How to investigate, identify and eradicate shadow IT
Shadow IT is an ever growing trend and one that can have a very real impact on a company's data and reputation, departmental spend and efficiency, and even its position as an IT leader.
Employees increasingly want access to 'any service, from any device, at any time and from any location'. This typically results in staff procuring their own ungoverned and unauthorised IT services; including storage solutions enabling them to upload sensitive company documents in order to work from home or share files with colleagues and clients.
A lack of complete governance of company data is a risk that can result in security problems, data loss, compliance breaches, accounting and tax complications, support problems or privacy rights.
It can also mean unpredictable costs, over-spending and even duplicate spending. Multiple studies have shown that as much as a third of all IT spending is taking place outside the IT department (TechRepublic, Network World & Enterprise CIO Forum).
Although the impact that consumerisation of IT can have in the corporate context cannot be completely stopped, it can be managed and controlled. These are some top tips on how to get ahead of the very real headache that is shadow IT:
1. Where to start – admit that you have a problem
You should have data points that demonstrate you have a problem and what factors are contributing to it. You should have some business intelligence around why you have a shadow IT problem and its potential scope and scale – this will all help in solving the problem. The first thing to understand is the drivers for your current situation, whether it is cost or lack of controls leading to too much user-level flexibility.
2. Investigate the situation
Issue a full audit to understand where your risks are and where costs are being incurred. Without knowing the full picture, you cannot start identifying the problems and their solutions. So once you believe that shadow IT exists within the organisation, the first step is to understand its nature and scale. This will enable you to focus your efforts in the most efficient manner to regain control. Typically, the business intelligence is already available to you, be that in the form of expense claims made by staff on credit card expenditure for cloud services or purchase orders through the procurement systems to IT service providers or requests to support new software or devices that were not raised by the IT department. To find other sources, you need to think about what form the shadow IT might be taking, and asking your employees to help identify any additional IT support systems they are using, such as Amazon, Dropbox, RightScale or SFDC (if not the corporate CRM system).
3. Identify the reasons behind the problems
Understand the nature of the shadow and why it is present. Harvesting this information gives you insight into the financial scale and nature of the problem and the source. From this foundation, you can then set about understanding the business drivers for your current situation - why there are particular shadow IT needs and what the alternative solutions are - providing that the existing corporate solution does not support the need. Once you have established this then you can make a decision regarding your solutions that will resolve the problems and what you are going to offer as an alternative to support the business drivers and user requirements. Most importantly in this stage, accept that requirements exist that corporate IT is not addressing effectively. This perspective will help you to understand the business rationale for going outside of the corporate IT governance model and the delivery gaps within the corporate IT function.
4. Eradicate the shadow – which route to take?
Once you know the causes of the problems, then you can start to resolve it. Furthermore, you need to decide on the best way to tackle the problems - there are several routes you can take:
· Ban it - however, this can be unrealistic and cause a drop in motivation and efficiency levels
· Provide a ‘corporate' alternative - provide a storage platform that's secure, compliant and private
· Accept it - but build a corporate procurement relationship and rules for usage.
5. Implementing the changes
Now that you know how you are going to solve the problem, you need to deliver the solution. One of the big questions should be, ‘who is going to deliver the changes'? As communication was probably key to the problems in the first place then teamwork is certainly going to be vital in overcoming them. A governance structure should be established, involving representatives from compliance, finance and IT departments. It might also be an advantage to have a stakeholder from each of the other divisions – this should guarantee that employees continue to collaborate with the IT department and fully understand the necessity of the changes.
6. Moving forward – communicate and educate
Depending on your approach to the problems, different levels of communication and training for your employees will be required. The new approaches and procedures will need to be communicated – including the advantages and disadvantages and the long term consequences. All users will not only need to be informed of the changes, but re-educated and trained in how to adopt them into their everyday working life.
7. Long term success – manage and evaluate
Your action plan may have solved the problem in the short-term but it is important to make sure that the compliance practices continue and that the company's efforts to affect change were not in vain. It isn't always easy for people to change the way they work, and they may now have to wait longer for IT support. However, there are ways to monitor this - use the team that delivered the solutions as your central hub of control, combined with continuous evaluation and broader engagement with the business and management through user groups and satisfaction surveys. It is also essential to look out for any new problems that may emerge - only then can you hope to keep the shadow IT at bay.
Tim Cox is CTO at ControlCircle