5 ways to deal with shadow IT

You don’t have to be a meteorologist to know that clouds create shadows. But as many businesses are now finding out, IT in the cloud has its shadows too.

In fact, shadow IT predates the cloud. The term describes the use of IT applications without the approval or perhaps even the knowledge of the IT department. And of course, ever since IT was introduced to the corporate environment, budget holders have been going behind the backs of their IT managers and installing their own software.

This is usually a sign that IT hasn’t understood the specialist nature of their work, rather than a sign of a disagreement over direction or strategy.

Yet suddenly shadow IT has become a big concern. In fact, it has been named as one of 2014’s top strategic priorities for CIOs. Research from the 451 Group suggests that globally 44% of businesses now have shadow IT within the organisation.

It’s easy to see why: the cloud and the rise of software as a service (SaaS) have made applications easy to download, bypassing a company’s infrastructure and, more importantly, their controls with a single click.

In a survey sponsored at the end of last year by McAfee, more than 80% admitted to using non-approved SaaS applications in their jobs.

Now, it’s not just managers in large corporations that are making these maverick decisions; it’s everyone. And this includes those working for SMEs, which don’t have large IT departments with the power to steer them back on the straight and narrow.

So, is it really a threat – and is it possible to be more constructive than merely issuing a heavy-handed ban?

First, it’s useful to look at why shadow IT is growing. Many small businesses have been in survival mode for the past few years – cutting overheads and postponing the updating of IT infrastructure.

At the same time, the consumerisation of IT means people are often using more advanced technology in their personal lives than they are at work. As a result, the apps they download at home are filling gaps in outdated IT infrastructure at work.

In many cases, shadow IT just means that employees are trying to do their job quickly and effectively. If a client is jumping up and down because they need a large document or file immediately and there is no company-sanctioned alternative, who would blame the employee for using a consumer service such as Dropbox? Is this not just a case of an employee using their initiative?

When there is a risk, often it’s not understood – or employees have developed ‘warning fatigue’. Besides, successful business people have never been afraid of taking risks.

‘So what,’ thinks the employee who sends the huge file via Dropbox when they are told that this means company data is in the public cloud. ‘At least I got praise from the client for averting a crisis.’

In other words, it’s easy for IT to blame everyone else for taking the risk. But there’s another side to this coin.

Has the IT department listened to what the rest of the business is saying? Probably not, if everyone is downloading their own applications.

A little soul searching is needed here. Of course personal data from staff or customers needs to be fiercely protected. And nobody would want their business’s intellectual property to be shared with competitors.

However, is the security case being overstated? Or is the real risk that IT is concerned about losing control – or even their role and status?

Some IT professionals see the cloud as a threat. They are no longer needed to maintain and support the infrastructure. Shadow IT underlines this change.

But this is short-sighted. It’s inconceivable that, in this digital age, businesses don’t need specialist technical expertise at the very highest level. These days, many IT professionals are wasted merely ‘keeping the lights on’.

So, how can the IT team tackle shadow IT in a far more constructive way than issuing a blanket ban? Here are five tips:

  • 1. Audit what is being used with an objective approach – You will have some valuable information and an accurate indicator of what the business actually needs. This can form the basis of future strategic planning.
  • 2. Seek out consultants that specialise in supplying SMEs – They will know the products currently on the market that are tailored for this size of business and that can provide a better experience than consumer-targeted apps. There are widely available alternatives that can be integrated with the company infrastructure.
  • 3. Work to achieve the right balance between security and accessibility – Security must be your main concern, but be clear about what you are trying to protect and what would be the consequences of a breach.
  • 4. See the situation as a wake-up call on improving internal communications – Could the risks have been explained better? IT departments must become better listeners, but also become more adept at explaining their side of the story.
  • 5. Don’t resist change – Be prepared for a path of continuous development and ensure that future implementations are business-led, rather than technology-led.

Of course, businesses need to guard against losing control of their data and shouldn’t encourage the continual use of consumer-style apps that use the public cloud, especially if this data is sensitive in any way.

However, nor should they swim against the tide. The best approach is to learn what the business is using, accept that this is needed – and then find a more business-focused alternative for better peace of mind.

Sourced from Jamie Marshall, CTO, Calyx

Ben Rossi