00:00:07 Shadow IT and its implications.
00:00:34 The concept of shadow IT in modern companies.
00:02:30 The prevalence of shadow IT in various departments.
00:04:42 Reasons for the emergence of shadow IT in organizations.
00:07:09 Management’s awareness of shadow IT and potential consequences.
00:09:33 Pros and cons of shadow IT, including efficiency and data security risks.
00:11:17 Impacts of shadow IT on data security and real-life examples.
00:13:15 Management perspectives on preventing shadow IT and possible solutions.
00:15:25 The persistence of shadow IT and driving forces behind it.
00:16:42 Encouraging enthusiasm while managing shadow IT direction.
00:17:01 Staying clear of massive blunders and security risks.
In an interview with Kieran Chandler, Joannes Vermorel, founder of Lokad, discusses shadow IT, a phenomenon where employees use unauthorized technology to address gaps in company systems. Vermorel argues that companies should acknowledge shadow IT’s inevitability and manage it effectively. He advises against eliminating shadow IT, as it could demotivate staff and hinder innovative solutions. Instead, organizations should encourage employees to disclose shadow IT initiatives for proper management and oversight. Vermorel emphasizes the importance of maintaining security and avoiding significant errors, such as exposing sensitive customer data. By accepting and supervising shadow IT, companies can prevent major mistakes, ensure security, and foster innovation and problem-solving among employees.
In this interview, Kieran Chandler and Joannes Vermorel, the founder of Lokad, discuss the concept of shadow IT, its prevalence in businesses, and the challenges it presents. Shadow IT refers to IT systems that are installed without explicit approval from management, often as a result of employees attempting to work more efficiently. These systems can be difficult to maintain and may pose a threat to data security.
Vermorel explains that modern companies are extremely complex, and while enterprise software like ERP and CRM systems are also complex, they do not encompass all the intricacies of a business. This leads to operational gaps where existing systems do not meet employees’ needs, or when rapidly evolving technology outpaces a company’s IT department. Consequently, parallel systems, known as shadow IT, emerge to fill these gaps.
Interestingly, shadow IT is not always deployed without management approval. Vermorel shares his experience with supply chain management, where he has seen managers roll out their own shadow systems. In these cases, shadow IT is managed by non-IT department personnel.
Shadow IT is not exclusive to supply chain management; it can be found in various departments, such as marketing and finance. However, supply chain is a prime candidate for shadow IT due to its complex nature, which requires dealing with numerous real-world contingencies. For example, companies may face unexpected situations like flooded warehouses, unusual minimum order quantities (MOQ) from suppliers, or industry-specific compatibility issues, which are not easily accommodated by standard systems.
Typically, shadow IT systems are a collection of Excel spreadsheets and Microsoft Access databases used to address these unique scenarios. They emerge when employees encounter problems that cannot be resolved using existing systems or when there is a need to keep track of information that is not easily managed within the current setup.
They discuss the presence of shadow IT in companies and its implications for efficiency and data management. They explore the reasons behind the persistence of shadow IT and its impact on businesses.
Vermorel explains that one reason for the prevalence of shadow IT is the complexity of reality, which makes it challenging for IT departments to keep up with the needs of their staff. Companies invest a significant amount of money in IT, but often find that their enterprise resource planning (ERP) systems are inadequate to capture the full extent of their needs. This leads to employees resorting to “shadow IT” or unofficial systems and processes to fill in the gaps.
The management of these companies may not always be aware of the existence of shadow IT, as employees often keep their workarounds secret due to corporate policies. Vermorel shares an anecdote about a supply chain director who had set up his own Access database to store information about suppliers. This database was against corporate policy, but the director found it useful and kept it to himself. Further down the line, another employee also set up a similar database without the knowledge of their boss. This led to a situation where shadow IT existed at multiple levels of management within the company.
Chandler questions whether shadow IT is necessarily a problem, given that it seems to make employees more efficient. Vermorel responds that shadow IT can be a double-edged sword. On one hand, its existence implies that employees care about their job and want to improve their performance. On the other hand,
They discuss the issue of “shadow IT,” which refers to employees using unapproved software tools to create their own solutions when the existing tools do not meet their needs. Vermorel believes that shadow IT is a sign of commitment, imagination, and drive among employees, but he also acknowledges the problems it can create.
Shadow IT can lead to duplicated work, difficulty in scaling and maintaining solutions, and data security concerns. Vermorel likens it to a technical and organizational debt that needs to be repaid by integrating these ad hoc systems into the mainstream IT infrastructure.
Data security is a significant concern in shadow IT, as employees may store sensitive information on their personal devices or use informal methods to consolidate data. Vermorel cites a recent example of a UK bank experiencing a data leak because an employee stored millions of customer records on their personal hard drive. He argues that if such practices become widespread, data breaches become inevitable.
Vermorel suggests that companies can mitigate the risks of shadow IT by adopting programmatic solutions that offer a balance between the need for customization and the need for control. Lokad, for example, is a programmatic platform that allows supply chain practitioners to write custom scripts to create reports and logic while remaining within a controlled environment. This approach allows employees to address their specific needs without resorting to unapproved tools.
Other companies, such as SAP and Oracle, offer similar programmatic capabilities. By embracing these platforms, organizations can provide employees with a way to meet their unique needs while maintaining control over data security and software maintenance. This can help prevent the growth of shadow IT and its associated risks.
Vermorel advises against pursuing a witch-hunt to eliminate shadow IT, as this may lead to demotivating staff and potentially depriving the organization of the benefits that may arise from employees’ enthusiasm and innovative solutions. He suggests that organizations should encourage employees to bring shadow IT initiatives to light, allowing the organization to keep an eye on them and manage them effectively.
One of the key aspects Vermorel emphasizes is the importance of maintaining security and avoiding significant mistakes, such as leaving sensitive customer data unencrypted on an employee’s laptop. In order to achieve this, he suggests that organizations should allow shadow IT initiatives to exist under the condition that they are supervised by the organization’s IT department. This would enable companies to prevent major errors and maintain control over their internal technological environment while still fostering innovation and problem-solving from employees.
Joannes Vermorel recommends that organizations should accept the inevitability of shadow IT and focus on managing it effectively. By acknowledging its existence and providing oversight, companies can prevent major mistakes, maintain security, and benefit from the creativity and problem-solving skills of their employees.
Kieran Chandler: Today, we’re going to understand exactly why these systems are installed and also understand what management can do in order to prevent them from becoming a threat to their organization. So, Joannes, perhaps you should tell us a little bit more about exactly what Shadow IT is.
Joannes Vermorel: Yes, modern companies are staggeringly complex, and although I would say enterprise software is equally complex, like those ERPs and CRMs, they don’t encompass all the fine print of the business. So, you frequently end up with the main computer system that does a lot of things but not everything. Thus, people face operational gaps where the existing system does not do what they need. Sometimes technology has been evolving very fast, and new needs emerge, such as with smartphones. Suddenly everyone wants to have mobile access to everything, so IT within the company is not always able to keep up with all the things that should be delivered. As a result, you end up with parallel systems that are not exactly completely planned for and are nicknamed Shadow IT.
Also, from my supply chain experience, what is interesting is that Shadow IT, which may be the mainstream definition, is not necessarily something that is only deployed without management approval. I’ve seen many companies where it’s the supply chain management who has rolled out their own shadow system. Typically, Shadow IT is opposed to what is deployed by the IT department, and sometimes it’s very much in the hands of the management, except that it’s not the IT director.
Kieran Chandler: So these are basically systems that people are creating in order to have a workaround and work a bit more efficiently, but by creating their own systems. Is this just a supply chain issue, or is this something that’s seen around the business as a whole?
Joannes Vermorel: I think there is a bit of Shadow IT in every department, like in controlling and marketing, depending on how extensive the CRM setup is. But I suspect that the supply chain is a prime candidate for Shadow IT. The reality is that the real world is surprisingly complex, and supply chain is all about dealing with the completely accidental contingencies of the real world. We have clients facing bizarre situations, such as flooded warehouses. Do you have a checkbox to say my warehouse is flooded in the system? Maybe not. You can have a bizarre MOQ from a supplier that is expressed as meters of fabric per color, for example. Or maybe your MOQ is just in units or inches but not in meters of fabric. In aerospace, you have those bizarre one-way compatibilities, which are very specific and don’t really fit into any system.
So, you have all those things, and because the real world has an endless stream of oddities, people end up building Shadow IT systems, which usually is a way to describe a forest of Excel sheets and maybe a few Microsoft Access databases in the middle.
Kieran Chandler: Okay, so that’s how these problems actually start then, because we’re entering scenarios where they can’t actually fix them with their current systems. Is that how it would come about?
Joannes Vermorel: Yes, plus sometimes it’s just a very mundane need to keep track of stuff. For example, how do I keep track of the fact that I have 500 suppliers with MOQs expressed in meters?
Kieran Chandler: So, Joannes, can you tell us where you record the fabric numbers for your business?
Joannes Vermorel: I need to record 500 numbers of fabric. I will create an Excel sheet to contain them. It’s mundane, but I need to put this data somewhere so that I can retrieve it later when I need it. I need this information when I am passing an order to one of my suppliers.
Kieran Chandler: It seems strange that something so simple would be overlooked in companies with large IT departments. What are your thoughts on this?
Joannes Vermorel: Yes, it is surprising. There is so much money invested in IT by companies, and it is so important. However, IT departments are often behind the needs of businesses. The reality of complexity is often overlooked. Software is supposed to reflect reality, but it is difficult. Many clients we have, have an ERP with several thousand tables, but only half of what they need. The need also keeps changing, making it difficult.
Kieran Chandler: That does seem complex. What about companies like ACP, who try to capture the complexity of all industries combined?
Joannes Vermorel: Even with decades of super heavy investment from the IT industry, the reality is that there are still endless gaps that need to be filled in. Shadow IT remains omnipresent.
Kieran Chandler: Are the management aware of these workarounds, or is it a secret going on under the surface?
Joannes Vermorel: I remember discussing this with a supply chain director a few years back. He had information about suppliers that did not exist in any other system. When I asked him where the data came from, he showed me his own Access database. He had set it up cleverly, but it was against corporate policy. He kept it for himself. Later on, we found out that there were suppliers who were not covered in his database, but we still had the information. When we asked the person who was working under this director, he said he had set up his own Access database, and his boss didn’t know about it. There was shadow IT within shadow IT. It was funny to realize how pervasive and recursive it was.
Kieran Chandler: It seems like a duplication of work, but is it a problem?
Joannes Vermorel: Shadow IT is a double-edged sword. The mere existence of shadow IT means that people care about their job and want to do things better.
Kieran Chandler: They want to be more efficient at it, like no matter what it takes. And if there are no proper tools, then they are just going to make their own tools, which I believe is a sign that people are committed, kind of driven, and imaginative. I mean, it’s all very positive qualities. So, it’s happening. I mean, many of the companies we are working with that are profitable, fast-growing, etc., they have this kind of appetite for stability. So, I wouldn’t necessarily say that it’s such a bad thing, indeed.
Joannes Vermorel: The problem is that you end up with a lot of the work being duplicated, and it scales poorly, it’s hardly maintainable, and in terms of data security, it’s a small nightmare. There are a lot of problems waiting to happen. The way I see it, it’s a bit like a technical debt that the company has towards itself, an organizational debt where all those systems are making the company work, and there are debts that need to be repaid by actually properly integrating all those findings and processes into mainstream IT in a way that can be streamlined and maintained over the next decades.
Kieran Chandler: You mentioned data security. How can these tools have an impact on a company as a whole? We have seen in the news, I think it was a couple of weeks ago, there was a bank in the UK where there was a leak because one employee had data for millions of customers on one of his own personal hard drives.
Joannes Vermorel: The mere fact that a single employee can have extensive copies of databases containing millions of clients on their personal computer is a disaster waiting to happen. There is no situation where, if you do that once, maybe you’re going to be lucky and there will be no disaster, but if it becomes a practice, the probability that a disaster will happen over time is close to 1. So, it will happen; it’s just a matter of time. As soon as people start to consolidate databases of any sizable proportion and they do that in a way that is completely informal with their own makeshift Excel or Microsoft Access databases, the leak will happen. If it’s a database of suppliers or SKUs, well, that’s okay. If those are leaked, no big deal, it’s not personal, it’s not super sensitive data. Obviously, maybe you will slightly annoy a couple of suppliers by leaking what is part of the deal that they negotiated with you, but overall, it’s still a modest problem. But as soon as you start putting databases of clients, yes, it can be very bad.
Kieran Chandler: So, let’s look at things from maybe a management perspective. Is there anything they can do to prevent this shadow IT from occurring? What can they do to stop their staff from taking these matters into their own hands? I mean, as a shameless plug, Lokad can contribute to the solution.
Joannes Vermorel: One of the ideas is to have programmatic solutions, programmatic platforms. For example, one of the ways Lokad addresses this need is that Lokad in itself is a programmatic platform. What do I mean by that? I mean that a supply chain practitioner, if they have…
Kieran Chandler: Lokad allows users to write custom scripts for reports and logic, making it accessible to advanced Excel users. How does this address the issue of shadow IT needs within a company?
Joannes Vermorel: By offering programmatic capabilities, Lokad and similar platforms enable teams to build their own extensions while remaining within a managed IT environment. This ensures security practices are in place, as opposed to resorting to unsecured methods like sharing Excel sheets or Access databases on unprotected devices.
Kieran Chandler: So, considering shadow IT is a human-driven phenomenon, do you think we can ever completely eliminate it?
Joannes Vermorel: I believe the key is to understand the driving forces behind shadow IT. Businesses are constantly changing, and IT systems will always lag behind to some degree. It’s not that IT is bad, but achieving a completely maintainable, production-grade system takes time. First, we need to accept that shadow IT is here to stay, and instead of trying to eliminate it, we should embrace the enthusiasm of our employees to improve processes. We should guide them towards more managed solutions and monitor their activities to avoid major mistakes, like unencrypted customer databases on lost laptops.
Kieran Chandler: So, companies should allow shadow IT to some extent but under strict supervision from IT departments to prevent significant errors?
Joannes Vermorel: Exactly. If you completely forbid shadow IT and threaten to fire violators, people will simply not inform you about their actions. It’s better to allow it under the condition that it is supervised by IT, so they can prevent big mistakes from happening.
Kieran Chandler: Great, thank you for your time today, Joannes. That’s everything for this week. Thanks for tuning in, and we’ll see you again next time. Goodbye for now.
Joannes Vermorel: Thank you and goodbye.