Business Tech Playbook

#13 – Shadow & Rogue IT

1 year ago
Transcript
Robbz

This is the Business Tech Playbook, your source for IT help for your business. BJ, you're looking fantastic in that blue shirt today.

BJ

Thank you. I really appreciate it. I actually bought a bunch of new polos because my old ones were kind of getting a bit used, so Kohl's, thanks. I wanted to make sure Kohl's... I am the perfect Kohl's-sized gentleman.

Robbz

I am your host, Rob Zolson.

BJ

And I'm William Poet, Etop Technology. Cold opens are difficult. Yeah, apparently speaking is hard today. I apologize. It's been a very interesting and busy week, so the fact that I'm even here is kind of amazing to me right now.

Robbz

Well, we're here to demystify IT. And if you've ever heard the different terms Shadow or Rogue IT, this episode's for you.

BJ

Exactly. We thought it would be a good chance to kind of talk through what Rogue IT is, what Shadow IT is. Last week we talked about what IT should do for you, and so at this point, it's what you should do for IT.

Robbz

Right?

BJ

Exactly.

Robbz

Come on now.

BJ

For IT, you've got to help us out. Exactly.

Robbz

All right, so first, let's go over the definitions and demystify this. So Shadow IT is using tools that are not backed by the company, that the company doesn't know about. It is not something given by the company. In most situations, whether it's software, hardware, or even just a method or practice, it is using your own solutions, wherever they may come from, that don't match the company's given, instructed solution. So this could be using your personal laptop when you're supposed to be using a company one. This could be using a personal Dropbox account that you get for free that isn't managed by the company. This could be finding some sort of third-party application to work your documents, PDFs, or whatever else when the tools that the company already offers are paid for and ready for you. Shadow IT is doing the same task in a different way that's unapproved by the company.

BJ

I don't like the company CRM, so I'm going to use... well, this next one might actually be more of a Rogue IT.

Robbz

Yeah.

BJ

Here, I'll let you explain that. Yeah, good.

Robbz

Segue. Shadow IT is that. Now, Rogue IT is you knowing you're supposed to be using this tool, deciding you're not going to, and doing it anyway. You know better, you've been told, you've been educated, and you feel like you're... what's the word that I'm trying to get? A positive conundrum. You think that you call the shots in the company and you can be the exception. Shadow IT is always what we call it when we give the benefit of the doubt. Rogue IT, even when we've diagnosed it, we're never going to tell the user that they're doing Rogue IT. We're just going to capture the person's information and tell their manager. I mean, it's not our job as an IT person to slap people's fingers and tell them what they can and can't do. All we do is make sure that they're working. We document it and make sure that the people in HR that get paid for that do that. That is not our job.

BJ

It's amazing to me how much of IT is actually just policy and procedure in HR. It's the amount of times I get asked, what can I do to track my employees' behaviors, monitor them, et cetera, et cetera. And I always try to turn the conversation back to: have you had the HR conversation with them first? This has nothing specifically to do with Rogue or Shadow IT, I suppose, but it's just kind of an interesting thought based on what you just said, because so often we end up having that conversation with ownership, HR, wherever, and it's, well, how do you deal with the problem?

Robbz

If you see that someone's doing Shadow IT and you show them how to do the process and they move on, great. That's step one. But if it moves into Rogue IT, where they know better and they're doing it, you have to pose the question. You have to confront the person, saying, hey, these are the tools we have. You've been told, sorry, but we need to do this. This is part of compliance and required by your work. Instead of telling IT, hey, I need you to make this person do it, I need you to watch everything they're doing, and I need you to come report back to me when they're not doing it. Whoa, whoa, whoa. We already have tools in place where you can already see what tools they're using to get that done. We're not going to be a fence for you. For what? You should have a real human conversation, adult to adult.

BJ

Well, and that's so much of it. The initial part of the conversation, in my mind, should always be just have a conversation, write a few notes down. Hey, we're seeing some struggles here. This is what's going on. This is the direction the company's chosen to go, and you need to cooperate. Have a good HR conversation. I mean, you pretty much have to start with that first, and then it's a lot easier for IT to enforce policies that the company has as a whole than it is to keep dealing with one-off exceptions. Well, Bob wants to use HubSpot, but the company uses Salesforce. Well, now we're making an exception for Bob.

Robbz

It's going to cost the company more money. The data is not going to be owned by us and not going to be controlled. There's many, many reasons why using a Shadow IT methodology just can't be done. And especially if you're in a sizable medium to large business, there's no way you can be the person going left and right trying to support 18 different applications to do the same thing. Everybody should have uniformity, really. I mean, it doesn't sound like you get to be an individual, but uniformity really produces a good product, and gives the company the most efficiencies it should have.

BJ

Well, and so people using consistent tooling allows the company to build consistent processes. Consistent procedures build automations. The more you have consistency, the more you allow people to have constraints. But those constraints allow them to be creative inside of the guardrails. And so how do you empower people to have thoughts and ideas and bring efficiencies to the table? You give them constraints, because if you say literally you have an empty whiteboard, well, then people are going to start drawing stars when you really need them to be typing on the computer. So I mean, it's like, how do you give them a wide enough window or wide enough guardrails to do the job well and to have some freedom and autonomy inside of those rails? Versus people are suddenly off in far right field just doing whatever they want, and their manager doesn't even know what tools they're using in their day-to-day business.

Robbz

Imagine putting yourself in 1950s-era McDonald's in California. You started something as a small business. This is where you get creative. You had a lot of creative people in there, and you came up with a better method to make a better burger. You had it. So you walk up, order, 60 seconds, you've got your fries, Coke, and a burger out there the same way, the same consistent way every time. And then they wanted to grow and expand that across the United States. Now imagine if they had their own shadow methods of doing it. That means every McDonald's would be doing different things. The costs would be all over the place because those different methods would not be supported by corporate and the products that they're sending. And the quality control is out the window. Every single location that they would pop up doing different things, using different tools, using different software, leads to an inconsistent product and having no control over that product. So instead, as McDonald's spread across, they purchased the land and mandated that these stores use their policies. And if they have new ideas, they have this wonderful outlet to submit them and adopt them rapidly across all locations. If you have a good idea, your company shouldn't be much different than that idea. If you have a way of doing things, you're not just telling them no, you're telling them, if you have some other way, here's an outlet. We want to know about it, we want to test it, because we don't want just you doing it, we're going to want everybody doing it.

BJ

Exactly. Well, I used to think that there were kind of a hundred different ways to get there. And the reality is, that is true. But what I've started reading... last week, you mentioned The Phoenix Project and The Unicorn Project, both excellent books on IT. It's amazing to me how similar IT and development are to, like, a manufacturing floor. You have to have really good consistent processes on a manufacturing floor to have a low-defect product; the same thing applies in IT. You need to have consistent processes, consistent tooling, you need to know where you're... so on your manufacturing floor, you have different areas, different machines where your blockers would tend to be, and you might have things build up in front of them. IT can be very similar, especially if people are running different processes and different tooling around their organization. So maybe purchasing is using Monday for managing all their tasks and workflows, and then Sales is using HubSpot and Salesforce, and then you have accounting using Asana for task management. You have three or four different tools. And so training somebody in is going to be very frustrating. And IT does need to document and track all these tools. But then now you're having to build process documents for each different tool. And so you might have replicated processes across Monday, HubSpot, Salesforce, Asana, your ERP, whatever the tooling is. Now you're duplicating effort. And I've seen people have such tool sprawl; Lord knows we have some of those issues ourselves. But when you start having all that tool sprawl, if things aren't integrated, well, now Sales closes a deal and it has to go to purchasing. And so you're doing double entry, and then it goes from purchasing over to accounting, and now they have to enter it. And so you have 3, 4, 5, 6, 7 different tools versus having one tool or a preset of tools that are going to flow things back and forth natively.
So the more you can kind of think through these processes ahead of time, the smoother data moves. And so to me, that's part of why having IT in that conversation and then treating IT in your business technology much more like a manufacturing floor... now you can know how a product goes from raw materials at the entrance all the way to a finished product at the very end that you can sell and make money on.

Robbz

Now one part I wanted to loop back around to is the conversation that we had of HR talking to an individual. When you're having those conversations with an IT person of what I should do about this, what they're looking for, one of the tag words is compliance. Use that... it has a negative connotation that you need to follow orders. But we're looking at how to enable compliance in those situations. And we have tools to audit what software is on their computer, who's allowed to install what on their machine, and other audits, like where did they log into their tools, was it on a different computer that wasn't part of the network? So we have tools to help with those conversations to ensure that Shadow and Rogue IT aren't happening. But the thing that an IT technician will be looking for is the term called Big Brother. Big Brother tools is what he wants to stay away from if possible. There are applications for Big Brother tools, but the term Big Brother is just like with your siblings. The big brother watches over the sibling, the little brother, auditing everything they do and reporting back to mom and dad. We don't want to be that. No IT person wants to sit there and go through any of those reports. Yes, there are tools that he has to use, we get it, there's business cases for it, but that is probably the worst part of his job if he has to do a lot of Big Brother tools.

BJ

To me, I like that thought process and that terminology, because employee monitoring ultimately isn't our job. We might be there... we are there always to support the company, right? But my job isn't to say what the employee is doing is right or wrong, because even if I was an internal employee at somebody's organization, IT's job is to help enforce policies and procedures of the company and to add value, which just falls under that mitigate-risk conversation we've been having. But then we're there to install the tools, make sure that they're functioning, and then hand it off to somebody who's supposed to be owning that role. And we don't like installing monitoring tools. So it's funny you say Big Brother. We say we install monitoring systems at all of our clients, and they're like, oh, what, are you watching us? No, we're paying attention to performance. We're paying attention to things that help us see what's causing problems for you. At the very end of the day, our goal isn't... we care what people are doing, but we don't really care, if that makes sense. The goal is to keep that person working effectively, not to watch what they're doing.

Robbz

Here's an example, if I may. We'll have a customer. The customer is concerned that people aren't getting their job done. They say, I want you to tell me who's going on YouTube.com and wasting all their time during the day. One, that's a Big Brother tool. They can use YouTube for a lot of things, a lot of self-help details. They can use it for music in the background while they're getting their work done. That's what we, at least in my mind, would consider a Big Brother issue. If you don't want them to go to YouTube, we instead would rather have the conversation of compliance. Are you wanting to ban YouTube? We can block it. So it's not a conversation. But me using my time, using your time, trying to audit... this is the term that I love to beat home: dollars chasing pennies. That's me, you paying me, or yourself going through a bunch of logs to see, is it music that they're going through? Really, the sense of value that you're bringing to the company, is that bringing dollars through the door? Is that keeping things efficient? It really doesn't seem to be. And when people say that we have monitoring tools, that we are the Big Brother to them, trust me, that's the last thing we want to do in our job. All we're doing is ensuring that your machine's working; what you're doing on it is your business. And the only time in my mind that you should be micromanaged and it should be a conversation is when you're not performing.

BJ

It's funny that you say that, because we had a very interesting situation with a new client we brought on a couple of years ago. One of the partners or somebody pretty high up in the company sent in a pretty heavy-duty ticket: unblock my web browsing, blah, blah, blah, I need to do research. And it was quite the... I won't say caustic, but, you need to unblock my research. And we'd already had a conversation with management ahead of time on what we were blocking for content filtering. And effectively, we typically block what I would call liability things: porn, sometimes alcohol, tobacco, sometimes firearms. We'll call them real strong liability sites, like malware sites, typically very new things, because those are more suspect. Otherwise, we're pretty open. We generally don't block YouTube. We generally don't block streaming sites, because the internet has become fast enough and cheap enough that it's really not impacting the business anymore to have people listening to Spotify or Pandora or streaming YouTube and the like. I don't really have a problem with that, as long as it's not impacting their job. So fast forward this conversation. We went and spot-checked what was being blocked on this guy's computer. And literally every single site that was being blocked was like porn, tube, Pornhub. Just every single one was a porn site. We replied back with a nice... we were like, okay, we don't need to embarrass them. We're not going to unblock that, because we already have.

Robbz

I just want to clarify, just so it's point-blank: a user submits a request saying, my websites are getting blocked. You look into it. The only thing that's blocked is porn. And now you are still being nice to the guy and trying to be dainty with him and not just going to flat-out tell him. You're a gentleman. You're a gentleman and a scholar. So how did you handle this? What verbiage did you put? Are you sure you're having problems with blocked sites? Are you giving them any chance?

BJ

Well, so anything going in a ticket is going to be documented, right? And so this is going to be something that goes effectively into our permanent record on them. And so we made an internal note of what they were seeing, because we needed to document what had happened. We were trying to give grace because multiple people were CC'd on this email in from this person.

Robbz

Even worse. Oh, man.

BJ

The owner, the operations director, and I.

Robbz

I bet he CC'd them. It wasn't even you; he did that.

BJ

Oh, yeah.

Robbz

We didn't want to make a scene.

BJ

Oh, yeah. It was very much, you need to unblock my research. And we replied with a pretty graceful, hey, per management, we're only blocking sites that are basically... this has already been a pre-approved block list. We're not changing anything. And he raised some ruckus, and I finally talked to the operations director, and she was like, hey, please just unblock him. Like, he's causing a big ruckus over here, please. It's not like he's looking at porn or anything. And I was like, yeah, he is, actually. Like, literally every single block that we've made has been a porn site. To which she replied, okay, can you send me the list? Sure.

Robbz

This is exactly what we don't want any part of. None of it. This is not what we wake up in the morning for, to be like, I can't wait to start the day. This is not the first ticket we want to deal with. And at the end of the day...

BJ

You do what you have to do. We're there to support the company. But honestly, if they had forced me to unblock porn, we probably would have dropped them as a client, because it's not a safe thing for us to be doing at work. What people do at home is not our business. I don't care. But on work stuff, absolutely, I care, and it's a real problem. It causes a lot of liability for companies to deal with this kind of thing on their company equipment. Well, I sent her over the list of very creative sites, and we've not heard anything else about it since then. We'll just leave it in the "it got handled" pile. And suddenly, all of his research was still able to be accomplished without us just unblocking and whitelisting everything. I'm like, no. Right, again, what you do at home on your own stuff is your business, and I'm not here to judge. I'm not even here to judge at work. I'm literally here just to make good decisions for your company.

Robbz

Now, in this, we talked about two different things. We talked about the issues at hand and a couple of options to deal with it. We talked about compliance and Big Brother. But even first and foremost, if you're a technician listening to this and you get these issues and you immediately... you want to tell them off, but that's not helpful. You're trying to build a bond. It's already hard for people to call in and ask for help. Why would you burn that bridge? So if someone's doing this, even if you believe it's Rogue IT or you know it's Rogue IT, you need to have the conversation and give them the benefit of the doubt, because guess what? That's not your job. Your job is to encourage them, no matter how you feel about the request that they're still asking. So if they came in, you figured out they were using a tool, you'd be like, hey, I have this great way of using it. That's what the company offers, and you help them and educate them. If they say, no, I'm going to still stick with it, you don't take that head-on. You don't tell them, no, please don't go to this. You've already explained yourself. You explain that it's a company tool, then escalate. But you don't need to confront the person. They need to trust that IT is going to be there to be helpful. You don't need to tell them no. You're going to say, I'm sorry, but here's a better option. Instead of no... no should be so far down your vocabulary list. You just try to ignore it and be like, hey, I want to use Dropbox for this. You don't tell them, I'm sorry, you can't. No. Instead you go, well, guess what? We have this great solution to do that same thing. It's kind of the sales pitch. You don't want to be in the negative in the conversation; you just want to show them a path forward.

BJ

So I will say that I think this somewhat depends on the industry that you're in. I believe that there are strongly some industries where no should be the first thing you say, because of the compliance regulations and just the extreme amount of risk that Rogue or Shadow IT can have for the organization. So if you're a HIPAA-based organization or an organization that's required to have some kind of HIPAA compliance, if you're dealing with, like, FINRA, if you're dealing with DFARS, CMMC, any of these really heavy maturity models for compliance, no is a completely valid answer. And in fact, they shouldn't have the rights to create these accounts. They shouldn't have the rights or ability to make any of these decisions on behalf of the company. And the reality is most small companies should be like that too. Whether you have compliance or not, you do want to be collaborative, and you do want to help the company move forward. But you also need to be careful not to cater the entire conversation to every single user being a unique snowflake. Because when every single user is a unique snowflake, how are you going to support that? Well, you can't. It's a big part of why across our client base we're sitting in the high 90% standardization for computers, firewalls, switches, access points, AV, spam filtering. Like, all of our tools look exactly the same. And the only variance between customers is typically line-of-business applications.

Robbz

Right.

BJ

The reason being is because as IT, our job is to be there to support you and help you do better. And so obviously we're dealing with this at a different scale than possibly an in-house IT person. But we need to be collaborative and help your business reach its goals. But it's also sometimes those goals are saying, hey, I really appreciate the idea, but let's not do that right now.

Robbz

So here's a method that I handled with one customer, one customer that I dealt with in the past. It was part of a bank. This bank is under the same scrutiny and compliances, much like HIPAA. Not the same compliances, but mind you, the banking industry is very strict on government compliance.

BJ

To be honest, yes, I would rather deal with HIPAA compliance than bank regulators.

Robbz

Right. So this particular person was a director of the chain of banks. The chain of banks got an upgrade. They were all to get this business-classified, like, Surface computer. And they were all issued out with their full encryption, just their software, everything's locked down. Everything's exactly how it should be for this director. Then one director literally chose and said, I don't really like it. Went to Walmart, bought his own computer. And me panicking, knowing the amount of legalities if that data went to any other place, the steps that we have to do, the insurance company that has to be called, just the level of importance, the fines that that could really generate. And this being essentially the director, there's really no one higher than the president himself, doing this. And the director just did this on a whim. So of course I can't be the one to tell them no. I would love to tell them no. They should know better. They've gone through probably a decade of training on why this should be a hard no. But I captured the... I figured out they're using it. I put our software to monitor on it and immediately went through protocol. I just said, okay, well, I took down his notes of what his requests were, what wasn't working. I said, we'll get back to you, and immediately that had to go under lockdown. Compliant shops have a completely different ballgame. Good point. Good point. So suddenly this Rogue IT thing became, how do we isolate this gap in security and roll this back in?

BJ

Well, and so here's the problem with just using a free account. Well, first off, all of these companies providing these free tools are suddenly starting to try to charge for it, or shrinking the amount of value that they add, or they're really reeling back in the freebies. So they're either increasing the amount of ads, the data in there is potentially public... Lord knows there's a lot of things that have been changing. Well, so if Bob signs up for that free Dropbox account and shares your law firm's data with a client, well, sure, they achieved the immediate goal of sharing the data easily. But now you have this dangling bucket of information out there. You can't control that data anymore. And so much of our job is helping the client understand that faster is not always better. There's a lot of conversations in our space about DLP, digital loss prevention or data loss prevention. And this happens... if you go to any Ross store in the country, they have a loss prevention person standing there where the goal is literally just to keep stuff from walking out the door. That same... you wouldn't want shrink of clothes walking out the door, so that's why they put a loss prevention guy there. Our job as the digital loss prevention is to help keep your data where it should be going, keep your data documented as to where it lives, and to have really clear guidelines on how to treat it, like what data should be shared outside the organization. Actually, a really good tool that you can use to classify data is the TLP, Traffic Light... I'll come up with what the TLP stands for in just a second, but it was released by CISA, which is one of the government organizations. We're using it internally now.

Robbz

Traffic light protocol.

BJ

Yep, okay, that was easy enough.

Robbz

The red, yellow, green. Everybody knows it when they go to a four-way.

BJ

And so they're trying to use very easy guidelines that everyone understands on documents. Okay, this is a green document. Anything TLP Green is literally open for public dissemination. So this could be marketing. This could be the documents we share on our university site, how-to guides, things like that, things that have no ramifications for the company's data. It's good to have shared. Then there's TLP Amber, where typically that's things that we've created for a client. So XYZ company needs to know how to do this type of process with their ERP. Great, we'll create it. But we're not going to share that with other clients, because it has proprietary company information. And so we can share it, but we're limited in our scope of sharing. And then there's TLP Red, which is, it stays inside of our company, and we're very careful of who we share it with inside of our own company. Top secret, right? So this is our secret sauce. This is data that we are never going to share with somebody until they are an employee of a high enough level.

Robbz

This may not even be shared: company bank account information, our secret sauce. Maybe the Coke recipe is labeled red if you were part of the Coca-Cola company. Anything, exactly, anything litigated like that. And using that process, anything that you can teach to someone that's just learning how to drive and have that be native, the red, yellow, green, should make some common sense in your industry.

BJ

Well, and I feel like that applies a lot to these types of applications. So some applications are going to be very, okay, great. I don't really care if people have iTunes on their computer. It doesn't really impact things for me. If people want to have Adobe Reader versus the Edge reader, okay, great, have it. It's not a risk. But when you start having...

Robbz

Yeah, I was going to say, you want to pay a different company so you have a different email address entirely that's not what the company is using. That is the definition of Shadow or Rogue IT.

BJ

Probably my favorite example would be, like, a salesperson who is given Salesforce by their company but can't stand it, and so they go get SugarCRM because it's what they're used to using. And so now all of their information, all of their leads, all of their contacts, if they leave the company, they go with them. There's literally nothing you can do to stop it.

Robbz

Not the pieces that are owned. Do you know how many times you and I sit down at the computer and we see that some company has completely paid for a tool like Wrike? It's a project management software, a task management software, and that's where the whole company should be. But somebody spun up an Asana on their own because they just thought it would look prettier.

BJ

My favorite is, we have a client. So this is an existing use case, and it's an accepted tool now, which is fine. So we know about it, it's documented. But they signed up for Asana for task management inside their organization. If they had spent five minutes and asked us, we could have turned them on to Microsoft Tasks and Lists and saved them $30 per person per month. So they're probably spending $1,000 a month on software that they could have replicated with half an afternoon's worth of work right now.

Robbz

People don't understand. They think that, okay, that's one thing, the company doesn't own it, so of course the company wants control. But there's also, you mentioned that putting your data elsewhere is a risk. So here's an example I read online of something that would seem common to people. You ever had, like, a file format and you want to convert the type, and you literally go to Google and be like, how can I convert this? And then suddenly, instead of the instructions on how to do it, they have this cool little web browser tool that lets you convert that document. Well, someone was trying to add a watermark to a document because they didn't want to go through the steps of figuring out how to do it in their Microsoft Office tools like Excel and Word. So instead they're like, I want to do this easy. So they pull up a page, they find a place that will watermark your documents. There's no advertisements, stuff is in broken English, but they're like, it's a free tool, I don't care. They upload their personal and private document to put a watermark on it, and they get a converted copy. How convenient. I'm going to bookmark that tool for later. Well, what that tool was doing, and again, this is not my instance, this is what I'm reading online, what that tool was doing is trying to scrape the data from your document, knowing it's important, knowing it needs a watermark, and then either sell or misuse that information for either identity theft, bank account information, anything that was on the document that they can find use for. They're going to attempt to use it maliciously for monetary gains.

BJ

That just makes my head hurt. The pure amount of... if it's free, ask yourself, you're the product. You're the product. This is a big part of why I'm trying to... sorry. The anxiety level is, yeah, I could definitely feel my cortisol spiking like crazy, man. Well, and I get it. People just want to do their job, right? Like, been there. Sometimes you just want to do whatever is easiest. Literally the entire day yesterday, I wanted to throw my computer out the window. So we've been working through a whole bunch of new security processes internally, and I was trying to make two changes. I used to have Global Administrator over Office 365, because I'm the owner. That's my job. I have the right to have that. I disagree with that overall thought process, but whatever. I had global admin for a while. Well, now I have to go through an entire approval process. Somebody else has to sign off on it. And it wasn't working. I'm sitting here going, I need to make one simple change. I just wanted to do the three-minute fix and move on. And I was so frustrated. So I get it, as we walk through trying to do more security. So, in full disclosure, I do not have Global Admin now.

Robbz

Even to your own company?

BJ

You don't have my own company. You're a good drive. I daily drive zero admin privileges on my computer. Zero admin privileges on our Office 365. I have zero ability to do this. I drink the same Kool-Aid I tell our clients, because if I get hacked, I'm a big risk.

Robbz

So you don't use Dropbox, you don't use those internal file converter apps. You can't access naughty websites at the office. You do everything that you do for the customers back in your same seat 100%.

BJ

Oftentimes a lot worse, because we're trying things out on ourselves first to make sure that it's a functional process and is it going to drive them crazy.

Robbz

Can confirm. If you work at Etop, you'll be sitting in the chat and suddenly you'll get a ping from one of the admins saying, hey, who's got a little downtime that can test this new product for the next couple of days? Excellent. Pick me. And if I go down, I revert the changes, go back up, document it, and then move on with my day. It happens quite often.

BJ

There's kind of a running joke that we're a whole new company every three to four months because of either employee growth, process growth, client growth, but we're changing and improving our processes so much and so frequently that we literally are an entire new company every three to four months. Like, our admin went off on FMLA and I texted her, was like, hey, I miss you. Hope you're doing good. She's like, I'm really scared to come back because last time I went on a maternity leave, I came back and I didn't know how to do anything. I had to relearn everything, unfortunately for her. But we've been walking through a new service operations process internally, which is going to completely change her job again. So we've been working on this since March and we're going to roll it out in the next two to three weeks. So it's the end of August, so we're going to be rolling it out the second week of September. It's a completely different process than she was used to before. And I mean, this has nothing to do with Rogue IT particularly, but it has more to do with just the consistency and processes and how much you can change.

Robbz

We're not saying because of Shadow IT and Rogue IT, to only stick with what's always been. You should have that process where if someone discovers a new efficient procedure, a new efficient tool, any different way, that should have a formal process of submitting it. Hey team, check this out. We're going to save so much time. We're going to save money. We're going to get a better end product for the customer, whatever it may be. That should be at the forefront of grassroots R&D from your people. You should have that set up and it should be vetted and onboarded. You shouldn't ostracize someone for trying something new, but instead give them the tools to do it correctly with less risk.

BJ

Well, and I think that's where IT needs to do a better job of collaborating with people. It's, what are you trying to accomplish? And then can we accomplish that same efficiency inside the tooling we already have before we add something? Or, hey, that's a great idea, let's start pushing this down the road and see if it's something that we can roll out to the entire organization. But you want to go through a couple of different steps. First, where you're vetting it, you're making sure it's backed up. Does it meet your needs? Does it meet your compliance requirements? Is it scalable? You signed up for that one Dropbox personal account and now the organization is suddenly paying for 25 people at their enterprise level to replace the fact that you already had SharePoint and OneDrive or Box or insert file sharing here. Then there's training and support. Do they have support? Well, you don't get support on free tools, typically.

Robbz

There was an alert that I did. This is a real story I did at Etop. There's an alert that I did where someone allowed Microsoft Office permissions to their account. That means they can look at their emails, access their calendar, other things. And that sent an alert to our help desk. And sure enough, we saw the tool. We know what the tool is, but it's not something the company pays for or uses. So I said, hey, for now, I have to pull those permissions. But here's this great opportunity. Let me loop the manager in. You showed me the process and how this can save a lot of time, and we'll see. Vet the process, see what they say. It went to the manager's desk. They went over, they reviewed it. We checked the security on it as well. Then they decided to get a subscription, onboard it and share it to the rest of their team. Instead of me just being the gatekeeper saying, you can't have that, I had a better conversation saying, no, I'm not trying to take it away from you. I'm just trying to make sure that we stay secure while you figure out how to share that with everyone.

BJ

And now I'm dying to find out who it is. I didn't even hear about that. That's funny, but that's it. Our job is, at the end of the day, there's always three things, right? IT should mitigate risk, support, and add value. And at any given point, we could be doing any one of or all of those things at once. And so a big part of this conversation about Rogue IT is about mitigating risk. But if you approach it with a positive attitude, oftentimes it can add value, too, and it's providing support. So it's, how do we support the company in mitigating risk and adding value? It's never any one thing, but it's how do you move the company forward in a positive manner while being collaborative?

Robbz

And if I'm trying to remember the details on that one, I think what we did so they could test it is, instead of using your account that you're using every day with real company data in it, we made them a dummy account so they could use that, connect it with it, so that it had access to only that dummy user's data for testing this tool. And it was a much safer way of getting it done. And after the 714 days of testing, that account got deleted. And then we began onboarding it, and we were working the process.

BJ

I mean, I couldn't ask for a better outcome. Ta-da. The even better part of the outcome is I didn't even know it happened. Now I just need to go back and check in with one of our team and make sure we documented it. Documented?

Robbz

It was documented. Yes.

BJ

Winning. Look at us. We're doing our job, and I don't even know it. That is literally my favorite thing.

Robbz

I get a cookie.

BJ

You had two cookies. I think this is like four months peanut butter cups.

Robbz

Yeah, I think this is like four months ago, but we'll talk after.

BJ

No, I love it. But again, so much of Rogue and Shadow IT. We hate those terms, by the way.

Robbz

Just putting it out there, this is not a fun conversation for us. This is us eating our bran muffin in the morning. Just letting you know that we hear that term and we feel just as icky as you can imagine.

BJ

So here's a very extreme example of Shadow/Rogue IT. It was accepted by the company, so we'll call it Shadow IT. One of our bigger clients has a marketing department that of course had to be all Mac, which in and of itself, that's fine. I don't love it, but it's okay. It's a supportable thing. The marketing director at the time fancied himself a smart technology person. So he had set up a Mac server, and I'm going to do that with air quotes, a "Mac server," and then attached a big, they called it a DAS, so a direct attached storage. So it had a bunch of drives in it and then shared it out using Mac permissions to everyone inside the organization, or everyone inside marketing. And nobody else had access to it, just marketing. And then he tied it to a Dropbox account and got every single person inside the company a $20 a month Dropbox account. And he also got everyone inside the, he also liked Google Docs, so he got Google Docs set up so that way they could do something with it. And the company was using at the time a hosted Exchange provider. And then we moved them over to Office 365. It's taken us five years to untangle the Shadow IT that this person put in, and they've been gone for four of the five years, possibly longer. We're at the point where every single Mac is now set up properly on the domain and attached to the network properly. We've moved all their files over to a server that's managed and backed up. Like, we finally have killed off Dropbox. Like, we're really close to killing off Google Drive and G Suite. They have a full Office 365 setup and a full G Suite setup. They're paying twelve or fifteen hundred dollars a month for extra systems.

Robbz

It was triple dipping and they weren't even using it. Like you said, the Google thing, we don't even know fully what they were trying to do, but we were told that they were unsuccessful, but kept it anyway because that's where their documents were.

BJ

It's been a journey. Untangling these messes is frustrating because it's like, since G Suite and Dropbox aren't officially supported applications for them, we're not backing them up, they're not being monitored, there's no security tools on them. So who knows, their company information could just be out there and somebody could have access to it and we wouldn't know. And we've been pushing and we've been helping them and we've been working through migrating and taking care of all of these tools. And we're really close, but at the same time it's taken. This is why we need to be careful, why companies need to be careful and aware of and thoughtful about this Shadow and Rogue IT, because it can cause really sticky situations that take a long time to fix and a lot of money.

Robbz

I can't figure out a better ending to this than that. Contact your IT representative. If you don't have one, call us. We'd love to help you out.

BJ

Business we're kind of okay. We're kind of okay.

Robbz

Businesstechplaybook.com, you can find our contact information at the bottom of the website or in our show notes. Email us, [email protected], message us, message us, and we might send you whatever that hippie Reese's you're eating there.

BJ

It's not a hippie Reese's. It's a body builder Reese's. Oh, well, that's right. That way.

Robbz

Get those sick gains.

BJ

Coles, at this point, the only sick gains I'm getting are around my midsection.

Robbz

Sick gains, bro.

BJ

Sick gains.

Robbz

Until next time.

BJ

So thanks for until next time.

Episode Notes

For more episodes go to http://businesstechplaybook.com

Find more on LinkedIn: https://www.linkedin.com/in/william-pote-75a87233

This podcast is provided by the team at Etop Technology: https://etoptechnology.com/

Special thanks to Giga for the intro/outro sounds: https://soundcloud.com/gigamusicofficial