The virus itself has been bad enough. But now that businesses that have transitioned, ready or not, to a remote work office environment, they are faced with another rapidly spreading plague. I’m talking about Shadow IT.
“Shadow IT is when a business goes out on its own, without involving IT, to get digital or IT resources themselves,” says Aaron Kamphuis, data analytics and IoT practice manager at OST, a business and IT consulting firm that helps customers bridge the distance between insights, technology, and strategy in smart, meaningful ways that yield transformative results. “This means,” continues Aaron “that the business will either hire vendors directly or purchase software solutions, without consulting or collaborating with IT.” What’s the result of this endzone runaround of your IT team’s controls and restrictions? “It creates pockets of technology use around the enterprise without the involvement or governance of an IT team.” And that’s something that every CEO should fear knowing there are always lawyers lurking around hidden in the bushes outside.
In fact, it’s been predicted by Gartner that one-third of security breaches by 2020 is going to come into organizations through the use of Shadow IT services. And as business move toward supporting an entirely remote workforce amid the COVOD-19 pandemic, the probability of workers reaching out to IT for advice on how what cloud services they can use will likely diminish. Which, in turn, may lead to an increasing use of Shadow IT. And it’s a fact that not all cloud services providers are created equal; they can vary a great deal in the level of security they provide for their users. And when non-IT staff members decide to take cloud development into their own hands, they often look for the cheapest and easiest solution instead of properly vetting what’s available. The result can put their organization’s data at risk.
I asked Aaron to elaborate more on the subject of what Shadow IT is and why many businesses are concerned about it. “Businesses should be concerned with Shadow IT from a governance and security risk standpoint,” Aaron says. “Because if you have company or customer sensitive information that is located in technology services that aren’t under the governance of IT, there is potential for the information not to be protected or handled properly.
“Another concern is you get a certain amount of portfolio management when you go through a central IT organization, and this allows you to negotiate better pricing and leverage resources that are already available through your company. Whereas if a department goes out on its own, it doesn’t have insight into the purchasing power or the resources that are already available and may acquire services that are less financially responsible for the company.
“Furthermore, often with Shadow IT resources, the acquisition of technology is just the first phase, companies also have to deploy the use of it. And if a business unit purchases an IT service with the idea that they are just simply going to use it without consulting IT, this can cause issues in terms of business continuity, degradation of services, and lack of security protocol. IT is then brought in during crisis mode to fix something they had no role in implementing. This causes issues because IT could be unfamiliar with the system or have to spend resources they did not budget for.”
The big question for all of us who work in corporate IT these days is how the current situation is affecting the security and integrity of the infrastructures we support — and indirectly our jobs as a result. So, I asked Aaron next whether he thought that the problems associated with Shadow IT have increased in recent months because of more and more employees working from home due to the coronavirus crisis. “Absolutely,” replied Aaron. “If you look at operation models of companies pre-COVID, everything was emphasized around on-premises with some enablement for a distributed workforce. COVID flipped that balance overnight as all of a sudden, everyone was working from home.
“Because of this shift, the productivity tools, computing tools, and workstations that people needed went from being dependent on on-premise management to everything needing to be distributed. The result was that companies had this huge scramble in the weeks following the lockdown of trying to get workers set up to be able to work securely from home. As a result, they had to prioritize getting employees back to work over properly vetting new technology initiatives. With how quickly the technology needed to be implemented, businesses weren’t thinking about the ramifications of new technology, leading of course to Shadow IT. So basically, COVID-19 was the perfect time for Shadow IT.”
It’s no use focusing on a problem if you don’t also try to come up with a solution. I finished my discussion with Aaron about Shadow IT by asking him what sort of strategies, techniques, or technologies businesses can use to minimize the dangers of Shadow IT when their employees start working from home instead of at the office. Aaron responded to this with the kind of realistic perspective that those of us in the IT field are familiar with from long, hard experience. “The reality is that Shadow IT is not going to go away, while the expectation for businesses to be more in control of their acquisition of digital IT resources is going to increase. My advice to IT is to somewhat embrace Shadow IT, finding a balance between the IT processes, centers of excellence, and governance that they provide. IT teams need to be more involved in these processes and more influential so that instead of going around IT so that departments can look to them as an advisor that supports the business. That way, when businesses need to move quickly, IT has the mechanism and mindset to do that, but it doesn’t undermine principles such as managing risk. In short, building a better partnership with business leaders will allow IT departments to use Shadow IT to its advantage.”
For more analysis of the kinds of problems associated with Shadow IT and some constructive ways that businesses can deal with the problem, check out these other articles on our TechGenix website:
- Shadow IT is exploding — and so are the security risks
- Shadow IT is not that scary after all: Here’s 6 reasons not to be afraid
- Shedding light on Shadow IT: Yes, it’s a problem — except when it’s not
Featured image: Shutterstock