How A ‘Non-IT Guy’ Improved Origin Energy With Shadow IT

How A ‘Non-IT Guy’ Improved Origin Energy With Shadow IT

Origin is one of the biggest energy providers in Australia. Like many other large organisations, it can be bogged down by bureaucracy and inflexibility. But that didn’t stop one employee from conducting ‘black ops’ projects that would contribute to the development of new products and capabilities.

Hand shadow picture from Shutterstock

James Moor is the group manager for market risk at Origin Energy and he admits that he’s not an IT guy. His background is in engineering and finance. What Moor does know is data and he was keen to find a better way for Origin Energy to deliver gas to customers. Origin had a wealth of data on its customer’s energy usage and he knew data analytics had the potential to bring business insights that could help develop new commercial offerings.

Moor wanted to use AWS public cloud service to run a few data analytics test projects. Unfortunately, at the time, AWS was not an authorised IT provider for Origin Energy.

He could have scoped out the IT requirements and the cost, put it all in a neat proposal for approval for his data analytics experiments, but he didn’t fancy going through that cumbersome process just so he can run a few tests.

Without funding and without the blessing of Origin’s IT department, Moor decided to take matters into his own hands. He went ahead and procured AWS services with a suite of data analytics tools and billed it on his corporate credit card. It was a clandestine affair for Moor and his small team. [Update: Origin has confirmed that only dummy data was used. The team did not use customer data.]

Speaking at AWS Summit 2016 in Sydney, Moor recounted the time when access to AWS was blocked on the corporate network so he continued his data analytics in the cloud test project using the free WiFi across the road from Origin’s office before moving on to another way to get an internet connection.

“We did graduate to something more sensible; a wireless dongle from Officeworks,” he said.

Moor’s team continued to experiment with data analytics on AWS to create fast proof-of-concepts for offerings that benefited from the insights that were being generated. Origin have since ran around six data analytics project on AWS internally.

Shadow IT is generally frowned upon by organisations but one of the major reason it exists is because IT departments are unable to satisfy the needs of employees. Larger companies also tend to have cumbersome approval processes even for small projects which can be a drag when you’re trying to be agile and stay ahead of the competition.

Moor does believe that bigger projects should be scoped out properly and go through the proper procedures within an organisation but thinks there’s no harm in running a few small projects on the side, especially when it’s in the cloud. You may not even know what the end goal for that project is before you start, but the whole idea is to build a culture of experimentation and innovation by providing easily accessible tools and resources for staff to try new things.

“The thing is, in the cloud you can fail fast and fail cheaply,” he said at an AWS Summit media panel. “When you can do things so cheap, quick and easy, you don’t have to bother with the vision. You can just jump in and try.

“Sure you can go through the traditional IT mechanisms, put together a scoping document and run through the costs and explain what you want to achieve from a small project, but I’m going to stick it in the cloud and see what happens first.

“… You can’t know what you’re trying to do before you’ve done it.”

What are your thoughts on Moor’s attitude towards Shadow IT? Let us know in the comments.


  • I’m not sure this is a shining example of behaviour that should be emulated. There’s an important point that Corporate IT needs to come to the table to assist with rapid prototyping and so on, but taking matters into your own hands like this is asking for trouble.

    “James Moor is the group manager for market risk at Origin Energy and he admits that he’s not an IT guy.” Or a security guy. He’s an engineer that’s rubbed up against a computer a couple of times and is now more than qualified to do his own thing.

    • Origin’s IT is run and managed by HP. The service provided is the absolute worst I have seen in any organisation (I have suffered first hand). Origin IT (and much of Origin for that matter) as a whole is the most dysfunctional organisation I have seen.

      While I can certainly appreciate Mr Moor’s frustration, what concerns me more is that he moved customer data overseas potentially without the customers being aware or at least having the opportunity to acknowledge their data being moved. Potentially a huge kick in the guts to Australian Privacy.

  • So without the company’s knowledge, he sent a huge volume of customer data overseas using a free public (ie potential/likely virus-laden) WiFi? Good to know Origin doesn’t care about data security! Time to change providers…

    • Agreed. That was my first thought too. If a lesser employee did this they would be sacked. Working in big business is pretty much about covering your backside. Want to be nimble and smart? Work for a smaller operation.

  • Good on you James! Out with the old and in with the new! Show them how’s done 🙂

  • Shadow IT, like piracy, is a distribution problem. IT Department’s can be under-staffed to provide for such projects as they only have enough staff for day to day administration and support, or they’re inhibitors to progress that they didn’t initiate.

    As Thomas said, if he was putting a heap of company data into the cloud without authorisation, then that’s a problem, but it depends on the extent and what the company policies are. It sounds as if he was using it as a proof-of-concept, which would only require a subset of the data.

    The people that have a need are always going to be more passionate and therefore wilful in regards to getting a result than the IT staff, who are there for expertise and support, not for driving force.

    To get IT on board you need to proof-of-concept your proof-of-concept and convince the people that pull the IT Department’s strings. Shadow IT can shortcut this tedious process.

    • To get IT on board you need to proof-of-concept your proof-of-concept and convince the people that pull the IT Department’s strings.

      From what I understand at Origin, what your asking would take at least 12 months without a push from a director.

  • Well where do you start with this……… first a major Australian company has little to no IT security. They slopped up to the Cloud (with no agreements on what happens to the data after they are done probably onsold now six times) a large section of customer data (hopefully no credit cards numbers or meta data or security keys or routing info or or or or )…..i think the health system is slow and painful but i dont don the white coat and operate people.

    Whats scary is someone with no IT background no IT or security understanding could even get there hands on the data to start with and then to use coffee shop WIFI. This has got to be the worst breach of security i have heard of and to think he even had the stupidity to then speak at a conference. Origin ‘my god’ sack him and tighten the whole place up.

  • Wow, quite a bit here that is out of context – I was in the audience at this event and it was 100% clear that this guy did some POCs to show the business the possibilities and then went and got all the approvals to build a set of commercially backed projects to move to AWS.

    Sack him?? Promote the guy and sack the people who were getting in his way to begin with!

    • But didn’t he have to take the data himself and push it to AWS to prove the possibilities? Then it’s a case of begging for forgiveness rather than permission.

  • Hi guys,

    I had mentioned already in the article that Moor was running tests on data analytics and developing proof-of-concepts in AWS. He didn’t explicitly state that he used customer data so that was not included in the article.

    I did follow up with Origin Energy about the data that was used and a spokesperson has confirmed that it wasn’t customer data. According to the spokesperson, it was all dummy data. I have added this in the article. Hope this helps to clear things up.

    It is interesting to see everybody’s thoughts on Shadow IT. It would seem opinions are quite divided on this topic.



    • For someone so intent on getting something done without IT involvement, I seriously doubt he had the insight, skill or intent required to:

      – create a large dataset of test data that would be meaningful in an experiment.


      – take real data and remove all private and confidential information before using it.

      Either way, if he connected a company machine to a free Wi-Fi hotspot then he risked getting his machine, or the company network, compromised by virus, malware or hacks. If so, then this is inexcusable and the end does not justify the means.

      If IT didn’t know about this, then how can he be sure there wasn’t anything compromising in the data?

      Do we know if he used his personal PC at work for this?

      Is he still using his Office works Wi-Fi dongle at work?

  • I’m a bit conflicted about this as I come from the IT department background. Having said that, Many times users are their own worst enemies when it comes to getting equipment and projects in a timely manner, simply because they assume that the IT department is going to drop everything and work on their project. Sorry to let you know this but like many departments in large organisations, the IT department is driven to be run as cheaply as possible. That means that to free up staff and resources, it can take significant planning and reshuffling of priorities. Assuming that an email to the IT manager on Friday is going to ensure that there is equipment for a new user on Monday is a bit naive, or extremely rude depending on how often it happens. Something like this could easily be done as a side project for the it staff that are interested in getting experience in the cloud services area.
    As the group manager for market Risk, I would have thought that he would be a bit more aware of the dangers of the data being released in the wild without correct security protocols. Market risk comes from a number of vectors and as many companies will attest, a data leak is guaranteed to get you bad publicity.
    Having been in both camps, I can tell you that if it all goes ok then you get a pat on the head and told thank you, but if something goes wrong, then you can expect your marching orders and lots of “I told you so”.

  • You guys do realise that no data has to leave Australia, right? AWS Sydney region? Anyone? If you argue about security in public cloud, you’re a retard. Go read a book or three.

  • I think you will find was encrypts data , on the move and at rest. Anyone should not forget that IT is about the business if it can deliver what the business needs….

Show more comments

Comments are closed.

Log in to comment on this story!