Rather than resist shadow IT, CIOs can work as partners with the departments that are running the applications, keeping company data safe and secure.
Today’s fast-paced work environment finds employees striving to improve efficiency, productivity and communication. In an attempt to excel at work, they often use applications, services, data storage and sharing beyond IT’s approval. This practice — known as shadow IT — is having an obvious impact on technical support teams by undercutting sound governance and reducing operational efficiencies.
According to Gartner, by 2020, one-third of security breaches will be because of shadow IT.
There are five ways, though, that IT can become a trusted ally across an organization and build a plan of action against the security vulnerabilities and unnecessary costs of shadow IT.
Seek out the biggest shadow IT opportunities. Information is knowledge and knowledge is power. Take inventory of who is using what programs across the company. With this information, IT can then assess potential issues and make appropriate changes. Monitor closely to see if any new and unknown tools or applications pop up in regular scans. Depending on results, an enterprise-wide vulnerability scan may be necessary. Network sniffers and security scanning tools can provide detailed information on new and unknown data streams. While monitoring does not remove the threats of shadow IT, it does provide the IT department with better insights and the ability to start risk assessments or research alternative solutions.
Assess security and efficiency risks and provide suitable alternatives. Take advantage of creating an open dialogue with your colleagues — your internal customers — across the company. Listen to their feedback, learn more about the problems they’re trying to solve, and be willing to provide input on which tools may be a security concern, and offer an alternative. I once had a request to review a tool that was already approved and deployed by another department in the organization. In this case, it was a lot easier (and a lot cheaper) to adjust our plan to add a few more licenses than it would have been to initiate a whole new contract.
Encourage employees to come forward with their requirements. Let’s look at supporting teleworkers as an example. If you don’t have an IT-approved way of enabling employees to work remotely, it is almost certain they will find a way to do so on their own. That’s when things get tricky. There is a tendency for IT organizations to not be very open to new requirements needed by employees to do their job. IT should offer a safe haven for those employees and departments to come forth with their requirements and even suggest possible solutions that they would like to see implemented. By working together, IT can then take a look at the programs, determine the risk and offer comparable solutions, where needed, to achieve beneficial outcomes for all.
Vineet Misra, CIO, Lifesize
Become more involved in the application selection process. This truly comes down to trust and relationships. It is important for IT to build a rapport with every department head and meet regularly to discuss their technology strategy. Establishing an open dialogue between departments and the IT organization helps to remove the “us” versus “them” notion and makes technology transparency and potential risks of adopting unapproved technologies less of an issue. Having a seat at the table in the strategic planning stage will reduce most surprises around shadow IT down the road.
Keep in mind that not all shadow IT is bad. It is very possible that not everything you discover when mitigating shadow IT is bad. The tools you discover are truly the voice of the customer, showing you what teams really need to be successful. It may even be that these applications can be beneficial to other departments. Be open to feedback from department heads and work together to have IT be part of the strategic planning for the department and company from the beginning.
The bottom line is that shadow IT doesn’t have to be prevalent if there is open communication between IT and its customers. Employees typically engage in shadow IT because they think it will save time and money by not involving IT in the approval process for the technology they want to use to be more efficient. In reality, going around IT just bypasses the critical management, integration, security, and compliance requirements and the related safeguards they support. While it may take a bit of time, additional due diligence and even a bit of hand-holding make it possible to mitigate the risk of shadow IT and safeguard the security, profitability and efficiency of the entire company.
Vineet Misra is a tech enthusiast leading transformational corporate IT, cloud operations, security and business intelligence programs as CIO at Lifesize. For more than 20 years, his goal has been to enhance the role of IT to be more efficient, strategic and flexible within an organization.