Following up on my post earlier this month on Shadow IT, I wanted to discuss a related issue – “tool sprawl.” Tool sprawl describes an environment where the deployment and use of tools is not managed by a single IT group: applications, software, and tools are installed by end-users because they believe that waiting for the IT group will take too long and be too onerous.
Tool sprawl is a serious obstacle to providing security
The problem with uncontrolled installation and use of tools is that most tools have their own way of providing security characteristics, and those mechanisms are unlikely to be the same as, or in sync with, other tools already in place. In addition, many end-users are focused more on functionality than security, and the tool may be at odds with current organizational security expectations or standards. As anybody in IT knows, installing new tools is usually the easiest and least expensive part of the whole process. The real expenses are in time and money for ongoing management, integration with other tools, upgrades to meet security requirements, maintenance updates, and, of course, technical support.
Another hidden cost — beyond the additional licensing fees — is that the more applications you have, the more time both your end-users and IT support have to spend learning about and supporting these tools. In many cases, it would be less expensive for the organization as a whole to reduce the number of tools in use to save on support-related expenses.
The tool sprawl problem is getting worse because agile development, cloud computing, and the Internet of Things are all introducing more and more user-focused software at a high rate.
I offer the following tips to address tool sprawl in your environment:
- Encourage innovation outside of the IT department instead of frowning upon it.
- Solicit feedback from your users to hear their opinions on what other tools they’d like to be able to use, or what processes they’d like to streamline with an additional tool.
- Have the IT department identify helpful and secure end-user tools that have been implemented and fast track them into the IT portfolio to show the end-user population that new tools can be embraced.
- Allow the IT department to put their foot down and categorically deny or remove tools that create compliance or regulatory violations.
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, and the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.