Shadow IT is now a firmly entrenched reality for most businesses. Gartner estimates that shadow IT accounts for 30% to 40% of IT spending in large enterprises, and a 2016 survey by NTT Communications found 83% of IT professionals reporting that employees stored company data on unsanctioned cloud services.
For IT leaders, shadow IT is both a blessing and a curse. On the positive side, it shows that users are actively engaged in technology and are willing to put some of their budget dollars into technology investments. It becomes problematic when hardware and systems are brought on board without anyone centrally administering them for security, or tracking them to ensure that all company technology assets are accounted for.
What can IT leaders do to assure a win-win for the company, the users and the IT department?
1. Develop a win-win strategy for shadow IT
Many IT leaders I meet with have a dim view of users going out on their own to buy software and hardware that they don't know enough about. “It’s a headache,” one CIO colleague confided to me.
Shadow IT can be a headache for IT, which ultimately must “pick up the pieces” by managing neglected vendor relationships, effecting integration with other systems, and keeping track of all of the company’s technology assets. But shadow IT isn't going to go away. What CIOs can do is to develop new strategies for working collaboratively and cooperatively with users.
One strategy is to proactively participate with users, meeting with them at least quarterly to see where they are experiencing business pain points that technology can address. This provides an opportunity to ask users which types of systems they would like to see in place that can help the business. In many cases the IT budget is limited, so it can work to everyone’s advantage if a user can find money in his/her budget to fund a new technology.
IT can also develop a better service culture. This includes the deployment of IT business analysts who understand the business and can empathize with users. If users feel that someone is truly in their corner as an advocate, and not just trying to defend IT “territory,” they will be more likely to view IT as a business partner.
2. Track and monitor your technology assets
Automated asset tracking software can be deployed on your networks to immediately detect any new IT systems, servers, software and devices as they connect -- no matter where they reside. By discovering new technology assets as they come onboard, you can log these assets and visit the user areas that are implementing them.
It is also a best practice for corporate IT to visit with user areas on an annual basis to review technology asset inventories, to ensure that all new technology assets are on an enterprise master technology asset list, and to assess the life stage of each asset for purposes of future planning.
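The reconciliation step described above, as an added example that is not from the original article: network discovery events are compared against the enterprise master asset list to surface devices nobody has logged, plus listed assets that never showed up. The event format, inventory contents and function names are assumptions made for illustration, and all sample data is constructed.

```python
import re
from datetime import datetime

# Constructed master asset list keyed by normalized MAC address (not real data).
MASTER_INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"name": "fin-laptop-01", "owner": "Finance"},
    "00:1a:2b:3c:4d:5f": {"name": "hr-printer-02", "owner": "HR"},
    "00:1a:2b:3c:4d:60": {"name": "mkt-nas-01", "owner": "Marketing"},
}

# Constructed discovery events in a hypothetical "timestamp mac ip hostname" format.
SAMPLE_EVENTS = """\
2024-03-01T08:02:11 00-1A-2B-3C-4D-5E 10.0.4.21 fin-laptop-01
2024-03-01T08:15:40 AA:BB:CC:00:11:22 10.0.7.90 survey-appliance
2024-03-01T09:30:02 aabb.cc00.1122 10.0.7.90 survey-appliance
2024-03-02T10:01:55 00:1a:2b:3c:4d:5f 10.0.5.14 hr-printer-02
2024-03-02T11:47:09 DE:AD:BE:EF:00:01 10.0.7.93 -
not a valid line
"""

def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[:\-.]", "", raw)  # tools disagree on separators
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2].lower() for i in range(0, 12, 2))

def reconcile(events_text, inventory):
    """Return (unknown assets seen on the network, inventory MACs never seen)."""
    unknown, seen = {}, set()
    for line in events_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines that do not start with a timestamp
        mac = normalize_mac(parts[1])
        if mac is None:
            continue
        if mac in inventory:
            seen.add(mac)
            continue
        # Not on the master list: keep first/last sighting and addresses used.
        rec = unknown.setdefault(mac, {"first_seen": ts, "last_seen": ts, "ips": set()})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["ips"].add(parts[2])
    return unknown, sorted(set(inventory) - seen)
```

The second return value lists inventory entries that never appeared during the discovery window, which is useful input for the annual inventory review. Devices that randomize their MAC address will show up as several unknown entries, so a MAC match alone should not be treated as proof of identity.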
3. Implement zero-trust networks
Gartner predicts that by 2020, one-third of all successful security attacks on companies will come through shadow IT systems and resources.
Ultimately, it is corporate IT that is responsible for enterprise-wide security. But security is difficult to enforce if users are installing technology in various places and you can't tell if it's properly secured.
One approach to the problem is to implement a zero-trust network that requires users to abide by corporate security rules.
A zero-trust network does not allow a user to access the network until all security criteria, predefined by IT and business management, have been met. The intelligence built into zero-trust networks immediately detects if traffic is moving through the network in an unusual or unexpected way. Digital identity and access permissions are strictly enforced.
“These networks are an excellent edge technology that makes up for the fact that compute at the edges of enterprises must by necessity be remotely managed, and not by IT,” said Ben Goodman, vice president of global strategy and innovation at security company ForgeRock.
4. Focus on integration and data management
Frustrated with IT backlogs, users might go off and buy their own systems. But everyone agrees that eventually systems should be integrated to share information and achieve more efficient workflows throughout the company.
IT is tasked with pulling together all of the data from diverse systems into a single data repository that users from everywhere can use for analytics. In this way the company can be sure that everyone is using (or querying) the same data, and that everyone is going to get a “single version of the truth.”
CEOs and CIOs have compelling reasons to demand data and technology integration and data uniformity. These are best achieved when IT is informed early in the product evaluation process so the new technology can be evaluated for its integration potential with other systems. If CIOs clearly articulate this necessity to executive teams, they will get more support for IT involvement in early stages of technology evaluation.
5. Assume responsibility for vendor relationships
A common refrain I hear from IT is, "We don't have to assume responsibility for managing vendors that were brought in by users."
Vendor management is not an area that users are skilled in. Instead, users focus on their daily business processes. Once a technology is implemented, these users fail to track contracts, vendor SLAs or other critical terms in vendor agreements. They will make a phone call to a vendor when they have an application question, but if the system really goes down or experiences a serious production issue, they pick up the phone and call IT.
Consequently, IT almost always is the recipient of vendor contracts and relationship management.
When these tasks get turned over to your team, accept them. It is the only way that your company can be assured that the technology systems and vendors it contracts with will be managed by people for whom vendor management is a core competency.
In the end, IT almost always inherits shadow IT systems and vendors, even if users subscribe to them, because SLAs must be monitored and system problems must be resolved.
Picking up these responsibilities helps the IT department have an element of control over shadow IT and the ability to ensure that it is working well with other IT systems that the company uses. Technology detection software and zero-trust networks can also help to identify new technology deployments and ensure that proper security protocols are being followed throughout the company.
The best approach of all is to proactively reach out to your users on a regular basis. This should be done by the CIO and IT staff who have strong interpersonal skills and business savvy as well as technical background. When IT forms a trusting and collaborative relationship with users, everyone benefits. Shadow IT can actually become a productive driving force within your company, with users joining forces with IT to shepherd in new technologies that help the business.