Summary: Shadow IT–a term used to describe unapproved IT systems and solutions used inside organizations–is growing rapidly. Why is it such a problem? When left unchecked, “Shadow IT” can hurt your business in 3 important ways. In this article, you’ll learn how it can harm your company, along with five steps to address the issue.
It’s a growing problem. “Shadow IT” runs rampant in companies across the globe–often without the IT department’s knowledge.
What is “Shadow IT?” It’s a term used to describe unapproved IT systems and solutions used inside organizations.
Why is it a problem? It takes company data outside of the IT department’s control. If employees (or entire departments) purchase and use third-party solutions, IT has no way of managing and securing that data. This often puts sensitive data at risk.
For instance, the IT department may avoid a specific cloud solution because it’s not secure. But, what happens when an employee starts using this cloud solution without IT’s knowledge? They place company data at risk.
Another problem: “Shadow IT” wastes money. When employees license software without communicating with the rest of the business, there’s bound to be overlap. Different departments might purchase the same software, or license software that the company has already licensed.
Yet another problem with “Shadow IT”: It harms data visibility. IT departments already struggle to integrate multiple business systems and provide users with a clear view of their data. Now, imagine what happens when every department uses a different piece of software–unbeknownst to the IT department. Data visibility is nearly impossible.
So, we know why “Shadow IT” is a problem. But, what can you do about it? How can you deal with “Shadow IT” in your organization? Here are 5 steps you can take to address this issue:
1. Understand the extent of the issue
The first step to fixing any issue: Acknowledge you have a problem. The problem is, understanding your Shadow IT problem isn’t easy because it’s performed in secret.
How widespread is it? Unsurprisingly, it’s hard to quantify. Shadow IT statistics are all over the board. I’ve seen surveys placing Shadow IT usage anywhere from 30-61%.
The fact is, Shadow IT exists in most companies whether IT knows it or not. How can you know how widespread the problem is? It’s a two-step process:
First, start with a survey of your employees. Ask them what software they’ve been using, but reassure them that they are not in trouble. Rather, explain that it’s important for saving money and securing the network. You’ll be surprised at how much information your users will offer when asked.
Second, take a look at your network traffic. As explained below, this will help you understand what services are being used and how often they’re accessed.
“The first step is learning what is being used by which users,” says Richard Swaisgood, Senior Solutions Architect at Managed Solution. “This can be accomplished by utilizing your perimeter infrastructure (firewalls etc) to keep track of what your users are connecting to and how much they are using them. I highly recommend upgrading your existing perimeter infrastructure to Web-enabled to get even more data on what is being used, products like Cisco IronPort WSA or Forcepoint Web Security. For the users that are not protected by your perimeter infrastructure, you can utilize per machine agents to collect these logs and get additional data.”
2. Understand why it’s happeningMany businesses make it through the first step (acknowledging the problem) just fine, but fail at this step. Once they understand that users are bypassing the IT department, it’s treated as an “Us vs. Them” problem. The users are putting data at risk and must be stopped!
While a legitimate concern, this approach won’t solve your problem.
If you want to manage Shadow IT, you must first understand why users feel the need to bypass IT in the first place. Is IT moving too slow? Do they not have access to the right applications or data? This is an essential step, and as explained below, one that should be addressed with care.
“The specific reasons that employees and business organizations turn to or create their own shadow IT groups or technologies are many,” says Alan Zucker, Founding Principal of Project Management Essentials LLC. “But, the core is always the same: the formal IT organization is not meeting their needs. This usually comes down to IT not being quick enough or flexible enough.”
“Often IT organizations consider shadow operations as an affront. Their immediate reaction is “how do I shut that down.” Instead they should approach this as a customer service learning opportunity. Rather than coming in with the heavy hand, ask why? Why is the non-technology or business organization creating its shadow IT group? What are they not receiving from IT? How can IT better deliver on these needs?”
3. Set up proper education and communicationChances are, employees aren’t behaving maliciously when they go behind the IT department’s back and obtain third-party solutions. They’re simply trying to solve a problem. Or, they might not realize that their actions can compromise company data.
In most cases, users are just trying to do their job. They view Shadow IT as the fastest route. But, they don’t consider the security risks because they don’t realize the risks exist. Or, they don’t realize they’re breaking company policies because they don’t realize those policies exist.
This is one of the most common reasons why employees adopt Shadow IT in the first place. As explained below, setting up clear policies and educating your users about potential risks is a major step towards prevention.
“The key to preventing the inevitable battle between employees and IT/executives is proper education and communication,” says Justin Shelley, CEO of Master Computing. “It starts with an adequate and up to date AUP (Acceptable Use Policy). All employees should read, understand, and agree to this policy before they are ever given access to company-owned technology.”
“It continues with regularly updating the AUP as technology evolves. With each update comes proper education and communication with all staff members affected by the policy. It is all too common, when I ask to see a client’s or prospect’s AUP, to have them dust off a document that was written nearly a decade ago. Bad form! (See what I did there?)”
4. Change from “technology gatekeeper” to “technology partner”
In the past, the IT department performed the duties of a technology “gatekeeper.” They controlled technology because it was scarce, and hard for business users to obtain and use.
Unfortunately, this created what many describe as a “culture of no” among IT departments. These IT departments were more likely to deny user requests than attempt to help solve their problems.
Those days are gone. IT departments aren’t the only ones with access to technology, but many still behave as though they are. In today’s world of easily accessible technology, IT departments must change their approach. Rather than trying to keep all outside technology out of the business, focus on helping employees address their needs in a secure manner.
“One of the most common ways to tackle shadow IT is by having clear and stringent policies. But is this really sufficient? Not really,” explains Natasha Orme, Editor of Insights for Professionals. “And tackling this issue doesn’t need to be complicated. IT leaders need to stop imposing top-down demands on other departments, and should instead look for a more collaborative approach to IT procurement, where they work closely with other departments to determine what their specific needs are and find the perfect solution. This approach is important as it still allows employees to identify the most appropriate tools that work best for them, while leaning towards IT professionals for issues surrounding contract negotiations and determining whether the solution can be integrated within IT’s current infrastructure.”
5. Give users secure, self-service optionsOn the other side of the coin, many will argue that the IT department has no choice but to act as the “technology gatekeeper.” Giving users too much freedom and control only sets the company up for a data breach.
Besides, most IT departments are already overworked. How can they manage their day-to-day activities, while monitoring software usage on a per-user (or per-department) level?
The answer lies in data control. The central strategy of the CIO or IT leader should be to ensure data is available where required, but access is secure and traceable.
The big question: How can IT departments control the data, while giving their users access to the tools and software they need? I’ve seen this problem addressed in a couple of ways:
The “approved software” list
This method involves giving users access to tools approved by the IT department. Of course, this is only possible through clear communication between the IT department and the users. The IT department must understand the business user’s needs, and provide access to the necessary tools.
With this approach, the IT department locks down the data and gives users access to self-service development tools. The users can build the necessary applications over that data, without placing the data at risk. In this way, IT still maintains control over the business data, while giving business units the ability to meet their own needs.
These are just a few ways to deal with Shadow IT, but there are plenty more. If you would like to add anything to this list, I’d love to hear it. Feel free to share in the comments.