Only the Shadow IT Knows

Episode Notes

Transcript

Kennedy-Mighell Report: Only the Shadow IT Knows – 4/2/2015

Advertiser: Got the world turning as fast as it can? Hear how technology can help – legally speaking. With two of the top legal technology experts, authors, and lawyers: Dennis Kennedy and Tom Mighell. Welcome to the Kennedy-Mighell report, here on the Legal Talk Network.

Dennis Kennedy: And welcome to episode 149 of the Kennedy-Mighell Report. I’m Dennis Kennedy in St. Louis.

Tom Mighell: And I’m Tom Mighell in Dallas.

Dennis Kennedy: In our last episode we took a look at technology accessories and how accessories can make our gear more usable and more personalized. In this episode, we turn to the headlines and explore recent stories about Hillary Clinton’s use of a personal email server. Many of the stories talk about something ominously referred to as Shadow IT. Now we’ve touched on Shadow IT over the years on this podcast, but we thought it might be a good time to really focus on Shadow IT in some debt. Tom, what’s on our agenda for this episode?

Tom Mighell: Well, Dennis, in this edition of the Kennedy-Mighell Report, we’ll be talking about the phenomenon of, as you said, Shadow IT, or as I like to think about it, what happens when your employees take technology into their own hands. In our second segment, we look at some small additions to powerpoint slides that can help when you prepare your next presentation. And as usual we’ll finish with our parting shots, one tip or observation that you can use the second that this podcast is over. But first let’s get started on our main topic and that’s Shadow IT. The idea of Shadow IT really isn’t a new one. In fact, I looked back in our show archives, and we’ve periodically discussed the issue as early as 2010, I saw a reference to something. But Shadow IT really came roaring back and gained some national prominence over the past couple of weeks when we learned that Hillary Clinton’s been storing official state department email on her personal server located on her property. So we thought we’d take a deeper dive into the world of Shadow IT in this episode. So Dennis, why don’t you start us off. What do people mean when they use that term? What do we intend to talk about with that term?

Dennis Kennedy: Well I think the best definition and the easiest way to think about it is just a description for the way people use unapproved IT systems, software, hardware, Cloud solutions, and they use it inside their organization for work purposes without explicit organizational approval. And often it’s in contravention of existing policies. And a lot of times it’s done with good intention, but sometimes has unexpected results. So I think it’s just as simple as that, it’s just unauthorized IT use by employees of trying to in some cases get work done that they need to get done, try to do work better; or in some other cases trying to avoid detection of what it is that they’re doing. Tom, do you want to maybe dive into the Clinton email example? Which is in some places sort of an extreme example of Shadow IT, but also illustrates some of the basic principles of why employees might want to go around existing systems to get things done.

Tom Mighell: Well I think what we’ve learned is that Hillary Clinton, the reason that she gave – she finally talked about it, I think she waited a little bit too long to talk about it – but turns out that Hillary Clinton has been basically keeping all of her official state department emails on a separate, non-federal government server during the time that she was secretary of state. She had her own server that was somewhere located on her property – to make it sound like it’s in a shed in the backyard – but it’s somewhere on her property. The reason that she gave that she was doing it is because she didn’t want to carry around two phones. And frankly, you and I see that all the time. You’ve done that, where you’ve had to have a work issued phone and a personal phone, and I’m frequently working with clients where I see them bring two phones into the room. I think it’s horribly inconvenient, and to me I wouldn’t call it a good reason but I would say is I understand the impulse of wanting to get rid of one phone. Now what’s interesting though, is that email was actually not part of the federal record keeping rules in 2009 when she was secretary of state, which sort of boggles the mind that email was not required to be kept. And for me – I don’t want to get into a whole records management discussion because I could talk about this forever on this issue – but it’s amazing to me that they didn’t recognize that there are business communications in email. Nevermind the fact that she’s talking about significant matters of state security, whether you believe or not that she still has those emails. I think that there’s no question that at some point in time she was communicating important information that probably should have been captured and stored on a government server. Even if there was no requirements, even if she didn’t break any laws, it still boggles my mind that a government official would think it was appropriate to keep email on their own server, and we’re going to talk a little bit more about email as we get into it, but it just sort of blows me away that any employee would think the rules don’t apply to me for email, I’m going to do it on my own. And I don’t know if it’s just a personality thing, or I don’t know if this is really a lesson in Shadow IT.

Dennis Kennedy: That’s why I referred to it as kind of an extreme example where you’d go to the kind of end of the spectrum almost, in terms of the tact to say I’m going to set up my own, personal email server at home. So a lot of people say – and they have a lot of reasons – sometimes it’s the work around, sometimes people need to get something done and so they run it through personal email. But typically, people have a personal GMail or Yahoo or some other email account, so that’s the more common example of Shadow IT in email, that’s somebody doing their own server. But it’s kind of interesting because I think a lot of the Shadow IT gets associated with top executives who need to get something done or they want to use an iPad or something that’s not quite been approved and they get a special exception. And that sometimes opens the door to quazeye approved Shadow IT, but sometimes unapproved. And also I think it’s an example where convenience starts to outweigh security. Because when you think of that personal email server, my first thought was how secure can that really be? On one hand you say it is a little inconvenient to carry two phones, but it seems like you’re opening up some potential security issues here. But I think it illustrates a number of things that happen in the world of Shadow IT. Tom, I also wondered, there’s two notions that sometimes gets blurred a little bit here, and that’s Shadow IT and BYOD, which is bring your own device. And so in the bring your own device world, I think the big difference is that IT department is letting you use your own device or your own technology with their approval, where Shadow IT, you don’t have that official approval. What are some other typical things you associate with Shadow IT?

Tom Mighell: Well, I’m going to come back and say that I think the whole BYOD phenomenon is at least in part a reason why we see Shadow IT. A couple of years ago, before BYOD, people didn’t have it in their minds that they could bring in their own technology to do things. And now as it’s become more popular and even accepted, and IT departments are rather to say rather than fight back against it, we’re going to work with employees to let them use their own technology, it creates an expectation. So if I’m able to work and bring in my own technology in one company and then I move to another job and suddenly that IT department has very different rules and is a lot stricter and won’t let me use things. Will my mindset be more likely to engage in a little bit of Shadow IT and bring my iPad in and work on it and do something different? I think it might; I think that BYOD actually probably leads to more Shadow IT than we’d like to admit. That tends to be in the nature of hardware. I think that where we see it more often is in software, with people bringing in tools that they think will help them do a good job. And I think that a huge area for software, for a while it was instant messaging programs. Before companies started doing enterprise instant messaging, everybody would sign up for AOL instant messenger or Yahoo instant messenger, and they would be able to talk and it was to achieve a certain purpose. I could communicate with my coworkers and my friends on the side, but as a result, I’m capturing all sorts of interesting, maybe potentially risky work conversations that are part of that. We’ve seen in the past couple of years, and even back as far as 2010 when you and I first talked about this, we’re seeing Cloud services as being a ripe target for Shadow IT. Back then it was Google Docs, now I would argue that it’s Dropbox or some Cloud file-sharing service that people are tending to use. I know a lot of people in companies that I talk to started to use things like Basecamp because they think it’s a better management tool for what they need. So we’re seeing a lot of Cloud services being used. And I will be honest, there are a couple of companies I talk to where they’ve actually talked about it with IT and IT’s approved that sort of thing. But I would say that that is the exception rather than the rule.

Dennis Kennedy: Yeah and there’s a whole history of the software programs. I think of Skype being one of the big ones early on, because people use Skype for instant messaging and communicate with video chat. It’s free; so  freeware, open source software where people don’t have budget for certain programs. They can find a freeware program or an open source that will get what they need to get done. A lot goes on in that area, sometimes people like a newer version, perhaps an older version of a software or different version than what’s used at the company that they’re at. So maybe they’re used to using something at the company that they came from and so that stuff will come on on the software side. And then I think, as you said Tom, that the Cloud stuff is huge. I think the use of Dropbox by employees is – a little bit of research I did suggest maybe 20% levels of use of Dropbox by employees storing company files in Dropbox. And the reason they do it is because the tools they have at the company aren’t adequate or they don’t perceive it as adequate or they don’t know about certain features or they don’t have training on them, so there’s a lot of reasons. So people are typically trying to get things done or they’re trying to do something new or different or better. In addition to Dropbox, the one that I hear a lot about people start using or wanting to use is Prezi, which is a Cloud based presentation tool and again, it’s typically against all the policies and the IT people don’t know about it and the IT people just think well, it doesn’t do anything different than powerpoint does, so it causes a lot of issues. But in extense from software we talked about, it could be hardware, apps, smartphones are huge. One of the early stories about Shadow IT are people finding that there was an unprotected WiFi access in their firm and they tried to track it down and they found that it was a lawyer who wanted to work away from his or her desk and just brought in a WiFi router and it was unsecured. So it was visible and it gave exposure to the firm’s network just because somebody wanted to work away from his or her desk.

Tom Mighell: I wanted to add something and this is something that I see a lot in companies these days and I think I’ve even talked about it on the podcast before: I think that some people might say this isn’t Shadow IT, but I’m going to expand the definition of Shadow IT slightly to say that it s pushing back or finding ways to continue to do things the way you’ve always been doing them when IT tells you you can’t do them that way. And my biggest example that I see these days is a concept that we call underground archiving, especially of email. And I see it a lot in companies where the company has decided that email should not be retained for long periods of time and we’re going to delete it after a certain period of time. People feel very protective of their email; for most people email is their file cabinet; it’s where all of the important information is stored, you need to be able to go back there as your reference tool over and over again. And so when we have companies that have decided we’re going to delete email on a regular basis, we see a lot of times employees finding other places to store that email, whether they’re saving an email off to their own computer hard drive or to a shared drive somewhere or putting it on USB drives. We’ve seen people who’ve emailed their own email back to their home address so they’re keeping a copy of all their email back there. It’s just amazing, the places that people can send those that they’re doing that because they think that’s something that’s going to be taken away from them. And I think that’s what we want to talk about the reasons why Shadow IT appears. I think that the main reason, like you said before, is that people want to find better ways to work, the tools that they’re using are not meeting the needs that they want, they want to collaborate shared documents, they want to be more efficient or productive and they are being limited or stifled at least in their perception. I think a second big reason is that people use Shadow IT to protect something that they think they’re going to lose. If they think it’s going to stop them from being productive, this is how I’m going to protect myself and make sure that I can still be a productive member of this firm or of this company and security and all the rest began.

Dennis Kennedy: Yeah, and it is a tough thing because I think in so many cases, there really are good intentions behind this and people are just looking for a workaround. You’re trying to get, say, a document signed and sent by a deadline or a court filing and you’re not in the office and you can figure out ways to do it maybe by emailing yourself and printing it out at home and signing it and scanning it, emailing. And so you come up with all these workarounds and you’re basically blowing by all the policies but your intention is to actually get the work done. And then I think you do run into the thing where the people that you’re working with could be clients ands could be other people, but especially under a deadline where you don’t have the tools you need to do that work. And I don’t know how many times people run into a thing where there would be a Word document with changes and you’re not able to read it over your work phone, but if you send it to yourself on your home computer you would be able to see that red line. And I think those are the typical things. You have the work one to be done, the collaboration where somebody says just use my WebEx or use my instant message system or something like that and you do that. And then I think there’s also that sense of archiving where people are saying stuff is being automatically deleted, I think I need to keep it or I have a very small inbox limit n terms of storage so maybe I’ll offload some of these documents somewhere else, or I’m traveling and I can’t do certain things. So I think, most of the time, there’s good intention, but there are plenty of examples where there are bad intentions of Shadow IT.

Tom Mighell: Yep, and I agree. So we kind of know what the causes are, we got some examples of it. What are the issues with it? Why is it a bad thing, what’s the problem with it? And I think you mentioned before that security is probably the major issue that IT is not controlling it; that when you put an email server in your backyard, you have no idea what the level of encryption is or whether it’s as secure as perhaps a federal government email server might be. I come from a slightly different perspective and I see this as a risk issue for legal stuff because it’s another source of information no matter what you use. If you’re using Dropbox, you’re storing records there, if you’re using Google Docs you’re creating information there. If you’re underground archiving then it’s extra email in other places, and for me those are places that legal has to look, that lawyers have to look. And those are places where relevant information might live, if they become relevant in a lawsuit, any kind of litigation if there’s any investigation or something like that. So I think that security’s a huge risk on the security side. I think that just legal risk on the other side is a significant consequence as well of Shadow IT.

Dennis Kennedy: I think you’re right. Legal regulatory risk in the discovery area is just simply the fact that you have employees doing this, does that sort of open up the scope of discovery against you to the employee equipment and home computers and how do you deal with that. I think that in terms of the administration or the IT side of things, you have potential risk to how your network works; standardization, people using different things, incompatibilities. People installing things maybe where there’s no licensing or in violation of licenses; there’s a whole bunch of stuff going on there. And in most cases, I would be shocked if there’s not a policy in place that clearly prohibits most of the things that come with Shadow IT.

Tom Mighell: Yeah, I agree, and I really think that if we’re looking for solutions for this issue, I think that that solution is not more technology. I think technology is doing just fine. I think the solutions are managing expectations amongst employees and trying to figure out what is driving them to these tools and can we either provide them with these tools that get them what they need or can we adapt our policies so that they don’t feel so threatened. They don’t feel the need to go and look for other things. Can we modify the way we do things to protect ourselves and make the employees happy at the same time. And in my email example, there are a number of policies you can set with employees and I usually like to say keep email out there where people can see it, that you’re only going to delete it after a certain period of time and it can’t be a short period, it’s got to be a longer period of time and it ages out. And the older it gets, the less people have to look back and get to their email. And honestly, people don’t look at email that’s 2 or 3 years old. They think they do, they think they’re going to need to go back, but it just doesn’t happen that often. And you put a policy in place where you say we’re not going to get rid of your email, we just need you to manage it better. And I’ve seen time and time again that given that guidance and good management technique and good communications, that people will fall in line with that and won’t resort to the need for Shadow IT or any type of underground archiving.

Dennis Kennedy: And I see it more as a management issue but I sort of see it as a leadership issue. Because if you use the Clinton example, if you know that the head of your organization has their own personal email server, believe me, you’re going to feel entitled to do all sorts of Shadow IT yourself. So I think there’s a leadership issue. You can definitely cut down on a lot of things if you take away administrator rights for everybody, because people should not be able to install software at all. But I think you touched on a really important thing which I recall that your IT department needs to be more agile and more nimble and try to figure out what is it that people really need. Because if you kind of hear what people are using the Shadow IT things for, that will kind of give you a plan for what things you need to bring in and what should be prioritized because these are tools that people are definitely looking for. So Tom, let’s wrap it up by saying do you think we’re going to see even more Shadow IT as time goes on?

Tom Mighell: I think Shadow IT is something that never goes away, because as tools pop up, if Google Docs is out there and people want to use it, then companies find a way to offer collaborative document writing then there’s going to be something else that pops up down the road. So I really don’t see it as something that ever goes away and what’s going to be interesting to me is whether or not – as more and more millennials enter the legal marketplace – I would see them tending to be more the rebels, the people who would want to try more things. So I’ll be interested to see if that’s the case or whether they’re easier to satisfy with the right kind of tools. What about you, Dennis?

Dennis Kennedy: I say look at your smartphone, we’re expecting to do everything on our smartphones; that’s going to be the place that people expect to be doing everything and I think we’re going to see lots of what we refer to as Shadow IT.

Tom Mighell: Well, you heard it here first. And before we move onto our next segment, let’s take a quick break for a message from our sponsor.

Advertiser: Looking for a process server you can trust? Serve-Now.com is a nationwide network of local, prescreened process servers. Serve-Now works with the most professional process servers in the industry. Connecting your firm with process servers who embrace technology, have experience with high-volume serves and understand the litigation process and rules of properly effectuating service. Find a prescreened process server today. visit www.Serve-Now.com. We’re glad you’re listening to Legal Talk Network. Check us out on Twitter, Facebook and LinkedIn too.

Tom Mighell: And now let’s get back to the Kennedy-Mighell Report. I’m Tom Mighell.

Dennis Kennedy: And I’m Dennis Kennedy. Tom and I were on a call recently talking about a panel presentation on legal technology trends will be part of at ABA Techshow 2015 on April 16. I found myself stepping into a resounding silence and feeling like I needed to volunteer to put together the draft of the slides for the sessions. I jokingly asked what slide transitions the other speakers preferred, and to my surprise – unless they were joking with me – people had some pretty strong opinions and some actual suggestion for transitions. So I suggested to Tom that this might be a good topic for our second segment and I actually talked Tom into agreeing. Tom, I count 35 possible slide transitions in the version of powerpoint I’m looking at right now. Can the choice of slide transitions really enhance your presentations and do you have any favorite transitions?

Tom Mighell: Well first of all, I hate to break the news to you Dennis, but I was on that same call and I’m pretty sure that the strong opinions of transition preference were as joking or sarcastic as your comment initially was. And I hate to disappoint you on that but my suggestions for transitions were certainly not completely serious because I’ve got to believe that people who take their powerpoints seriously are hearing us talk about this and are cringing and saying why are you talking about transitions, it sounds like you’re talking about animations. And we all know that animations are bad, bad, we can’t use them; we shouldn’t be looking at them. That said, i think it really depends; I’m going to give the lawyer answer, it depends on the type of presentation. I typically don’t use either animations or transitions in the powerpoint decks that I use or when I do Keynote, I typically don’t use them. I will say, though, that I have used them and I think they make sense in certain circumstances. And the one I’ll use most is for either entertainment or educational purposes to break up a mood or to keep the interest or to make it more interesting. I think that if I’m just going to get up and give a speech, I’m unlikely to use transitions in that because I’m going to really on my ability to give a speech and hold their attention rather than the ability of the powerpoint to make it interesting for me. However, when I develop training materials for clients, they’re going to be taking that course on their own. And I think that adding in some transitions breaks up the monotony, it makes it a little more interesting to watch. It may not lend anything substantial to the content, but it makes it not such a boring, plain, flat training presentation or something like that. I’m not sure that I have a favorite transition, I sort of always have been a fan of the cube when it looks like it’s turning on a box looks. I don’t know that I would use it in many presentations but I think that it’s a cool look. Dennis, do you have any favorite transitions?

Dennis Kennedy: I generally use no transitions for a number of reasons. I think they tend to be distracting, I don’t want people to pay attention to what I’m saying  rather than watch how one slide moves into the next one; so I just don’t use transitions. And also the thing where if somebody might be reviewing slides, which is less common these days than maybe in the past, but if you’re moving through slides quickly, you don’t want to go through all of those transition animations. So if you’re running out of time, those transitions just eat up more of your time. But I look through all of the transitions and try them all, so I have a list of 6 of them. The one that I think people use a lot and it’s something that people are comfortable with and I think you see it a lot on TV and in maybe newscast and stuff is sort of dissolve from one slide to another. There’s one that I like that’s called “Cover,” which sort of has one slide come in and lay on top of the next one so it’s like a card that you have on a table and another card laying on top of it. Something a little bit similar is called “Switch,” that has the same sort of effect. The “Cube,” that Tom mentioned, I also sort of like and I could see where if it matched the theme or you could match it to the theme of what you’re talking about, that could be an interesting set of transitions to use. I was talking to one of my colleagues and he liked one of the really busy ones called “Vortex,” which just has your whole screen dissolve into a million squares and swirl around and he thought he wouldn’t use it more than say for one or two transitions in a presentations but thought it might help emphasize a point. And I think that’s the notion for me with transitions, don’t use it for everything but there might be a place where it sort of makes a point. And the other one that I like that i could see used sparingly on transitions is something called “Ripple,” which gives the sense of a drop of water expanding and then turning into the next slide. So I think that you could use these things, especially if they fit your theme or they fit the actual content on the slide – and I would use them really sparingly. If you have 35 slides in your presentations, you definitely don’t want to use every single one of the transitions at once, because it’s really distracting.

Tom Mighell: Well knowing, Dennis, that you have volunteered to do a powerpoint presentation at ABA Techshow, I am now dying to see it and I can’t wait until Techshow to see which transitions, if any, you wind up using in the presentation.

Dennis Kennedy: I’m dealing with Pro so I know that the no transition rule is probably going to be in effect. But I may do the second version that inserts like 25 different transitions just to freak you guys out. So now it’s time for that parting shot, that one tip, website or observation that you can use the second this podcast ends. Tom, take it away.

Tom Mighell: So we are recording this podcast as the South by Southwest conference ends in Austin and if you are in Austin or are following it from afar, there was on technology word that echoed above all others and that was called Meerkat. Meerkat is a new app, it’s kind of the darling of the South by Southwest even though Twitter is doing its best to shut it down. Meerkat allows you – and right now it’s only available on iOS, Android is coming soon – but it allows you to open your phone and livestream on Twitter. So you’ll send a link and say please join my livestream and people can click the link and you can hold a meeting, you can show a presentation, you can just show where you are, and people can join it. And I’m still exploring the potential uses and value of it and I’m not convinced one way or the other but I think that it’s a really interesting technology that we’re seeing. And there are other tools that are going to be coming out and I don’t know if it’s better or worse, it doesn’t save the video. Once you stop livestreaming, it’s gone. So if you have an iOS device, download it on your iPhone, check it out. It’s called Meerkat.

Dennis Kennedy: And it’s always worth remembering that South by Southwest is the place that Twitter broke open at the beginning. So technologies that are hot there are always worth taking a look at. So I have, actually, a product, I think this might have come from the Cool Tools website at some point, but I find that – as all of us do – sometimes you get jars and bottles and stuff and it’s basically impossible to get the lid off and you’re always trying things like banging them on the floor or hitting a spoon against them. But there’s something that I bought and I really, really like called the OXO Good Grips Jar Opener. So this is basically a device with a handle and sort of a V with teeth on one part of it. You snug it against the lid of any size and the V allows it to fit all of these different sizes including, say, a wine bottle. For some reason, lately, the Diet Pepsis in St. Louis, the 28 oz. bottles, the lids are really difficult to get off and it was snugged onto something even that small. And you give it a turn and it totally just opens it and it’s awesome and anybody around you is totally impressed with how you’re able to open jars. Especially if they haven’t been able to open them. So OXO Good Grips Jar Opener I think is about $10 or $15. Once you try it, you’ll totally love it and won’t know how you’ve lived without it.

Tom Mighell: So that wraps it up for this edition of the Kennedy-Mighell Report. Thanks for joining us on the podcast; information on how to get in touch with us, as well as links to all the topics we discussed today, is available on our show notes blog at TKMReport.com. If you like what you hear, please subscribe to our podcast in iTunes or on the Legal Talk Network site. You can get to the archives to all of our previous podcasts in both places as well. If you have a question you want answered or a topic for an upcoming podcast, please email us at [email protected] or send us a tweet. I’m @TomMighell and Dennis is @DennisKennedy. So until the next podcast, I’m Tom Mighell.

Dennis Kennedy: And I’m Dennis Kennedy and you’ve been listening to the Kennedy-Mighell Report, a podcast on legal technology with an internet focus. Help us out by telling a couple of your friends and colleagues about this podcast.
Advertiser: Thanks for listening to the Kennedy-Mighell Report. Check out Dennis and Tom’s book, The Lawyer’s Guide to Collaboration Tools and Technologies: Smart Ways to Work Together. From ABA Books or Amazon. And join us every other week for another edition of the Kennedy-Mighell Report, only on the Legal Talk Network.