Shining a light on shadow IT can reveal potentially useful and productive technologies. Here's how to meet employees' hidden needs, reliably and securely.

Fear not shadow IT, the software and services employees secretly use without explicit organizational approval.

For decades, CIOs and IT managers have searched for ways of reliably ferreting out and squashing shadow technologies, realizing that the illicit tools create dangerous security, compliance and workflow vulnerabilities. Yet a small but growing number of IT leaders are beginning to view shadow IT in a new light. They’re coming to understand that studying the covert practice can help them gather clues and insights into end-user needs and preferences, leading to the development and deployment of authorized software and services that can boost employee performance and satisfaction.

Here are seven ways to gain the upper hand on the shadow IT tools lurking inside your organization.

1. Understand why the shadow IT tool is being used

Many employees are tech-savvy, comfortable with leveraging devices, software and apps to get their jobs done more efficiently. “They are used to using consumer-facing platforms in their personal lives and want to transfer that ease and simplicity into the workday,” says Jon Green, vice president and chief technologist for security at Aruba, a Hewlett Packard Enterprise company. “Any corporate-mandated IT system that slows processes down or creates barriers to letting employees work 24/7 from wherever they are will likely be circumnavigated.”

Leon Adato, head geek at infrastructure management software provider SolarWinds, maintains that employees who use one or more shadow IT technologies are simply looking to get their work done smoothly and efficiently. “Nobody works around an established process or team if that process or team serves their needs,” he explains.
“But when it doesn’t, either because of speed or cost, that’s when teams and even individuals start looking for other ways to succeed.” After all, Adato notes, employees are primarily evaluated on results, not on how well they conform to standards, particularly standards that are doing little more than helping them to fall short of their goals.

2. Study how employees use the shadow IT tool

Direction on how to deal with shadow IT tools is best obtained by asking users to discuss the value the technology is delivering to them and the specific problems it’s helping to solve. “It’s similar to what our IT teams do when evaluating new technologies, except that the new technology is already part of some business workflow,” says Sean Cordero, head of cloud strategy at Netskope, a cloud security platform provider. “If it turns out your team can’t deliver the capabilities needed, then it’s likely a good time to dig further into the use cases and identify solutions that can meet the business’ needs.”

A top shadow IT example is surreptitious use of public cloud services. Employees often share files, offer multiple users document access or simply back up important files to services such as Dropbox or Google Docs. “While these platforms are ubiquitous and easy to use, they can put sensitive data at risk,” Green warns. He notes that enterprise-focused cloud platforms offer more robust security and utilization controls, including options to encrypt files so they can be accessed only by intended parties. “It’s also common for larger organizations to implement their own secure file sharing platforms or to use white-label products that allow them to customize features that provide the most value for their business,” Green explains.

3. Determine whether the shadow technology poses any security threat

“The first step is identifying what shadow IT exists in the organization,” recommends Roy Nicholson, a principal in Grant Thornton’s advisory services practice.
“There are many ways of achieving this [goal], one of which is to monitor outbound traffic on the network, given that a large proportion of shadow IT commonly involves software or infrastructure-as-a-service capabilities,” he says. “From there, companies can start to work through a security assessment.”

Enterprises should assess shadow IT security in the same manner as they do other types of software and services, advises Mounir Hahad, head of Juniper Networks’ Juniper Threat Labs. “Shadow IT technologies do not inherently require different assessment procedures, but most certainly need to be evaluated to ensure any security risks can be observed and mitigated,” he observes.

Unknown users and devices on a company’s network can create security gaps and increase risk. “Using a network access control system that provides real-time information for every person, system and device connecting to company infrastructure is one efficient method of detecting shadow IT technology,” Green notes. Additionally, user and entity behavior analytics (UEBA) tools can help detect and prevent damage from hidden cyber threats that have penetrated perimeter defenses. “Together, these tools are a tremendous one-two punch for protecting corporate assets,” he states.

4. Evaluate the shadow tech’s potential value as an enterprise productivity tool

The simplest and easiest way to assess a shadow tool’s value is to discuss the technology with its users. “Your employees know how to make your company more efficient and their jobs more productive better than any vendor, sales rep, security expert or infrastructure team,” observes Pieter VanIperen, an independent security architect based in the New York area. “Treat your employees like you treat your clients/consumers — give them a good work experience and they will produce great work and they won’t need the shadow to hide in.”

If employees are using shadow tools, there’s likely a good reason, VanIperen remarks.
“Find out why those users have turned to the shadow, and what gaps are there,” he suggests. Better yet, he says, survey employees about potential new tools and let them try out various options. “Make sure it’s not your process for getting a tool that is too complicated,” he adds.

5. Work with the shadow tech’s vendor to develop an enterprise-level version

If IT determines there’s a solid business reason for converting a shadow IT technology into an approved business tool, the organization should reach out to the developer to discuss specific needs and goals, advises Ron Temske, vice president of security solutions for infrastructure and service provider Logicalis. “Many software vendors have different versions of their products or will be willing to work cooperatively to make sure their product meets an organization’s requirements,” he notes.

Ten or fifteen years ago, most of the consumer tools that were spilling over into businesses as shadow IT failed to meet enterprise-level security and compliance standards. “That isn’t true for most of these tools today,” observes Michael Fauscette, chief research officer for G2 Crowd, an IT software and services review website. “There are exceptions, of course, and in those cases IT can either provide appropriate [vetted] tools to replace them … or partner with vendors to improve solutions in problematic areas.”

6. Deploy the technology in a way that preserves the shadow version’s original benefits

Once it’s decided that formal adoption is possible, IT should focus on getting the shadow technology into a fully usable and secure state. “Make sure the core use cases are covered, otherwise don’t bother,” VanIperen suggests.
“A wanted tool that doesn’t work right will just result in more shadow IT.”

The fastest way to bring a shadow tool under the IT umbrella in a secure form that retains its original usefulness is to talk to the provider, explain the organization’s specific needs and then ensure that the provider is living up to its promises via tests and pilot deployments. Yet it’s also important to understand that there are some shadow IT tools that can never be offered in enterprise-level versions, Cordero warns. “Supporting them in a traditional IT sense would be close to impossible.”

7. Remain vigilant

IT must always keep an eye peeled for new shadow technologies that pop up as earlier employee-deployed tools are dealt with appropriately. On the other hand, organizations that find themselves swatting down a series of successful shadow IT implementations should consider the possibility that there may be a significant gap in IT’s ability to deliver reliable solutions quickly and cost-effectively. “It implies a lack of communication and possibly a lack of trust,” Adato explains. “No individual, team, department or business can expect to continue to operate successfully when those underlying causes exist.”

Finally, IT should never cave in and approve a questionable shadow tool solely to meet employee demand. “If there is a security breach or significant outage, the responsibility for that incident will ultimately rest on the CIO or CTO, even if they were not the ones who executed the agreement with the shadow IT provider,” warns Alan Zucker, founding principal of Project Management Essentials, a business management consultancy.
“To preserve the integrity of the enterprise, the IT organization needs to ensure that if shadow IT technologies are used, they meet enterprise standards.”
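
An added example for step 3 (not part of the original article): one way to turn outbound proxy logs into a first inventory of shadow IT is to total uploads per destination that is not on the approved list. The log format, user names, hosts and the approved domain below are constructed for illustration.

```python
from collections import defaultdict

# Constructed egress proxy log: "timestamp user destination_host bytes_uploaded"
SAMPLE_LOG = """\
2023-05-01T09:02:11Z alice www.dropbox.com 48213004
2023-05-01T09:05:40Z bob docs.google.com 120450
2023-05-01T09:07:02Z alice files.corp.example 9200344
2023-05-01T09:15:27Z carol www.dropbox.com 1048576
2023-05-01T09:16:00Z bob intranet.corp.example 2048
malformed line without enough fields
2023-05-01T10:41:19Z carol upload.fileshare.example.net 73400320
"""

# Assumption: services IT has approved, matched on domain suffix.
SANCTIONED = {"corp.example"}


def matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def find_unsanctioned(log_text, sanctioned):
    """Aggregate uploads per unsanctioned host: distinct users and bytes sent."""
    stats = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records instead of crashing the report
        _, user, host, sent = parts
        host = host.lower().rstrip(".")
        if any(matches(host, d) for d in sanctioned):
            continue
        stats[host]["users"].add(user)
        stats[host]["bytes_out"] += int(sent)
    # Largest outbound volume first: that is where data exposure is highest.
    return sorted(
        ((h, sorted(s["users"]), s["bytes_out"]) for h, s in stats.items()),
        key=lambda row: row[2],
        reverse=True,
    )


if __name__ == "__main__":
    for host, users, sent in find_unsanctioned(SAMPLE_LOG, SANCTIONED):
        print(f"{host:32} users={','.join(users):12} uploaded={sent / 1e6:8.1f} MB")
```

The per-host user list doubles as the interview list for steps 1 and 2, since it names the employees who can explain what the tool is doing for them.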