Previous research completed in my role as a technical journalist was a reflection on the challenges of keeping ahead of technical debt. One of the red flags noted to watch was the topic of rogue software. This is a term that refers primarily to applications that are implemented without the knowledge or assistance of the corporate IT department. Shadow IT is an expanded use of the term that incorporates not only the implementation of software without consultation with IT but could also mean the use of any other additional resources for the purpose of implementing a technical solution that lives outside of enterprise IT and cybersecurity. This could mean the implementation of rogue software or even the utilization of outside consultants to rework the business processes that result in changes to the data that is fed into IT approved applications. Believe it or not, even with all that we know and the current trend to move to the cloud, shadow IT continues to cast a very dark shadow.
COVID and shadow IT: The impact just got higher
For every topic, and every subject, and every relationship that breaks down, there are always two sides to the story. Having been both part of the problem and part of the solution to both shadow IT and bad relationships, this article is a yellow flag approach to the impact of shadow IT. That is not to say that there may indeed be a silver lining, as identified and documented by Rahul Sharma in his article from July 2018. It’s just that in the times of COVID and work-from-home, both the probability and the impact of shadow IT just got higher. Shadow IT may have seemed to provide a solution at one historical point in time, but today it seems to be predominately listed as a risk. While it was absolutely a risk when applications were installed onto the hard drive of a personal computer or an external drive, we now have the added risk that the hardware that houses this rogue software may very well physically reside in a personal home. There is no way for the enterprise to ensure that employee computers are always secure, and there is definitely no way to ensure that an employee’s home office is always secured. In addition, there is no way to ensure that the users of said PC are savvy to phishing attacks. Confidential corporate information that resides on rogue software living on the hard drive of a personal computer or external drive is never considered to be a best practice.
In her article from January 2019 titled, Shadow IT is exploding — and so are the security risks, Monique Magalhaes outlines considerations to help secure organizations when faced with shadow IT. This article is still very relevant to our current technology culture. Much like pharmaceuticals, shadow IT can often be a Band-Aid that does not address or solve the issue it is intended to fix. Yet, we continue to live in the shadow as our stakeholders are still able to justify the logic behind their adoption of this practice.
Too much administration
While organizational processes are put in place to ensure compliance and standardization, it is not unheard of that we can sometimes overdo a good thing. One of the reasons organizational groups often step away from following the proper channel is the assumption that the proper channel will require too much red tape. By the time all of the required paperwork and approvals are in place, the momentum is lost, and the resources are engaged in other work. It is cases like this when shadow IT is usually implemented as a quick reaction to a problem identified by only a few. As a corporate entity, one of the pieces of administration that we often require before budget approval is a business case. Among substantial other information, the business case will outline the cost-benefit analysis. In short, we need to ensure that the investment is justified, and we want to ensure that the investment is in alignment with the solution. It may not make sense to invest a substantial dollar amount to improve a solution or process that only benefits a few people. Shadow IT solutions often are the result of a small number of stakeholders who want a solution without concern for the longer-term implications or the bigger picture. Often, rogue software is only identified following an upgrade to a seemingly unrelated enterprise software solution. All of a sudden, the rogue software fails to produce the desired result, and the corporate IT department is called in to find the problem. It is seldom a quick and dirty fix.
It takes too long
There is also the case in which stakeholders do not understand the importance of process or the system development lifecycle. The thought is that by the time due process is undertaken to gather formal requirements, the system in question could already have been implemented. It is important that we educate our stakeholders to understand why requirements are such a critical factor in establishing successful IT implementations. We need to do better at helping everyone within the enterprise recognize the implications of missing requirements, the loss of data integrity if an integration is missed, and the impending cost of either or both to the enterprise. When we do not take the proper time to understand the business problem, we run the risk of implementing a solution that misses key requirements that were unknown until the solution is tested.
Leadership is not, and most likely should not, be aware of the intimate details of the day-to-day work within the layers of the enterprise. We have all fallen victim to leadership that does not follow this rule. They are the micromanagers who watch over our shoulders and unknowingly cause a high rate of stress. Ultimately, leadership needs to know that objectives and deliverables are being met. In the process, if a working group of stakeholders is not engaged in lieu of input only from leadership, there is the potential that the solution may not provide day-to-day efficiencies. As a result, workarounds are built, and these fall very nicely into the category of shadow IT.
Shadow IT is a symptom of a larger issue
In Canada (and probably Texas), we call them Cowboys. These are the rogue techies who run rampant through an organization, building solutions with no purpose in mind. This paints a false picture that those responsible for implementing shadow IT are easily identifiable. For the most part, we all just want the tools that we require to get the job done efficiently and effectively. When we find ourselves without the tools we need, instinct kicks in, and we build them. The solution is simple. Engage the right stakeholders when gathering requirements, test processes often to ensure that they are still effective for the purpose in mind, and use lessons learned from cybersecurity to ensure that employees are educated on the reasons for organizational process.
Featured image: Pxfuel