How significant is the tool sprawl problem?

Following up on my post earlier this month on Shadow IT, I wanted to discuss a related issue – “tool sprawl.” Tool sprawl describes an environment where the deployment and use of tools is not managed by a single IT group: applications, software, and tools are installed by end-users because they believe that waiting for the IT group will take too long and be too onerous.

Tool sprawl is a serious obstacle to providing security

The problem with uncontrolled installation and use of tools is that most tools have their own way of providing security characteristics, and those are unlikely to be the same as, or in sync with, the controls of tools already in place. In addition, many end-users are focused more on functionality than security, so the tool may be at odds with current organizational security expectations or standards. As anybody in IT knows, installing new tools is usually the easiest and least expensive part of the whole process. The real expenses are the time and money spent on ongoing management, integration with other tools, upgrades to meet security requirements, maintenance updates, and, of course, technical support.

Another hidden cost — beyond the additional licensing fees — is that the more applications you have, the more time both your end-users and IT support have to spend learning about and supporting these tools. In many cases it would be less expensive for the organization as a whole to reduce the number of tools in use and save on support-related expenses.

The tool sprawl problem is getting worse because agile development, cloud computing, and the Internet of Things are all introducing more and more user-focused software at a high rate.

I offer the following tips to address tool sprawl in your environment:

  • Encourage innovation outside of the IT department instead of frowning upon it.
  • Solicit feedback from your users to hear their opinions on what other tools they’d like to be able to use, or what processes they’d like to streamline with an additional tool.
  • Have the IT department identify helpful and secure end-user tools that have been implemented and fast track them into the IT portfolio to show the end-user population that new tools can be embraced.
  • Allow the IT department to put their foot down and categorically deny or remove tools that create compliance or regulatory violations.

Four Tips for Dealing with Shadow IT

Simply stated, Shadow IT is what happens when people within an organization decide to deploy Information Technology systems and services without approval from the official IT group. On the positive side, this can be the source of real innovation from within the company, bypassing a formal approval process that can be time consuming and burdensome. On the negative side, these systems and services may be deployed in a way that is not in line with documented requirements for control, security, or documentation.

The abundance of Bring Your Own Device (BYOD) hardware, in the form of smartphones, laptops, IoT devices, and tablets, just to name a few, has created an atmosphere where people are not willing to give up these devices for the sake of waiting for approval, because they offer such a rich variety of applications that people depend on and use every single day.

The obvious fixes are to establish open communication between the IT staff and other employees to understand why resources are being deployed without approval, and to have management insist that the IT department be the sole gatekeeper for technology solutions. Unfortunately, these fixes often don’t match reality, and Shadow IT exists anyway.

Tips for dealing with Shadow IT:

  1. A potentially counter-intuitive solution is to encourage innovation outside of the IT department instead of frowning upon it. For example, have the IT department publish straightforward deployment guidelines (think of 1-2 pages of crisp and clear requirements, not a 50-page book that nobody will read).
  2. Have the IT department identify helpful and secure solutions that have been implemented and fast track them into the IT portfolio to show the end-user population that new technologies can be quickly embraced.
  3. Support the IT department when it puts its foot down and categorically denies or removes technology that creates compliance or regulatory violations.
  4. Monitor your own network to identify unexpected additions of either systems or services, so the IT staff can immediately work with the users who have decided to deploy solutions on their own.