Shadow IT or what is sometimes referred to as Stealth IT is the use of information technology systems and software without the explicit approval of the organization that they are used in. Since in many organizations the IT department is responsible for approving and implementing new technologies, Shadow IT becomes an issue for IT Leadership, namely the CIO. The increase in cloud computing and the proliferation of Software-As-A-Service (SaaS) applications has made it increasingly difficult for IT departments to manage and keep track of what software is in use in the organization. Any department manager or team lead with a budget and a credit card can find a cloud based solution that solves a particular business need and voila! – The organization has just implemented a new system. However, why should an organization and its IT leadership care if line of business departments now manage some of their own IT needs? Here are a few reasons.
Compliance and Data Security
The flow of data and information has become increasingly regulated. Data compliance with regulatory initiatives such as Sarbanes-Oxley, HIPPA, PCI, and the EU Data Protection Directive has become a standard part of IT operations in many organizations. By bypassing any central internal auditing of information flow, an organization is put at risk. There are clear ways however, to prevent and monitor what company data is store in a cloud service, traditionally it is the IT department’s to implement such controls.
Lack of Broader Integration
When IT Business Analysts and IT Project Managers are unaware of the existence of “secret” applications, they may miss an opportunity to integrate such applications into other systems within the organizations. Integrating information across different data systems help to create a richer user experience, more business data analytic opportunities, and provides better workflows to automated business processes. Such missed opportunities can also affect the completeness of business intelligence (BI) dashboards and big data initiatives within the organization.
Inefficient Use of Time and Resources
Shadow-IT can contribute to a lack of productivity for non-IT staff who now have to troubleshoot, manage and maintain an information technology system, thus taking their focus off of their primary skill whether that be finance, marketing or HR. Additionally in larger organizations multiple isolated iterations of the same software product could prevent the organizations from realizing potential price breaks or even put them at risk legally by under licensing products usage.
What can a CIO or other IT leaders do to maintain control of the IT initiatives throughout the organization? Here are 5 suggestions that can be used to manage and stay on top of Shadow IT in the enterprise.
1. Initiate a Cloud Software Audit
There are several ways to perform an in-depth audit of any cloud services currently in use within your organization. Many CIOs and IT Directors are shocked when they find out that the number of Shadow SAAS applications in use in their organization is 5-10 times more than they would have guessed. Some organizations believe that they are not ready for the cloud due to security, compliance or some other reason, yet they may be surprised to find out that they are already in the cloud. If your organization has not yet audited its current cloud usage, then it may be time to initiate this internally or find a service provider to assist you.
2. Policies and Procedures
Many Shadow IT initiatives have come about simply because the initiator was unaware of or there was a lack of clear guidance. If your IT department has published guidelines and policies for your organization’s users, it may be time to review them to see if they need to be updated to include specific policies for the procurement and usage of SAAS and cloud-based services. If no IT policies are currently in place perhaps it’s time to work with executive management to develop some.
3. Drive IT-Business Alignment
When the business goals and objectives of the organization closely correspond with the efforts and the initiatives of the IT department, then true IT-Business alignment is in place. The problem is this is seldom seen. When the CIO and IT leadership drives and fosters a strong understanding of the business needs of the individual departments and creates opportunities for open communication between IT staff and line of business departmental managers, then the organization as a whole feels more comfortable turning to the IT department to helps solve business problems. Shadow IT is combated when the IT department is consulted early on to assist, thus giving them the opportunity to provide the technical solution.
4. Cloud Roadmap
An IT Roadmap in its various forms is a common tool used to plan for future budgetary needs for information technology spending. However the roadmap should be much more than a technology shopping list. A well planned roadmap should incorporate the current state of all IT systems along with a network assessment, the organizations business goals (see Point 3), and the route the IT department needs to take to help the organization to achieve these goals. A roadmap that is truly aligned with business objectives, should be projected 5-7 years out. Therefore both current and future technologies must be evaluated in the route and placed on the roadmap. If your IT Roadmap doesn’t include cloud computing or cloud-based services then you may want to consider redrawing the map! Let’s face it, line of business users are finding the benefits of the cloud, by the increased wave of consumer level advertising. They may have already experienced these benefits at home, at organizations they volunteer at, or even from the previous company they worked at. These benefits include such things as collaboration, data sharing, and the ability to work more effectively with remote teams. When the IT department does not have a plan to deliver such features via cloud based technologies, then Shadow IT proliferates. Whether your organization is ready to begin using cloud technologies or not, planning for the inevitable is important.
5. Implement A DLP Strategy
Since one of the dangers of shadow IT is the lack of central control as to what data can be shared in the cloud, implementing a data loss protection (DLP) system on existing systems can help train users. DLP can alert users or block them when sensitive data is potentially being emailed or saved in an unsafe location. Using specific rules, DLP for example can detect if a word document that contains a credit card number, a social security number, or sensitive medical information is being stored in an unsecure location. There are many DLP solutions and providers. When the IT department leads an effort to help and educate line of business users to recognize the sensitivity of certain data, this increases the chance of the IT department being consulted on potential Shadow IT initiatives.
Develop a Battle Plan
Depending on the size of your organization the suggestions listed above may need to be modified to meet your unique needs. Mid-market and Smaller organization without a CIO may decide to partner with an IT consulting firm that can assist them. Regardless, Shadow IT does pose a risk to any organization. It is important for executive management and IT leadership to assess the situation and implement a plan to approach future technologies in a systematic and unified way that will benefit the business as a whole.