How I Learned to Stop Worrying and Love Shadow IT

“Shadow IT.” The phrase strikes fear in the hearts of IT managers. People are introducing software and devices which you don’t know about! How can you keep the network safe when they’re doing that!?

But… maybe you can. Maybe they’re using these things because they have a reason to. Maybe coming across as “Mordac, Preventer of Information Services” isn’t the best approach. Yes, it’s frightening. But what if you could love shadow IT? Tough love, perhaps, but still love. Then it might come out of the shadows a little.

People Know Their Jobs

When employees take things into their own hands, they usually aren’t doing it to be mean. They have jobs to do. If your company has hired good people, they know their jobs, and they know what’s necessary to get them done. Just as you know IT, they know how to do whatever they were hired to do. They recognize tools that will help them.

Sometimes they’ll find the tools before you do. They may even find better tools than the ones you know. Granted, they can make horrible mistakes. They know what they need, but they don’t necessarily know how to use it safely.

The answer isn’t a wholesale ban on all tech that the IT department doesn’t think of first. That won’t stop people from coming up with their own solutions. It will just drive them underground, where you don’t know what they’re doing and can’t control the risks. A better answer is to find what they’re using, work with it, and stop any practices which are truly risky.

Finding Shadow IT

Step 1 in making rabbit stew is “catch the rabbit.” To bring Shadow IT under control, you have to know about it.

You should already be doing network monitoring to catch break-in attempts and malware. It’s also valuable for spotting benign activity which isn’t authorized. Logs will show devices that aren’t supposed to be there and network activity by applications you don’t know about. If they’re doing anything dangerous, you may get an immediate threat report.
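The log review described above can be sketched as follows. This is an added example, not code from the original post: the log layouts, the inventory of known MAC addresses, the list of sanctioned domains and every sample line are constructed assumptions.

```python
from collections import defaultdict

# Assumed inputs (hypothetical): IT's asset inventory and approved services.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
SANCTIONED_DOMAINS = {"corp.example", "crm-vendor.example"}

# Constructed sample logs in a simplified "time event/ip ..." layout.
DHCP_LOG = """\
2024-05-01T09:00:01 DHCPACK 10.0.5.21 00:11:22:33:44:55 hr-laptop-01
2024-05-01T09:02:13 DHCPACK 10.0.5.44 DE:AD:BE:EF:00:01 raspberrypi
2024-05-01T09:05:40 DHCPACK 10.0.5.22 00:11:22:33:44:66 mkt-laptop-07
"""
DNS_LOG = """\
2024-05-01T09:10:00 10.0.5.21 query mail.corp.example
2024-05-01T09:10:05 10.0.5.22 query api.filesync.example
2024-05-01T09:11:30 10.0.5.21 query api.filesync.example
2024-05-01T09:12:00 10.0.5.44 query updates.filesync.example
2024-05-01T09:12:02 10.0.5.22 query app.crm-vendor.example
2024-05-01T09:13:15 10.0.5.22 query board.tasktool.example
"""

def unknown_devices(dhcp_log, known_macs):
    """Map MAC -> (ip, hostname) for leases not in the asset inventory."""
    found = {}
    for line in dhcp_log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == "DHCPACK":
            ip, mac, host = parts[2], parts[3].lower(), parts[4]
            if mac not in known_macs:
                found[mac] = (ip, host)
    return found

def unsanctioned_services(dns_log, sanctioned):
    """Rank unapproved domains by how many distinct clients looked them up."""
    clients = defaultdict(set)
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed or non-query lines
        ip, name = parts[1], parts[3].lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in sanctioned):
            continue
        # Naive grouping by the last two labels; a real deployment would
        # use the Public Suffix List to find the registered domain.
        clients[".".join(name.split(".")[-2:])].add(ip)
    return sorted(((d, len(c)) for d, c in clients.items()),
                  key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    print(unknown_devices(DHCP_LOG, KNOWN_MACS))
    print(unsanctioned_services(DNS_LOG, SANCTIONED_DOMAINS))
```

The ranking by distinct clients shows which unapproved services have spread furthest and so deserve the first conversation. Phones and laptops that randomize their MAC addresses will also appear as unknown devices, so treat a hit as a lead to follow up rather than proof of an unauthorized device.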

The other piece is equally important. Encourage people to tell you what they’re doing. If they think they’ll get a nasty lecture and a reprimand, they won’t say anything. If they can expect fair-minded, helpful advice, they’re more likely to talk about it openly.

When you know what people are doing, you can evaluate the risks, eliminate any dangerous practices, and make the others safer.

Evaluating Applications

When you find people are using an unauthorized application, don’t panic. Find answers to some questions, and then decide on the best action.

  • Why are they using it? If it’s a game, there might not be a good reason, but it might not be hurting anything except productivity. Whether it should stay is a matter of policy. If it’s a work-related application, it’s most likely filling a need which they think they can’t fill otherwise. Find out exactly what they’re hoping it will accomplish for them.
  • Is there an existing alternative? Sometimes people turn to new software because they don’t know the existing applications can already do it. Find out whether it really meets an unsatisfied need.
  • Does it meet compliance and security requirements? A lot depends on your organization’s security level and obligations. If you’re developing top-secret military devices, then you have to be very strict. If you’re under HIPAA or PCI requirements, you need to make sure that no one is bypassing them. You have more leeway if concerns like those don’t apply.
  • How well does it work with existing systems? If you already have an integrated set of applications, adding a tool that doesn’t work with them could be a long-term headache. Sometimes employees find something that seems helpful but don’t think about the bigger picture. You may need to steer them in a different direction, or there may be a way to make the pieces work together smoothly.
  • What does it cost? If a department is using free software, at least it isn’t impacting the budget. If it’s paying a large chunk of money, then you’re talking about not just shadow IT but a shadow budget. That’s bound to lead to questions later on. If they’re using pirated software, that’s major trouble, and you need to stop or legitimize it right away.

Bringing Shadow IT Under Control

Let’s say that you discover someone has introduced an application without authorization, but you decide it’s useful and can stay around. Your goal is to bring it out of the shadows and into the light. What’s the best way to do that?

The first step is to find out who introduced it. It might be the head of the department, or someone else with a little technical knowledge and a lot of enthusiasm. Talking to that person can help you to understand why it’s being used and why it wasn’t requested through IT. (Or why it was requested and denied.)

If it looks reasonable after that discussion, figure out a plan to make it official. This might require some configuration adjustments to make sure it’s working safely. Repositories should move to the ones that IT maintains. A plan to patch it when necessary is an important part of the rollout.

If the software is licensed, the accounts should move from the department which is using them to the company’s accounts.

Integrating Shadow Applications With Your Infrastructure

You might have a suite of applications and officially endorsed add-ons. They work well together, but now some employees want to use something completely different. It can be tricky, but don’t reflexively dismiss it as impossible.

The first step is to look at what you have. Your software may have APIs that make it relatively easy to integrate other applications. Creating some automated scripts could let everything work smoothly together.

Look at the tools which are available for bringing diverse software together. Microsoft Flow lets you build a workflow out of applications from different vendors. IFTTT (“If This Then That”) is a free Web-based service to connect applications. Zapier is another versatile way to build workflows.

Once workflow tools are part of the IT department’s repertoire, a lot of new possibilities open up. Applications that seemed hard to fit in can become viable options.

Love Makes the Data Go Round

Think of shadow IT as other people doing your research for you. Is that so bad? They have expertise in their jobs which you don’t. You understand the technical side, but they understand marketing, personnel management, or whatever they do. Putting your expertise together with theirs results in better decisions, as long as everyone’s open about it.

The term “Shadow IT” sounds sinister, but it isn’t always something to evoke fear. Some of the most exciting things come out of the shadows. What’s not to love?

For more technical solutions which you’ll really love, contact us.
