforms and applications that same principle
looks to be a sound one. Software can rapidly become out of date!
There is another dimension that Lehman didn’t anticipate – vulnerability of software to
hackers. Not only does software need to be future-looking in terms of functionality, it
also needs to strive to be vulnerability free.
The only way these two factors can be supported is through careful choice and very
regular update of software. In order to keep their software as vulnerability free as
possible, it is standard practice for an IT Manager to decide which applications are used
to serve the business, and for other applications to be kept well away from the
organisation’s digital systems.
How much Shadow IT is happening?
The other focus of the study is how much Shadow IT is happening in a given
organisation. How can Shadow IT be measured if it is illegal and therefore hidden?
What constitutes an action of Shadow IT? People generally don’t go against the code
without high motivation to do so. They choose to do the job in radical ways (i.e. without
management permission) to get the job done faster.
It may be that an organisation embraces a full BYOD culture, in which case very little
Shadow IT will be taking place. There will, however, be consequences in terms of risk
management because individual employees will be more open to cyber-attacks.
On the other hand, if an organisation has a strict policy about BYOD not being allowed at
all, or only allowed using strictly controlled organisational devices, there may be a
much higher incidence of Shadow IT on employees’ own devices. Individual
employees will be much less likely to experience cyber-attacks using organisational
devices, but they (and by implication their organisation) will be very much at risk if they
do work-related activities on personal devices.
How can Organisations reduce Shadow IT and sustain employee enthusiasm?
The author(s) are of the opinion that Shadow IT is caused mainly by good people getting
frustrated by what they see as obstacles in the path of “getting things done” and finding
workarounds that may take them outside the company code. What is at fault here, the
employee or the organisational code? Probably neither... in theory it should be possible
to negotiate a “happy place” somewhere between the two.
One way to reduce “Shadow IT” behaviour is to have stronger sanctions on employees
getting caught. This is most likely to be associated with the “Hierarchy” culture. Such
organisations may be seen as “risk averse” and this would also apply to cyber security.
An opposite approach to Shadow IT is, in practice at least, to ignore it, allowing
employees to use IT as they think fit in order to do their job successfully. If they are
getting results, that’s good, and that’s what is important to management. The security
risk may be played down. An Adhocracy culture is more entrepreneurial in outlook and
likely to tolerate a higher degree of risk.
Neither of these cultures will change user behaviour. The hierarchy employee may get
even more frustrated and even more devious. The adhocracy employee getting results
keeps using Shadow IT to the hilt without any management intervention causing cyber
security problems. They are likely to be extremely surprised when they personally get
hacked, and their organisation is equally perplexed that this could happen to them. The
organisation may well try to pin blame on the IT manager. Not a satisfactory way to run a
digital business from either standpoint.
Which cultural approach is most effective to maintain cyber security?
It goes without saying that most organisations are not full-blown hierarchies or full-
blown adhocracies, so the situation is not as bad as this worst-case scenario. However,
there are problems for both types, which could be solved through the more enlightened
management approach seen in the outward facing “market” culture and collegiate
“clan” culture. The principle of flexibility in choice of organisational software, as
suggested by Lehman right at the start of the world-wide-web revolution (Lehman,
1997), still holds good.
Organisations are already aware of cyber security issues, and practical measures have
been taken over many years in all organisations to promote safe and secure IT use. Most
significantly, most now have an IT Usage policy (“dos and don’ts” when using
organisational IT), and compliance with this policy is often a condition of employment. At
face value, this requires employees to use the software provided and use it in an
approved way in order to fulfil their work tasks. Of course, the trend towards BYOD has
complicated this. Given that many employees, particularly younger employees, are
familiar with the use of apps that an experienced IT manager may not be familiar with,
and are reluctant to stop using them, just having a policy that covers official
organisational IT is insufficient.
Aspects of the other two types of culture, such as “what software are our competitors
using” (market) and “how can we work together better” (clan), would provide scope for IT
managers to discuss software choice directly with employees. It may be that an
employee-preferred solution would cost more, or it may actually cost less, but at least
there would be employee-IT Manager dialogue on the matter, and a negotiated and
informed best choice could be put to senior management.
Conclusion
Organisations often see IT as a drain on their financial affairs and wish to keep
overheads to a minimum. Senior Managers therefore may take decisions based on
factors that may be too simplistic. This may be perpetuated by an organisational culture
that may be counter-productive to the organisation’s future prospects.
Senior Managers are not necessarily IT experts. Nevertheless, they should wish to be
wise in their choice of software, and efficient in their processes for choosing the
software that is approved to be used within their organisation. These processes should
be transparent and provide focus on such matters as training for the software, how
effectively the software helps the employee to achieve their objectives, and how
expensive it would be for the IT manager to manage the secure use of that software. This
may require a shift in organisational culture that acknowledges IT expertise of
employees on the one hand, and the need for organisational control of security on the
other.
This is a speculative paper, and a great deal more research needs to be done. However,
organisational culture research is now mature. Once an organisation has good evidence
as to how much Shadow IT is going on in organisations resembling its own, and realises
that this issue is more complex than perceived at first sight, it is to be hoped that it
will consider adjusting its culture accordingly to give employees more power over
the choice of organisational software whilst providing more scope for training so that
software can be used in a cyber-secure way.
References
BCS (1990), “From potential to reality: 'hybrids' - a critical force in the application of
information technology in the 1990s”, BCS, Swindon, UK. ASIN: B001AB3JBK
Cameron, K. S. (1988), “The Conceptual Foundation of Organisational Culture”.
Cameron, K. S., & Quinn, R. E. (2005), “Diagnosing and Changing Organizational
Culture: Based on the Competing Values Framework”. ASIN: B00OL3UR0U
Cooke, R. A., & Lafferty, J. C. (1989), “Organizational culture inventory”. Plymouth, MI:
Human Synergistics.
Entrust (2019), “Shadow IT Report Reveals Evolution on Risk and Opportunity”,
and-opportunity
IBM (2022), “What is Shadow IT”, https://www.ibm.com/think/topics/shadow-it
Lehman (1997), “Laws of Software Evolution revisited”, https://www.rose-
08/Handouts/LawsOfSoftwareEvolutionRevisited.pdf
Quinn, R. E., & Rohrbaugh, J. (1981), “A Competing Values Approach to
Organizational Effectiveness”. Public Productivity Review, vol. 5, no. 2, pp. 122–
40. JSTOR, https://doi.org/10.2307/3380029.
Samsung (2018), “Are the Days of BYOD Over? Exploring the Value of Employer
Provided Phones in the Next Mobile Economy”, https://news.samsung.com/us/days-
byod-exploring-value-employer-provided-phones-next-mobile-economy/
Silic, M., Silic, D., & Oblakovic, G. (2016), “Influence of Shadow IT on Innovation in
Organizations”. Complex Systems Informatics and Modeling Quarterly, 8, 68-