“Shadow IT isn’t such a big deal. It’s only when it comes out from the shadows that it becomes a big deal.” So said my friend John, a colleague who is the sysadmin for an established midsized manufacturing business. John was commenting on his reaction to his management’s disapproval when he told them several users had been circumventing internal controls, supposedly to do their jobs more efficiently.
The politics of shadow IT
John’s experience highlights an often forgotten aspect of shadow IT: it isn’t simply a technical or managerial problem, it’s also a political one.
Aristotle defined politics as the practice of making citizens happy. Unfortunately, many individuals who work at corporations today are anything but happy. People are afraid of losing their jobs in the name of disruption, the pursuit of market share at the expense of all else. Employees are saddled with unmanageable workloads in the name of efficiency masquerading as shareholder loyalty. And IT staff are squarely in the center of all this because computer technology is so critical to the success and operations of today’s businesses.
Many IT professionals I talk with nowadays are unhappy. They’re unhappy with their workloads, unhappy with management, unhappy with users. Instead of there being too much politics in the workplace, there’s not enough politics — at least in the Aristotelian sense of making other people happy. The proliferation of shadow IT is merely an outcome or expression of the underlying political tensions in today’s workplace. Users feel pressure to do their jobs, so they sidestep IT controls where possible to make this happen. Managers feel pressure to cover themselves, so they blame IT when breaches happen instead of attributing them to the draconian cost-cutting measures they’ve been required to implement. And CEOs feel pressure from shareholders to boost the agility of their businesses to compete in a crazy world where startups go from zero to golden unicorn status in a matter of months even though their profits remain negative.
And poor IT is caught right in the middle of all this.
Pressure from vendors
The pressure IT workers constantly feel doesn’t just come from above (management) or below (users). It also comes from companies that provide the tools and platforms that enable IT to do their job. In other words, it comes from the vendors.
I’ve been observing this matter carefully and my opinion is that most vendors of business software and services are all for companies embracing shadow IT in the workplace. Why is that? Because to the vendor, shadow IT represents opportunity. The pitch usually sounds something like this:
Having trouble getting control of shadow IT in your workplace? Worried about the security and privacy implications of employees secretly bringing their own devices to work or making use of unauthorized cloud apps? Buy our product! Subscribe to our cloud service! We can help you get a handle on who is accessing and using unauthorized software and cloud services in your organization and keep your sensitive business data safe and secure, yadda-yadda.
By playing first to our fears and then offering us their solution, vendors often portray themselves as saviors for IT staff struggling with the proliferation of shadow IT in their workplace. But is adding another technological layer to your infrastructure really going to make your life easier as a harried IT professional? Is new technology — more technology — the best way to address the shadow IT iceberg most organizations are facing?
The argument for controls
It’s easy, especially for big companies, to argue that the solution to the growing problem of shadow IT is to institute more and stronger controls. But while a governance, risk management and compliance (GRC) strategy may be essential for organizations that deal with government clients or international markets, smaller companies can find this approach burdensome. Midsized firms will often implement ITIL or COBIT frameworks on the way to some ISO certification. But once certified, attention to the controls that have been implemented tends to wane quickly as day-to-day operational demands take over. Even large multinational enterprises tend to fall asleep at the wheel once one of these projects has been completed. The eventual result of driving while asleep is an accident — in this case an embarrassing security breach that can lead to the downfall of the company.
Simply using policies to control the behavior of the users in your organization, however, is not the answer. As someone who has been in a management position, there’s a favorite saying of Gen. Dwight D. Eisenhower that I often come back to. Ike’s advice to managers was this:
“Plans are nothing; planning is everything.”
I have my own corollary for Ike’s saying, and it runs like this:
“Policies are nothing; policy enforcement is everything.”
In short, it’s not the implementation and promulgation of a policy that achieves anything within an organization. It’s the ongoing fair and impartial enforcement of the policy that results in actual benefit.
Out of the shadows
How does this wisdom apply to the problem of shadow IT? My own suggestion for IT managers concerned with shadow IT is this. Begin, of course, by making an inventory of the scope and nature of the problem within your company. If necessary, bring in outside help to enable you to get a clear picture of the extent and kinds of shadow IT being used in your workplace. Be sure also to interview a cross-section of your users to find out why they are using unauthorized personal devices, software, or cloud services in their workplace. And right from the get-go be sure to turn office politics right on its head — tell users your goal in all this is to make them happier at work, not to bring down the ax on their heads.
Once you’ve discovered who is doing what and why in the workplace, break the problem down into its component parts and prioritize them. For example, unauthorized devices are one aspect of shadow IT. These could be smartphones, tablets, or laptops. It might also be a NAS storage device sitting under someone’s desk.
Then there’s the problem of unauthorized applications. Most companies have controls that prevent users from installing applications themselves on their computers. Yet companies still end up with unauthorized programs installed on users’ computers. Why? Because a user asked a member of the IT staff to install a program they “really need” to get their work done, and the IT person did this for them. Why? To stop the user from continuing to bother them.
Finally, there’s the aspect of users storing business data on personal cloud services such as Microsoft OneDrive, Apple iCloud, or free Dropbox accounts. These services all talk HTTPS on port 443, the same port as every legitimate site your users visit, so a port-level firewall rule can’t even tell them apart from approved traffic; only hostname- or URL-aware filtering at a proxy can. Unless your firewall is as granular as the stubble in Jason Statham’s beard, you’re never likely to prevent users from accessing free cloud-based services like this from their locked-down Windows workstations. Besides, Statham probably needs a stylist to spend several hours each morning of a day’s filming just to make sure his stubble looks “just right” for his audience of swooning admirers. Why should you as network admin have to spend hours each morning opening and closing firewall rules just to make sure everything is perfect in your locked-down world?
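Before you can prioritize the cloud-services category you have to see it, and the cheapest place to see it is the outbound web proxy log that every locked-down workstation already passes through. What follows is an added example, not code from the original article: a Python script that triages constructed proxy log lines, separates consumer OneDrive, iCloud and Dropbox hosts from a sanctioned business tenant, and ranks users by bytes uploaded so you know where business data is actually leaving. The log format, the hostname lists, the sanctioned `contoso` tenant and every sample line are assumptions made up for illustration.

```python
"""Inventory personal cloud-storage use from web proxy logs.

Added example for illustration only; the log format, hostname lists,
sanctioned tenant and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed hostnames of the consumer services the article names. Suffix
# matching below means www.dropbox.com matches but notdropbox.com does not.
PERSONAL_CLOUD = {
    "onedrive.live.com": "OneDrive (personal)",
    "1drv.ms": "OneDrive (personal)",
    "icloud.com": "iCloud",
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
}

# Assumed: the business tenant the company sanctions. Traffic here is
# legitimate business use and must not be counted against anyone.
SANCTIONED = ("contoso.sharepoint.com", "contoso-my.sharepoint.com")

# Assumed proxy line format: timestamp user client_ip METHOD url status bytes_sent
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

# Constructed sample log: a Dropbox upload, sanctioned OneDrive for Business
# traffic, a consumer OneDrive upload (one attempt rejected), an iCloud
# visit, a look-alike domain, and a malformed line.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z jsmith 10.1.4.22 POST https://www.dropbox.com/upload 200 5242880
2024-03-04T09:12:07Z jsmith 10.1.4.22 GET https://www.dropbox.com/home 200 0
2024-03-04T09:15:33Z jsmith 10.1.4.22 PUT https://contoso-my.sharepoint.com/personal/jsmith/report.xlsx 200 204800
2024-03-04T09:20:10Z adoe 10.1.4.31 CONNECT onedrive.live.com:443 200 0
2024-03-04T09:21:45Z adoe 10.1.4.31 POST https://onedrive.live.com/api/upload 200 1048576
2024-03-04T09:22:00Z adoe 10.1.4.31 POST https://onedrive.live.com/api/upload 403 0
2024-03-04T09:30:00Z bkim 10.1.4.40 GET https://www.icloud.com/ 200 0
2024-03-04T09:30:05Z bkim 10.1.4.40 GET https://notdropbox.com/ 200 0
this line is garbage and must be skipped
"""


def hostname(url: str) -> str:
    """Lower-cased host from a URL; CONNECT lines carry only host:port."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def _suffix_match(host: str, suffixes: Iterable[str]) -> Optional[str]:
    """Match host against a domain suffix list without matching look-alikes."""
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def classify_host(host: str) -> Optional[str]:
    """Name of the personal cloud service behind host, or None if not one."""
    if _suffix_match(host, SANCTIONED):
        return None
    suffix = _suffix_match(host, PERSONAL_CLOUD)
    return PERSONAL_CLOUD[suffix] if suffix else None


def inventory(lines: Iterable[str]) -> Dict[str, Dict[str, Dict[str, int]]]:
    """Per user and service: successful requests and bytes sent by upload.

    Only 2xx responses count (a blocked or failed upload moved no data), and
    only PUT/POST bytes are treated as uploads, since that is where business
    data actually leaves the company.
    """
    counts = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "upload_bytes": 0}))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; in production, count these separately
        service = classify_host(hostname(m["url"]))
        if service is None or not m["status"].startswith("2"):
            continue
        entry = counts[m["user"]][service]
        entry["requests"] += 1
        if m["method"] in ("PUT", "POST"):
            entry["upload_bytes"] += int(m["bytes"])
    return {user: dict(services) for user, services in counts.items()}


def top_uploaders(inv: Dict[str, Dict[str, Dict[str, int]]]) -> List[Tuple[str, str, int]]:
    """(user, service, upload_bytes) rows, largest outflow first."""
    rows = [(u, s, e["upload_bytes"]) for u, svcs in inv.items() for s, e in svcs.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for user, service, upload in top_uploaders(inventory(SAMPLE_LOG.splitlines())):
        print(f"{user:<10} {service:<22} {upload:>10} bytes uploaded")
```

The sanctioned list is what turns this from a noisy report into one users will trust: the script deliberately ignores the company’s own OneDrive for Business tenant, counts only uploads that actually succeeded, and refuses to match look-alike domains, so a user is never confronted with traffic that was either approved or never left the building. The same classification works on DNS query logs if you have no proxy, though without byte counts you lose the ranking.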
At this point, you’re ready to implement your controls, both technical and policy-based, to address the shadow IT problems you’ve identified in your organization. Now here’s the key: policies are nothing; policy enforcement is everything. But the more policies you have, and the more complex they are, the more time and energy it will take you to enforce them properly.
This means that the key to effective policy enforcement is to implement the minimum number of simple, easy-to-manage policies needed to meet your goal. And don’t ever implement a policy you’re not prepared to diligently but fairly enforce.
Or as Clive Owen’s character said in the film Croupier, “Hold on tightly, let go lightly.” Maybe if IT professionals like us take more of this kind of attitude regarding both our managers and our users, we’ll be a lot happier.
Photo credits: Pixabay, FreeRange Stock