Managing shadow IT

Shadow IT is the use of IT systems within an organisation without the approval, or even the knowledge, of corporate IT. What should you do in response?

Some of us have worked in IT long enough to remember the heady days when we had full control of the infrastructure. No hardware or software could be brought into the business without the IT seal of approval. Business users had neither the knowledge nor the resources to acquire or maintain technology, but soon things began to change. 

Unapproved software would "appear" on machines because someone had discovered a new application or device that enhanced their productivity. When the first wireless network points appeared, business units immediately saw the benefits of staff mobility, yet IT groups were slow to react because of the security challenges presented by wireless access.

The scale of the problem became apparent when IT was asked to support devices and applications they had no knowledge of. IT groups sought to regain control, explaining the impact on IT resources and costs, and the risks to corporate security and compliance. Desktops were locked down, software audits performed and policies were produced in an effort to stem the proliferation of unapproved systems. For a short time control was re-established, but before long "shadow IT" was back.

Shadow IT is here

Shadow IT describes IT systems or solutions used within an organisation without the approval, or even the knowledge, of corporate IT. This is often referred to as the consumerisation of IT.

Armed only with a credit card and a browser, anyone can purchase low-cost subscription licences and have a new application up and running in no time at all. Importing corporate data and integrating with other enterprise applications can also be achieved, without IT having any involvement or even awareness of new systems.

The pressure on information workers to be productive outweighs any concerns over data security and corporate compliance. When staff need to access or share data quickly, they no longer need to rely on IT to provide the facility. Why would they go through the red tape of IT procurement, provisioning, testing and security, when they can find a solution themselves and be up and running in a matter of seconds?

The risks of shadow IT

There are four key risks to consider:

SAM compliance: Software asset management (SAM) is a big enough challenge when IT has decent processes for managing the procurement of software licences. When licences are procured outside of that process, without IT knowledge, SAM is not possible and the organisation is exposed to unnecessary risk. Discovery of unapproved software could mandate a complete audit of the infrastructure, along with the associated financial and resourcing costs to ensure compliance. The ultimate sanction against unlicensed software for the CIO is jail and/or an unlimited fine.

Governance and standards: Organisations invest heavily to ensure they comply with regulations imposed by government and industry. In addition, organisations adopt standards such as ISO/IEC 20000 to demonstrate quality to their customers. Investing time and resources to document systems, process flow and business models is wasted effort if documentation doesn’t reflect reality.

Lack of testing and change control: When new devices or applications appear within the corporate infrastructure without guidance from corporate IT, the change and release management processes are bypassed and the impact on other aspects of the infrastructure is not considered. One of the main drivers for deploying software as a service (SaaS) is that the vendor takes ownership of the upgrade and release process, so SaaS customers are always on the latest version. However, upgrades can and do break systems. Managing the cycle of change, testing and release is taxing enough, but a new layer of complexity is introduced when third parties need to be included in the process.

Configuration management: IT groups may have spent months or even years populating a configuration management database (CMDB) and defining relationships between systems. If users go outside official channels, key services or systems may not be added or supported because IT is unaware.

What can we do about it?

Moving forward, IT must hold regular service reviews with the business. These meetings should have a definitive agenda and should cover at least the following:

  • Service availability
  • Service performance
  • Service desk data
  • Incident and major incident data
  • Service request data
  • Outstanding problems
  • Change and release activity
  • New business challenges and requirements

Above all, address the pain points head on and ask the business why it is not coming directly to IT with its requirements. Look at your request fulfilment process – is there too much red tape?

A global market brings greater competition, and in tough economic times businesses have to be agile to survive. The information worker has never been under greater pressure to remain productive, both in the workplace and at home. Imposing more restrictions and preventing access to tools on the corporate desktop is a pointless exercise, when everything the user needs is available on their personal mobile phone or tablet.

Shadow IT, cloud-based applications and personal devices are now our competition. The only way we can ensure that we perform better than our competitors is by getting closer to the customer, understanding their challenges and delivering solutions that provide what they need. If IT is seen as a trusted advisor and is agile enough to provide what is needed, when it’s needed, there is no reason for the customer to look elsewhere.

Vawns Guest and Patrick Bolger are members of the Transition Management Special Interest Group at the IT Service Management Forum (itSMF UK).
