Simply stated, Shadow IT is what happens when people within an organization decide to deploy Information Technology systems and services without approval from the official IT group. On the positive side, this can be the source of real innovation from within the company without the normal formal approval process, which can be time-consuming and burdensome. On the negative side, these systems and services may be deployed in a way that is not in line with documented requirements for control, security or documentation.
The abundance of Bring Your Own Device (BYOD) hardware in the form of smartphones, laptops, IoT devices, and tablets, just to name a few, has created an atmosphere where people are not willing to give these devices up while they wait for approval, because the devices offer such a rich variety of applications that people depend on and use every single day.
The obvious fixes are to both establish open communications between the IT staff and other employees to understand why resources are being deployed without approval and to have management demand that the IT department be the sole gatekeeper for technology solutions. Unfortunately, these fixes don’t often match reality and Shadow IT exists anyway.
Tips for dealing with Shadow IT:
- A potentially counter-intuitive solution is to encourage innovation outside of the IT department instead of frowning upon it. For example, have the IT department publish straightforward deployment guidelines (think of 1-2 pages of crisp and clear requirements, not a 50-page book that nobody will read).
- Have the IT department identify helpful and secure solutions that have been implemented and fast track them into the IT portfolio to show the end user population that new technologies can be quickly embraced.
- Support the IT department in putting its foot down and categorically denying or removing technology that creates compliance or regulatory violations.
- Monitor your own network to identify unexpected additions of either systems or services so the IT staff can immediately work with the users who have decided to deploy solutions on their own.
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open and the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.