How I Learned to Stop Worrying and Love Shadow IT

"Shadow IT." The phrase strikes fear in the hearts of IT managers. People are introducing software and devices which you don't know about! How can you keep the network safe when they're doing that!?
But... maybe you can. Maybe they're using these things because they have a reason to. Maybe coming across as "Mordac, Preventer of Information Services" isn't the best approach. Yes, it's frightening. But what if you could love shadow IT? Tough love, perhaps, but still love. Then it might come out of the shadows a little.
People Know Their Jobs
When employees take things into their own hands, they usually aren't doing it to be mean. They have jobs to do. If your company has hired good people, they know their jobs, and they know what's necessary to get them done. Just as you know IT, they know how to do whatever they were hired to do. They recognize tools that will help them.
Sometimes they'll find the tools before you do. They may even find better tools than the ones you know. Granted, they can make horrible mistakes. They know what they need, but they don't necessarily know how to use it safely.
The answer isn't a wholesale ban on all tech that the IT department doesn't think of first. That won't stop people from coming up with their own solutions. It will just drive them underground, where you don't know what they're doing and can't control the risks. A better answer is to find what they're using, work with it, and stop any practices which are truly risky.
Finding Shadow IT
Step 1 in making rabbit stew is "catch the rabbit." To bring Shadow IT under control, you have to know about it.
You should already be doing network monitoring to catch break-in attempts and malware. It's also valuable for spotting benign activity which isn't authorized. Logs will show devices that aren't supposed to be there and network activity by applications you don't know about. If they're doing anything dangerous, you may get an immediate threat report.
The other piece is equally important. Encourage people to tell you what they're doing. If they think they'll get a nasty lecture and a reprimand, they won't say anything. If they can expect fair-minded, helpful advice, they're more likely to talk about it openly.
When you know what people are doing, you can evaluate the risks, eliminate any dangerous practices, and make the others safer.
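The log review described above can be sketched as follows. This is an added example, not code from the original article; the log format (timestamp, source MAC, destination host, bytes sent), the device inventory, and the sanctioned-domain list are all constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory and allowlist (assumptions, not from the article).
KNOWN_DEVICES = {"aa:bb:cc:00:00:01": "finance-laptop-01",
                 "aa:bb:cc:00:00:02": "marketing-laptop-07"}
SANCTIONED_DOMAINS = {"example-mail.test", "example-crm.test"}

# Constructed proxy log: timestamp, source MAC, destination host, bytes sent.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z aa:bb:cc:00:00:01 example-crm.test 1200
2024-05-01T09:00:05Z aa:bb:cc:00:00:02 files.example-share.test 98000
2024-05-01T09:01:10Z aa:bb:cc:00:00:02 files.example-share.test 45000
2024-05-01T09:02:00Z de:ad:be:ef:00:09 example-mail.test 300
malformed line here
2024-05-01T09:03:30Z aa:bb:cc:00:00:01 api.example-mail.test 640
"""

def is_sanctioned(host):
    """True if host is a sanctioned domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SANCTIONED_DOMAINS)

def find_shadow_it(log_text):
    """Return (unknown device MACs, per-host usage of unsanctioned services, skipped lines)."""
    unknown_devices = set()
    unsanctioned = defaultdict(lambda: {"devices": set(), "bytes": 0, "hits": 0})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        _, mac, host, sent = parts
        mac = mac.lower()
        if mac not in KNOWN_DEVICES:
            unknown_devices.add(mac)
        if not is_sanctioned(host):
            entry = unsanctioned[host.lower()]
            entry["devices"].add(KNOWN_DEVICES.get(mac, mac))
            entry["bytes"] += int(sent)
            entry["hits"] += 1
    return unknown_devices, dict(unsanctioned), skipped

if __name__ == "__main__":
    devices, services, skipped = find_shadow_it(SAMPLE_LOG)
    print("Devices not in inventory:", sorted(devices))
    for host, info in services.items():
        print(f"{host}: {info['hits']} hits, {info['bytes']} bytes, used by {sorted(info['devices'])}")
    print("Unparseable lines:", skipped)
```

The per-host device names give you the people to talk to, which feeds the conversation the article recommends next.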
Evaluating Applications
When you find people are using an unauthorized application, don't panic. Find answers to some questions, and then decide on the best action.
- Why are they using it? If it's a game, there might not be a good reason, but it might not be hurting anything except productivity. Whether it should stay is a matter of policy. If it's a work-related application, it's most likely filling a need which they think they can't fill otherwise. Find out exactly what they're hoping it will accomplish for them.
- Is there an existing alternative? Sometimes people turn to new software because they don't know the existing applications can already do it. Find out whether it really meets an unsatisfied need.
- Does it meet compliance and security requirements? A lot depends on your organization's security level and obligations. If you're developing top-secret military devices, then you have to be very strict. If you're under HIPAA or PCI requirements, you need to make sure that no one is bypassing them. You have more leeway if concerns like those don't apply.
- How well does it work with existing systems? If you already have an integrated set of applications, adding a tool that doesn't work with them could be a long-term headache. Sometimes employees find something that seems helpful but don't think about the bigger picture. You may need to steer them in a different direction, or there may be a way to make the pieces work together smoothly.
- What does it cost? If a department is using free software, at least it isn't impacting the budget. If it's paying a large chunk of money, then you're talking about not just shadow IT but a shadow budget. That's bound to lead to questions later on. If they're using pirated software, that's major trouble, and you need to stop or legitimize it right away.
Bringing Shadow IT Under Control
Let's say that you discover someone has introduced an application without authorization, but you decide it's useful and can stay around. Your goal is to bring it out of the shadows and into the light. What's the best way to do that?
The first step is to find out who introduced it. It might be the head of the department, or someone else with a little technical knowledge and a lot of enthusiasm. Talking to that person can help you to understand why it's being used and why it wasn't requested through IT. (Or why it was requested and denied.)
If it looks reasonable after that discussion, figure out a plan to make it official. This might require some configuration adjustments to make sure it's working safely. Repositories should move to the ones that IT maintains. A plan to patch it when necessary is an important part of the rollout.
If the software is licensed, the accounts should move from the department which is using them to the company's accounts.
Integrating Shadow Applications With Your Infrastructure
You might have a suite of applications and officially endorsed add-ons. They work well together, but now some employees want to use something completely different. It can be tricky, but don't reflexively dismiss it as impossible.
The first step is to look at what you have. Your software may have APIs that make it relatively easy to integrate other applications. Creating some automated scripts could let everything work smoothly together.
Look at the tools which are available for bringing diverse software together. Microsoft Flow lets you build a workflow out of applications from different vendors. IFTTT ("If This Then That") is a free Web-based service to connect applications. Zapier is another versatile way to build workflows.
Once workflow tools are part of the IT department's repertoire, a lot of new possibilities open up. Applications that seemed hard to fit in can become viable options.
Love Makes the Data Go Round
Think of shadow IT as other people doing your research for you. Is that so bad? They have expertise in their jobs which you don't. You understand the technical side, but they understand marketing, personnel management, or whatever they do. Putting your expertise together with theirs results in better decisions, as long as everyone's open about it.
The term "Shadow IT" sounds sinister, but it isn't always something to evoke fear. Some of the most exciting things come out of the shadows. What's not to love?
For more technical solutions which you'll really love, contact us.