Thought leadership from SAI to accelerate your performance

Systems Alliance Blog

Opinion, advice and commentary on IT and business issues from SAI
Keyword: shadow it

Resolutions Your CIO Will Break – and What They Should Do Instead

The New Year is here and with it comes the flood of well-intentioned blog posts, emails and other announcements that things are going to be different this year. These posts, full of noble goals, will quickly be forgotten. Research has shown that at least 8 out of 10 New Year’s resolutions fail. Many are discarded within just a few days.

IT leaders are just as guilty as anyone else when it comes to failing to see their resolutions through to completion. One reason for that may be that while well-intentioned, their goals perhaps ought to be tweaked.

Here are a couple of hypothetical IT resolutions and their upgraded versions for IT Leaders to consider for this coming year:

1. Killing Off Shadow IT vs. Implementing a Flexible SaaS Policy

Shadow IT is not going away. The ubiquity of SaaS solutions makes procurement, deployment and regular use of shadow IT easier than ever. More than 80 percent of users admit to using at least some shadow IT resources on a regular basis.

This growth remains a grave concern for CIOs everywhere. Not only do they have rogue lines of business (LOBs) purchasing IT services, but they have data that is being exfiltrated into the cloud in ways that no one anticipated. The security concerns alone are enough to make IT leaders want to go on the warpath. Thus 2016 is the year to finally kill off Shadow IT, right?

Knocking back Shadow IT is the ultimate Sisyphean task. Not only will it require a huge expenditure of effort but it will alienate end users who are only trying to get their jobs done. This is a fight that IT leaders will not be able to sustain over the long haul.

A better alternative is to develop a more flexible and responsive policy toward SaaS solutions. Make “yes” the default answer when it comes to LOB users wanting to try new things (or they will go behind your back and do it anyway). At the same time, to mitigate common security concerns, give users the tools they need to do things like encrypt files before putting them in the cloud.

2. Hiring More Staff vs. Implementing Change Management

A common perception in many IT departments is that they are understaffed. The daily deluge of tickets, phone calls, requests and e-mails has them buried in work from sunrise to sunset. Frequently they are running from crisis to crisis, never having the opportunity to knock out any of what they planned. Half-completed tasks are the norm and stress levels are sky high.

On a recent project at a software company, we encountered this issue. If the client had been asked to come up with resolutions, this would have been at the top of the list. Every member of the team, including the VP, was convinced that they desperately needed to increase the size of their team just to keep up. End users were outraged by the lack of support from IT. The team needed to grow their headcount right away and they needed those new hires to hit the ground running—so everyone needed broad experience and deep technical skills.

What actually happened? At the end of the day, they hired only one additional entry level support engineer.

What changed? The entire IT Team got focused around working smarter instead of harder. Effective but lightweight change management policies were put in place around production infrastructure. After just one week of having a Change Control Board, the firefighting stopped and stress levels dropped. IT staff were able to actually plan out their work and accomplish some long-deferred projects that enhanced services for the company and its customers.

Seeing this in action made believers out of skeptics who were convinced that growing headcount was the only solution. Today they are regularly discussing issues like technical debt with their developers and thinking about adding new hires to expand capabilities rather than just demanding more firefighters.


Last week the Department of Health and Human Services announced a $218,400 settlement with St. Elizabeth’s Medical Center in Brighton, MA relating to a HIPAA compliance violation. 

This enormous fine wasn’t the result of employees deliberately leaking information.  It didn’t come as a result of a major data breach caused by criminal hackers.  It came about because hospital administrators didn’t have adequate controls in place around their IT.

From the Boston Globe:

“The settlement… comes after federal regulators investigated a 2012 complaint that employees at St. Elizabeth’s used an Internet-based document sharing program to store health information of at least 498 patients.”

Employees who likely meant well started putting sensitive data into the cloud.  That’s a major shadow IT headache for any organization.  For those businesses that are subject to HIPAA or other compliance requirements, it’s also a very expensive headache.

Back to the Globe:

“Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications,” Jocelyn Samuels, director of the HHS’s Office for Civil Rights, said in a statement. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

Think this can’t happen to your organization? Wrong.  According to the AMA, even if you’re in the dark about the rules you can be fined up to $50,000.  That’s a lot of money for an honest mistake.

If you’re handling any kind of sensitive patient data on your network, now is the time to take notice. Here’s where you should be focusing your efforts:

Training, Training, and More Training: Compliance issues are a people problem, not a technology problem. Having organization-wide understanding of compliance obligations is non-negotiable.  Eradicating shadow IT and making sure that all of your employees understand why they can’t use the latest fad cloud application without permission is vital.  Stop letting users make mistakes out of ignorance.

Policies and procedures and tools to share them matter.  Doctors may take an oath to do no harm but if they or other staffers don’t know the rules, how could they know if they’re hurting patients through noncompliance?

User Proofing Wherever Possible: Having active control around where sensitive data is stored and how it is transmitted is crucial.  That means you need a technical solution in place to enforce control obligations.  Systems that don’t enforce the standards by default will burn you.  This could be anything from automated filters to watch for particular content in emails, to encryption software that secures data at rest. 

Robust IT Governance Processes: Is your IT department disconnected from the strategic direction of the business?  How well aligned are IT’s priorities when compared with the end users?  Fixing gaps like these discourages users from trying to implement shadow IT.  If stakeholders are engaged through an IT Steering Committee or other governance structure they have the power to keep IT aligned with their needs.  There’s no reason to go it alone if you’ve got organizational partners who are focused on enabling the business.

Not sure where to get started?  SAI can help.

You’ve probably spent a lot of time and money to ensure compliance with government regulations and industry best practices. Whether you deal with SOX, HIPAA, PCI, or another set of controls for your industry, you’ve probably made a substantial investment to ensure you’re fully compliant.

Information systems play a critical role in many of these frameworks. Data security is intimately linked to privacy rules. Retention requirements are easily met through backups. IT staff and management are well versed in the rulebook, but what about your end users? While it is often easy to understand the technical controls that need to be in place, your internal policies and procedures are often equally important. ...Read More

Early into my first role as an IT manager, I was faced with a problem that is common today. Users were utilizing shadow IT on a regular basis because they wanted to use newer & more flexible tools. For those blissfully unaware, shadow IT encompasses all of the unauthorized IT gear and applications that are being run outside of the IT department. In my case, these ad hoc solutions had a very ugly spotlight thrown on them when sensitive data was accidentally exposed. The situation involved someone forwarding email to a personal account and using a free cloud storage provider to share data. The pain of picking up the pieces afterwards was significant....Read More

Jan 2016