What is shadow IT?
Shadow IT covers a range of issues in enterprises from people connecting unauthorised mobile devices to the company network to department heads making big purchasing decisions about cloud services. What they have in common is that they’re happening without consulting the IT department.
Flexible working is a good thing of course but letting everyone decide what technology to use brings its own problems.
In a world where Bring Your Own Device is increasingly the norm a degree of shadow IT is inevitable for most organisations.
Don’t be fooled that this is just about millennials – it’s just as likely to be a techno-phobe MD who wants to email access on his iPad
Technology vendors say that an ever larger percentage of their sales are now coming from elsewhere in the business than the IT department.
As people use more and more technology in their personal as well as their business lives so they feel qualified to make purchasing decisions which they would once have left to the IT department.
None of this has to be bad news. And you need to think about why it is happening. Sometimes IT departments can be seen as slow, restrictive and unhelpful which leads parts of the organisation to look for other ways to get what they want.
If end users are not happy using the applications you provide then simply trying to stop them using alternatives will not work.
Why should I worry about shadow IT?
There are several ways that shadow IT can cause problems for large organisations.
The first and most glaring is security.
If staff access enterprise email systems on their mobile phones or home computers they can easily provide a possible attack vector for hackers.
A basic premise for securing a network is knowing what is connected to that network.
Equally staff using their own devices might not be keeping your company’s, or your customers’, data safe. That is an issue which regulators are taking increasingly seriously and one for which the IT department will still get the blame in the event of a data loss.
There are strategic and cost implications too.
If individual parts of the business are all buying similar cloud services from different providers there is a good chance they’re all paying more than they need to.
If they’re using free services there might be other risks in terms of data security.
Equally they might well be creating inter-operability issues or problems with other back-up systems which they’re not aware of.
Individual departments will not be taking a strategic view of the services which they’re buying which a central IT department can do.
How can I deal with shadow IT?
The first thing you need to do is to understand why people in your organisation feel the need to go directly to external providers.
What functions are they getting from third parties which your IT department is not offering? This might be a difficult process but to solve the problem means addressing what isn’t being done well enough. This might be a single business application which isn’t doing what those on the front-line need it to do, or it might be a broader issue.
But there are positives too. Shadow IT means people in your organisation are thinking about technology. They might even have found some excellent suppliers or helped speed adoption of a new technology which could have big benefits for the rest of the organisation.
It means that somewhere in that department someone has spent the time to precisely specify what application or service is needed, and found a supplier. Getting that person on side will give you the information you need either to bring that service back in-house or to find the right external provider.
Cloud applications are the biggest driver of shadow IT, so the second way to control shadow IT is to get the right, secure cloud applications in place.
But finally you do need policies in place to make shadow IT safe.
This means educating staff about the dangers of using mobile devices to access corporate services or data and of the risks of insecure cloud services.
If they need mobile access to the corporate network then they need to be trained to do it safely.
Getting back control of all departments external deals might be impossible but at the very least try to get the chance to offer internal alternatives.
Finally you need to explain how you can help with future arrangements and the dangers inherent in every department going it alone.
In the end it is about carrot as much as stick.
Especially if senior staff are involved the only way to stop shadow IT is to offer better services internally.
Providing the services that staff want, in the way that they want them, is the only way to stop them looking for outside help.