It’s a growing problem: End users are bypassing the IT department, and opting for third-party, cloud-based solutions instead. How prevalent is this issue? According to a recent survey, 71% of organizations say employees are using apps not sanctioned by IT.Of course, this opens the door for security problems. How can the IT department monitor or secure company data if they don’t even know where it’s stored? How can they avoid security breaches if employees are carrying confidential data around on their personal devices?
How can you address this issue? The automatic reaction for some is full-on war. They want to ban third-party apps, outlaw personal devices, and restrict internet usage. After all, these employees are putting corporate data at risk. They must be stopped! Right?
While I understand the mentality, full-on war is rarely a good approach. Treating users like the bad guys and implementing heavy restrictions will not only waste your time, it will alienate your employees. After all, it doesn’t address the root of the issue: Why are employees bypassing IT in the first place? Do they enjoy breaking the rules? I don’t think so. In fact, I believe they do it because they feel like there’s no other choice.
If you want to control the rise of Shadow IT in your organization, first understand the cause. Learn why employees feel the need to circumvent IT in the first place…and then you’ll better understand how to control (or even harness) it.
So, why do end users bypass the IT department? What can you do about it? To help you answer those questions, we posed them to a few experts in the area, and have compiled their answers below. Here are 7 of the most common reasons why end users bypass the IT department:
1. IT does not deliver solutions quicklyLook, I get it. Most IT departments are already overworked. Answering every end user request and delivering solutions in a timely manner is likely impossible. That being said, users now have choices. For instance, suppose a user needs a basic web app from IT. For many users, the choice looks like this:
Choice #1: Request a new application from IT, wait around for approval, and then wait around while IT builds the solution. Time required: Months.
Choice #2: Bypass IT altogether and use a cloud-based alternative. Time required: Days.
For business users whose salaries are directly tied to their results, which option is more appealing? Which option delivers results faster?
“It only takes someone 15 minutes to download dropbox and install it on their machine,” says Ari Elias-Bachrach, Information Security Consultant with Defensium. “Going through the IT department to get it approved can take months. With the consumerization of technology, people are used to being able to do things quickly and simply, and they get annoyed at being slowed down by the corporate bureaucracy.”
I understand that IT is overworked, but end users will take the path of least resistance. If your IT department can’t deliver the solutions they need, at least set up some self-service options and let end users create their own solutions.
2. IT does not offer the appropriate resources
End users don’t circumvent IT for the sake of beating the system. Oftentimes, they have a need that’s not being met by the IT department, and circumvention is the last resort. For instance, perhaps they want to access data on their smartphone, or just do a little work from home. If the IT department doesn’t offer the resources to meet those needs, users find their own way.
“Users bypass the IT department because the lack of resources within the work environment cause the user to be creative in order to be productive,” says Christopher Burgess, CEO, & President, Prevendra Inc. “This could be taking their work home, or out of the approved environment. For example, lack of a VPN may cause employees to email work to themselves to work at home, or load to a third-party non-approved storage environment.”
3. IT is viewed as a barrier
Sadly, in many companies, IT has developed a “culture of no.” End users feel like IT only gets in the way–like they look for reasons to deny requests rather than try to find solutions. This “technology gatekeeper” mentality may have worked when IT was the only option, but that’s not the case anymore. Now, if IT is viewed as a barrier, end users find their own ways to accomplish their goals.
“In my opinion as an IT Director, the #1 reason people bypass their IT department is that they feel that IT ‘gets in their way’,” says Charlie Leagra, an IT Management Professional. “This could come from a number of reasons – such as an IT group that is not customer-centric, BYOD (bring your own device) policies that make it ‘too hard’ for end users to work with IT, and/or just the sense that ‘IT doesn’t understand exactly what we want to accomplish’.”
“Whichever of the the reasons, the general sense that IT gets in the way is a serious problem, and it’s not just an IT problem, it’s a BUSINESS problem. Much of the root of the issue boils down to leadership. IT leaders need to position their teams as partners to the business. They need to achieve more than the status quo. IT departments need to be aligned with the goals of the organization, and need support from the executive suite to promote the “we’re all in this together” message.”
4. Consumer technology has surpassed business technology
In many companies, the technology and applications that users can access on their own far exceeds what the IT department can deliver. Often, this is a result of a company’s legacy systems and applications. While the IT department would love to give users modern applications, they can’t. They’re tied to outdated legacy systems that don’t work well with modern technology. As a result, end users realize that if they want modern technology, they must go out and get it themselves.
“The most powerful factor propelling users to bypass the IT department is the ease of use of new cloud applications,” says Pat White, CEO of Synata. “The complicated enterprise software platforms of yesteryear could hardly be described as ‘intuitive.’ Traditional enterprise software vendors sold bundled features to the CIO, not the end-user, so great user experience wasn’t a top priority. The same cannot be said today.”
5. IT is handcuffed by outdated policies/processes
“With the evolution of apps, smart devices and external clouds which initially focused on the consumer, these same consumer bring these behaviors and expectations (speed of the download and easy access to apps) into the workplace,” says JJ DiGeronimo, a Technology Executive, Author, Entrepreneur & STEM Advocate. “Getting access to unsupported applications and computers, from your desk, is as easy as buying books these days. Many companies, unfortunately, are handcuffed by their own processes and procedures which was not a problem when IT departments had no real competition. Many end-users wait anywhere from 6-12 weeks to get requested IT resources to move forward in their projects. Some companies the wait time is even longer.”
Modern IT leaders must face a difficult truth: While their processes were implemented with the best of intentions, many of them are outdated. They’re built for a world where IT had no real competition. They’re built for a world where end users were willing to wait weeks or months for solutions, because that was their only option. That’s not the case anymore. Restrictive policies and processes must be re-evaluated and re-worked to reflect modern realities.
“There is a corporate culture of forming policies in a bubble, and then pushing it down to the end user without their input,” says Karsten Johansson, Sr. Information Security Advisor at PENETRATIONTEST.com. “It wasn’t long ago that the corporate policy could mandate that personal computers were not allowed on the corporate network, and that corporate data was not allowed on personal devices. That was also a time when most people didn’t have their own cell phones anyway, and if they did, it was the one given to them by the corporation. Then we got telecommuting, which already blurs that line significantly.”
“Now home users routinely carry around computers that are at least as powerful, if not more so, than what is on offer at work. The response from policy makers is to allow those devices for certain things, but not others. However, without active engagement with the users, a feeling of entitlement results. They’re allowed to use these devices, so why should they not also be allowed to answer personal emails the very moment they arrive? There is a disconnect between management and users in regards to their own devices, which are clearly out of scope in the corporate sense.”
“The younger generations don’t see what they are doing as any different than what is expected of them. They see a corporate policy that is at odds with reality, and simply ignore it where it becomes confusing or inconvenient.”
6. They aren’t sure what to do
Am I saying that processes are bad? Not at all. In fact, a lack of proper processes and procedures often results in the same problems as those caused by outdated processes and procedures. Without clear, concise procedures in place, employees will become confused. If employees aren’t sure how to get solutions from the IT department, many will simply find their own way.
“Very often, the disconnect originates when there are no established procedures or processes in place for people to follow when looking to solve a particular business problem with a new or modified technology,” says Jim Kemp, Communications Manager, ColumbiaSoft. “Left without clear guidelines, people will begin looking for solutions on their own. We recommend end-users communicate with their IT department right away, and bring their own internal expert resources into the conversation as soon as possible.”
7. Users feel like they don’t need help
The level of tech expertise coming into the workplace these days has increased significantly. Employees entering the workforce now have grown up with computers their entire life. If they run across a problem, they’re far more likely to (attempt to) fix it on their own. Is that a good thing? I guess it depends on the employee and the problem they’re trying to fix…but, it’s important to understand that this happens more often than you realize.
“The most common reason end users circumvent IT is because they have a deliverable or workload which requires an immediate response and they have a level of tech savvy which doesn’t lend itself to needing help,” explains Penelope Baker, Director of Managed Services at Precision IT. “Today’s workforce is very different than that of just 20 years ago – when the average employee had to learn to use computers for work, rather than growing up with one which was as common to the household experience as the refrigerator or a light switch. When these employees need to do something, and they need to do it now, they simply can (and will). The level of knowledge and empowerment available to the common man with a simple Google search is stunning; functional business IT is no longer an esoteric mystical thing, it’s just the light switch.”
What can IT departments do about this?
So, now that we understand some of the most common reasons why end users bypass IT, let’s focus on the most important question: What can IT do about this? Are there cases that require imposing restrictions? Of course. However, your first goal should be harnessing its power. How can you use this trend to your advantage? Here are three ideas:
1. Become an enablerRather than trying to keep these consumer apps and technology out of the business, focus on helping employees use them in a secure manner. This may involve proper education, or giving employees ways to use the apps they want in a secure manner, as explained in the example below.
“I spoke with an IT manager at an enterprise company recently who is approaching this situation in a really smart way,” said White. “She said that rather than allow for a bunch of tools they don’t have a handle on, they’ve provisioned every app employees might want to use. This includes competitive solutions, like Box *and* Dropbox for Teams. There’s no need for employees to look for tools outside the toolbox they control, but users can still have access to the cloud apps they know and love. IT’s new role is to develop security
measures that help rather than hinder employees.”
2. Re-work restrictive policies
Examine the processes and policies end users must go through to provision technology. Re-work those restrictive policies that make working with the IT department difficult. End users must have a clear, simple path to get the technology they require through the IT organization.
“Companies, especially ones that have HIPPA concerns (or related regulatory concerns) are looking for ways to stop the IT drain and re-secure their data,” says DiGeronimo. “Many are creating cloud offerings for a small subsets of data and groups (often developers) to minimize leakage. Many of these companies have learned that this means creating new processes and procedure and reskilling IT staff to behave as an intern service provider.”
“Eventually, most IT departments will be focused on managing and delivering data based on SLA and not boxes/wires. Their data will likely be spread across internal and external clouds based on the type of data and its security needs and SLA will become key indicators to their success.”
3. Implement controlled, self-service options
As mentioned above, many IT departments are already overworked. Finding additional time to meet end user demands can be an impossibility. In these instances, you must give end users a way to securely create their own solutions.
“The reality is that in most organizations, IT resources are already maxed out and thus the answer for most business requests is an automatic ‘NO’,” says Tyler Wassell, Software Development Manager at mrc. “In this type of environment, the adoption of self-service reporting and application development tools can discourage end users from circumventing IT. The right development solution will allow IT to maintain control over applications and data while giving business units the ability to meet their own application needs.”
So, what do you think? Are there any other reasons that end users bypass the IT department? Are there any other ways to address this issue? I’d love to hear your thoughts in the comments.