Summary: “Shadow IT” is a term used to describe IT solutions and systems created and applied inside companies without their authorization. How can you control the rise of Shadow IT in your business? You must first understand why it happens. Why do users feel the need to circumvent IT in the first place? In this article, we explore a few reasons and share some tips to help you control Shadow IT.
By now, you probably understand the risks of Shadow IT. How can the IT department monitor or secure company data if they don’t even know where it’s stored? How can they avoid security breaches if employees are carrying confidential data around on their personal devices?
Now, the automatic reaction for some IT leaders is full-on war. They want to ban third-party apps, outlaw personal devices, and restrict internet usage. After all, these employees are putting corporate data at risk. They must be stopped! Right?
While I understand the mentality, this is rarely a good approach. Treating users like the bad guys and implementing heavy restrictions will not only waste your time, it will alienate your employees. After all, it doesn’t address the root of the issue: Why are employees bypassing IT in the first place? Do they enjoy breaking the rules? I don’t think so.
If you want to control the rise of Shadow IT in your organization, first understand the cause. Learn why employees feel the need to circumvent IT in the first place…and then you’ll better understand how to control (or even harness) it.
So, why do end users bypass the IT department? What can you do about it? Today, let’s focus on these questions. Here are 7 of the most common reasons why end users bypass the IT department:
1. IT does not offer solutions quicklyThe biggest reason why end users bypass IT departments: Speed. They believe they can get a solution faster on their own.
Now, I understand the dilemma facing IT. Most IT departments are already overworked. Chances are, they’re understaffed as well. Answering every end user request and delivering solutions in a timely manner is likely impossible.
That being said, users now have choices. For instance, suppose a user needs a basic web application from the IT department. For many users, the choice looks like this:
Choice #1: Request a new application from IT, wait around for approval, and then wait around while IT builds the solution. Time required: Weeks.
Choice #2: Bypass IT altogether and use a cloud-based alternative. Time required: Days.
For business users whose salaries are directly tied to their results, which option is more appealing? Which option delivers results faster?
“It’s 2017, and most software solutions are now a web-based, SaaS (Software-As-A-Service) solutions that are Subscription-based Cloud Services hosted by an outside service provider,” says Maria Santagati, Founder of Stratball. “This often proves to be more cost-effective and efficient because businesses can get their software installed, configured, and stood up faster than they could to do this themselves in-house. They also don’t need to hire these resources, train them, pay them benefits, etc.”
“So business users don’t need to wait for IT – they can get the software solution they need quickly and begin realizing the cost-benefits of the solution faster and easier; with the solution returning real value to the business, ROI, and profits.”
Yes, your IT department is probably overworked. But, you must understand that end users will take the path of least resistance. If your IT department can’t deliver the solutions they need (when they need them), give them self-service options to create their own solutions. This gives them what they want, while still giving you control over data and user access.
2. IT and the business do not speak the same language
It’s no secret that IT departments and business users often struggle with communication. Sometimes, it feels like the two sides speak different languages altogether.
Here’s an article from a few years back that highlights why this is such a problem: “Is it any wonder that, lacking a common vocabulary with which to effectively communicate, many IT initiatives fail to deliver what the business really wanted?”
Now, I’m not saying the fault lies with one side or the other. But, this issue helps us understand another reason why end users bypass the IT department. If there’s a communication barrier that results in solutions that don’t meet the user’s needs, is it any wonder that they try another route?
“The less obvious reason for Shadow IT is due to neurodiversity and the vastly different way business and technology people process and interact with the world,” says Tim Goldstein, Neurodiversity Communication Specialist. “From my background in both business and technology I am more aware than most of the great difficulty working with the tech department. Getting them to understand the actual business need is frequently very difficult. Because of the lack of understanding, not only is frustration created, but the work they create will frequently not match the actual way the business works.”
“Lack of Neurodiversity understanding make it a frustrating task with poor social interactions and frustrating convoluted discussion. Easier to just let Mary in the biz department who like doing spreadsheets take on something bigger that will get done, than to deal with the IT department, get frustrated, and still have the same business problem.”
One way to improve communication: Bring both sides together. That could mean anything from changing where the IT staff is located in the office to having more cross-department functions. If you’d like to learn more, here’s a nice article that explains a few more ways to improve communication between both sides.
3. IT is viewed as a barrierIn the past, IT departments controlled technology because it was scarce, and hard for business users to obtain and use. Unfortunately, this created a “culture of no” among many IT departments. These IT departments were more likely to deny user requests than attempt to help solve their problems.
These days, IT departments are no longer the only ones with access to technology. The problem is, some IT departments haven’t received the memo. They still act like they’re the only option. They’re quick to say “No”, and slow to help.
Now, I’m not suggesting that IT departments say “Yes” to every request. I also understand that procedures, processes, and budgets may slow down IT departments attempting to help users.
But, IT must understand that they’re no longer the only option. When the only thing users hear from IT is “No” or “You can’t do that”, they will look for other options.
“End-users opting to bypass the IT department are often frustrated with lengthy bureaucratic processes which – in their view – inhibit progress with significant wait times before any changes can be made,” says Lauren Stafford, Digital Publishing Strategist at Discover CRM. “Even corporate policy devised with the best of intentions becomes outdated very quickly. As such, it’s difficult for any IT department to keep up with the demand of end-users who are used to having autonomy over their technological decisions outside of work. This is compounded by the rise of BYOD practices in the workplace, which promotes a culture of entitlement and self-sufficiency that is sometimes in conflict with restrictive company policy. There’ll always need to be a level of compromise as IT departments adjust to an influx of increasingly tech savvy end-users.”
Take a look at your technology approval procedures. Do they pose a barrier for end users? How long does it take to get a solution? Also, modern IT departments must adopt a “can-do” attitude. Even if they can’t give the user exactly what they want, they must try to understand the problem and help provide a solution.
4. IT lacks the skills
Technology is evolving faster than ever. The problem is, skills aren’t keeping up. Many IT departments lack the skills necessary to deliver modern solutions.
Now, I do understand how tricky this can be for IT departments. They’re overworked and understaffed. They spend most of their time fighting fires. How can they learn new skills when all of their time is spent keeping things running?
While those are valid questions, you must also look at the problem from the other side. What happens when users ask for a solution that the IT department can’t deliver? Or, what if the solution that IT delivers is vastly inferior to third-party solutions? They look for other options.
“While restricting employees’ capabilities, it’s important to understand the requirements, and provide an acceptable alternative that would be secure and appropriate,” says Steve E. Driz, I.S.P., ITCP, Bcomp..| President & Chief Architect at The Driz Group. “IT is often faced with a dilemma since they don’t have enough resources to support new technologies, and the most prevalent issue is that IT staff’s skill sets are not up to date to even understand what’s out there. The reason for that is that they don’t have the time to think about innovation and training when they bogged down in the day to day activities, practically fighting fires.”
Business leaders must take steps to bridge this skills gap. As technology plays an increasingly important role in the modern business, outdated skills become a liability.
But, what if you don’t have the skills to deliver a solution that the business needs, and you don’t have time to learn? Find a solution that solves their problem. Give them something that meets their needs, as well as your security requirements. After all, it’s more secure than asking them to go out and find their own.
5. Users aren’t aware of the policiesIn most cases, employees aren’t practicing Shadow IT maliciously. They’re trying to solve a problem. Most don’t realize the security risks of their actions.
The problem is, many companies take a heavy-handed approach to Shadow IT. They create policies and restrictions, without telling the employees why it’s important. They take an “us-vs-them” mentality.
If you truly want to reduce security risks, educate your users. Make sure your employees understand the risks involved, and why unauthorized tools and software must be avoided. Then, show them how to solve their problems securely, using approved tools and methods.
“For the most part, employees (end users) bypass the IT department and security measures mainly due to two things convenience and ignorance,” says Lindsey Havens, Senior Marketing Manager at PhishLabs. “The majority of the people placing a company’s sensitive data at risk don’t realize that they are doing it. They are going about their day at work, engaging in habits that such as checking their personal emails, shopping online, online banking and paying bills. Needless to say these unauthorized applications pose a risk for data theft by a hacker or data loss by the employee. Within some companies, security checks are put into place to monitor on the job internet activities.”
As mentioned above, preventing Shadow IT often comes down to educating the users on the risks. Many don’t understand how their actions jeopardize company data. Additionally, set up clear processes and policies (if you don’t have them already), and make sure employees know what they are.
6. Users think their issue is too minor
Oftentimes, Shadow IT occurs when users are just trying to help. They don’t want to trouble the IT department with a minor issue, so they try to solve it themselves. Unfortunately, they don’t realize that this could lead to more problems down the road.
The problem is, this often goes unnoticed. How do you know if users believe their issues are too minor, if they never tell you? As mentioned below, an anonymous survey is a great way to uncover these problems.
“We had this problem as well, so we sent out an anonymous survey around the company and we found there were two main reasons that users were bypassing the IT department:
– They felt the issue was too minor.
– They didn’t know the correct process.
The first response was what we’d expected but the second one left us scratching our heads a little bit,” says Job Brown, IT Manager at Roman Blinds Direct. “We don’t have a complicated process, all our employees have to do is send us an email. So what we did was send out an email to everyone, reiterating how simple it was to get IT support and how friendly our team is. In this email we also encouraged everyone to send us a request, no matter how minor. The response we saw was very positive, we managed to solve a lot of issues that our employees were having and they’ve since been a lot more comfortable coming to us with issues.”
The tip mentioned above is a great way to address this issue. Gather information from your users, and then educate them on the proper procedures.
7. Users think they don’t need helpThe level of tech expertise coming into the workplace these days has increased significantly. Employees entering the workforce now have grown up with computers their entire life. If they run across a problem, they’re far more likely to (attempt to) fix it on their own.
Is that a good thing? I guess it depends on the employee and the problem they’re trying to fix…but, it’s important to understand that this happens more often than you realize.
“Another reason being, some employees simply don’t ask IT for help,” says Dodi Glenn, Vice President of Cyber Security for PC Matic. “Instead, they choose to take matters in their own hands. This could be due to the IT staff not being approachable, or the employee simply thinking they can accomplish the task, without help.”
Again, this comes down to education. Make sure all users (even the power users) understand the risks of Shadow IT. Put clear and simple procedures in place, and provide them with (controlled) self-service options.
These are just 7 reasons why end users bypass the IT department, but the list could be much longer. If you would like to add anything to this list, I’d love to hear it. Feel free to share in the comments.