Shining a Bright Light on Your Shadow IT

May 27, 2015

Featured article by Colin Lacey, vice president, Enterprise Solutions Product Management for Blue Bell, Penn.-based Unisys

Many companies today struggle to get to grips with their “shadow IT.” Shadow IT refers to applications, devices, and services used within a company but not approved by IT. Sometimes the term is a pejorative, presupposing added risk and cost. It may also be considered a source of future innovation. Most Americans just got an object lesson in shadow IT in the controversy regarding the email server used by the former Secretary of State.

Regardless, shadow IT is one of the many things that keep CIOs awake at night.

According to a Skyhigh Networks study, the average company used 923 cloud services in the last year. That is so high as to be almost ungovernable, and CIOs are diverting scarce resources in an often futile attempt to manage shadow IT. More important, the study speculates that number is probably ten times higher than most organizations might have estimated. In other words, the problem they already think is worrisome is actually much larger and more urgent. As a case in point, Gartner has predicted that chief marketing officers will spend more on IT than CIOs by 2017.

Among the biggest shadow IT worries are the hundreds of cloud services that employees purchase by credit card without any IT oversight. When IT chooses a cloud service, it undergoes extensive scrutiny for security and regulatory compliance. When an individual employee does, they more than likely reflexively click the “I have read and agree…” box, without any awareness of the cloud’s security, data location policies, or support model. This exposes the company to data loss, regulatory breaches, and unplanned service outages among other risks.

So security is the biggest worry, but right behind it is regulatory compliance. How can you attest to the performance of applications you don’t even know you have? And right behind that is cost. Who knows how much duplicative expense is incurred across the enterprise on these one-off purchases? Only the shadow knows.

The challenge is not to eradicate shadow IT but to govern it. It’s already under the radar; you don’t want to drive it underground, you just want to shine some light on it.

First, find it. Discover how large the problem is. That means routinely monitoring the company’s networks to identify new devices. You need to know where they are on the network and what kind of device each one is. It also means routinely scanning your current firewalls to identify cloud services that are being used but not managed by IT. You want to know not only who is using them but also the amount and kind of data they are accessing.

Second, calculate the harm. Not all unofficial applications, devices, and cloud services are equal when it comes to security risk. Identify those that are high risk and throw up tight security to prevent users from accessing them. You know your “crown jewels” – your most valuable data. Make sure that an unprotected public cloud service or SaaS platform cannot expose it. For those that are low risk and heavily used by your employees, look for ways to mitigate your risk before you ban them. Be consistent with your policies. Security is not a respecter of hierarchy. If you determine Dropbox is too risky, then don’t let the CEO use it for board of director packets while denying it to employees in the field.

Third, communicate with your employees – not just about your policies but also about your concerns. If they are heavy users of IT in their personal lives, they have probably downloaded apps of all kinds without experiencing negative repercussions. They are likely to be complacent, some more so than others, as illustrated recently in the Wall Street Journal:

While many millennials said they were contacting their work friends through social media to be social, other millennials said they were contacting co-workers through noncorporate systems because the corporate security controls made their work so inefficient–and they hate bureaucracy wasting their time.

You are NOT complacent, but you want your colleagues on your side, not looking for ways to circumvent what they see as an unnecessary policy that makes their work harder. Communicate clearly which apps will be blocked and what alternatives they can use instead, and give them time to comply before you start blocking them.

Fourth, be quick to respond to business units that request apps or devices that are not on your standard list. Begin compiling and publishing a list of apps that would not create security or compatibility issues if they were to choose them. Make yourself part of the conversation when business units are making these decisions so that you don’t find yourself vetoing their choices late in the game.

Fifth, recognize that shadow IT will roam your networks despite your brightest light. Wrap tight security around your most valuable assets, compartmentalize access strictly on an as-needed basis, and perform routine scans for rogue devices and apps. That way, if – rather when – they infiltrate your network, you can see them immediately, respond quickly, and minimize the harm.

Sixth, remember that shadow IT can be a source of innovation. HR, marketing, operations and finance are bound to be more attuned than IT to new applications in their line of work. Engage them. Empower the lines of business to look for more innovative and effective ways of working, help them test and compare. In this respect, shadow IT, instead of being a CIO nightmare, presents a perfect opportunity to bridge the IT/business gap and form critical partnerships between IT and business leaders.
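The discovery and harm-ranking steps above (who is using unmanaged cloud services, and how much data is going to them) can be sketched over firewall or proxy logs. This is an added example, not code from the article or from Unisys; the log format, the sanctioned-service list, and all hostnames and users are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample firewall/proxy log lines; the key=value format is an assumption.
SAMPLE_LOG = """\
2015-05-20T09:01:12Z user=alice dst=files.approved-crm.example sent=1200 recv=88000
2015-05-20T09:03:40Z user=bob dst=upload.fileshare.example sent=52000000 recv=4100
2015-05-20T09:05:02Z user=carol dst=upload.fileshare.example sent=7300000 recv=900
2015-05-20T09:07:19Z user=bob dst=notes.todo-app.example sent=3000 recv=15000
garbled line without fields
2015-05-20T09:09:55Z user=alice dst=notes.todo-app.example sent=2500 recv=11000
"""
# Hypothetical list of services IT has reviewed and approved (lowercase domains).
SANCTIONED = {"approved-crm.example", "mail.corp.example"}


def is_sanctioned(host, sanctioned=SANCTIONED):
    """True if host equals a sanctioned domain or is a true subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def parse_line(line):
    """Return the fields we need from one log line, or None if it is unusable."""
    fields = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
    try:
        return {"user": fields["user"], "dst": fields["dst"],
                "sent": int(fields["sent"]), "recv": int(fields["recv"])}
    except (KeyError, ValueError):
        return None


def unsanctioned_usage(log_text):
    """Aggregate users and byte counts per destination not managed by IT."""
    usage = defaultdict(lambda: {"users": set(), "sent": 0, "recv": 0})
    skipped = 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep count so gaps in log coverage are visible
            continue
        if is_sanctioned(rec["dst"]):
            continue
        entry = usage[rec["dst"].lower()]
        entry["users"].add(rec["user"])
        entry["sent"] += rec["sent"]
        entry["recv"] += rec["recv"]
    # Largest outbound volume first: data leaving the company is the main concern.
    ranked = sorted(usage.items(), key=lambda kv: kv[1]["sent"], reverse=True)
    return ranked, skipped
```

Calling `unsanctioned_usage(SAMPLE_LOG)` returns the unmanaged services ordered by bytes sent, with the set of users for each, plus the number of lines that could not be parsed.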


Mr. Lacey is vice president, Enterprise Solutions Product Management for Blue Bell, Penn.-based Unisys. He can be reached at colin.lacey@unisys.com.

 
