Dealing with Shadow IT – Be Nice

Shadow IT is the technology used by staff and executives who are provisioning their own applications to meet their own IT needs. Most CIOs underestimate the number of IT applications being accessed by business units and individuals within their organizations. Cisco estimates that CIOs underrate shadow applications by a factor of 15-22 times.

In recent years, heads of business units have become the major users of shadow IT. Line-of-business (LoB) sourced technologies are usually introduced to solve a specific business problem. Business units have an objective they must reach, and they source solutions on (usually) cloud-based platforms.

Formal IT is aware of the BYOD (bring your own device) trend and has generally reconciled the phenomenon. What is often not accommodated are cloud-based applications such as file sharing and backup sites, or collaboration tools used by individuals and teams to improve their productivity. User files are often stored off-site and are shared with individuals and teams with little appreciation of the security, privacy, and compliance issues.

The problem for the organization and for IT specifically is that most shadow IT applications are unsupported in-house, and they are not integrated with the organization’s established systems. Shadow IT data are not available to the rest of the organization, and importantly are not supported by back-office IT processes such as disaster recovery and so on. There are also increased security and compliance risks. Finally, shadow IT bypasses formal IT procurement processes, which require, business cases, dependency mapping, and architectural input.

The problem arises because IT is often seen as slow to provide solutions, and when they do, there are all sorts of hoops that the business user has to jump through – because of governance, DR, and all those boring things that IT has to think about. So when executives and individuals are faced with IT rigor, it is easier for them to find and install solutions from outside the formal IT net.

So here’s how to manage Shadow IT:

CIOs should not ban shadow IT but rather create an environment and tool-set that makes it practical and easy for executives to use formal IT instead of looking elsewhere for their technology solutions.

CIOs can accommodate the need for shadow IT by implementing a range of initiatives:

• IT should identify shadow IT in the organization where it can. Cloud discovery products should be used either as standalone products or as part of other IT management and security tools. Also, the log data from current firewalls, proxies, security information, and event management, and mobile data management products can identify the cloud services being used outside of IT’s purview. The data gathered will indicate which services are being used, who uses them and how often, how much data is uploaded and downloaded, and the source and destination of this data.
• Not all shadow services and solutions are risky for the organization. Allow those that aren’t, to continue, but let the users know that you are aware of them and offer information and advice for the secure and compliant use of the solution.
• Show understanding and support: It is counterproductive to penalize shadow IT users; they are usually merely trying to help themselves where they think IT cannot help them. Offer understanding to users of shadow IT and then offer support in line with your lower-risk alternatives.
• CIOs know that most collaboration, file synchronization, and transfer, and backup tools have corporate versions that combine user functionality with corporate visibility and policy. They should investigate and introduce the corporate version of individual tools.
• Introduce an integration platform as a service (iPaaS) that allows staff to connect systems and data in a non-technical way, usually through drag-and-drop interfaces. Naturally, the iPaaS must be inside the organization’s security perimeter and must allow for monitoring and control from IT.
• Organizational users expect access to data across locations and devices. Ensure that mobile access to IT-controlled data is available via Android and iOS devices.
• Introduce a low-code or no-code development platform that allows managers and executives to solve their business problems themselves, again within the organization’s perimeter.
• Set up a shadow IT team that shows understanding to users and helps them solve their business and productivity issues using approved IT tools and applications. Set up a portal that offers advice on technologies and solutions and allows users to rate these according to their experience.
• Run an information campaign on the potential risks of standalone spreadsheets. Provide cloud-based spreadsheet tools that allow for collaboration and integration. Data may then be imported from spreadsheets to a corporate database.

The longer one resists a trend, the harder it is to deal with later, and the more significant the impacts. So deal with shadow IT now – but be kind. Being officious would only deepen shadow IT.

Takeouts:

Shadow IT is a growing phenomenon

Heads of business units are often the major users of shadow IT

Shadow IT data are not available to the rest of the organization

IT is often seen as slow to provide solutions

Being officious only deepens shadow IT

Author  – Barbi Goldblatt –  Regional Executive