Early in my first role as an IT manager, I was faced with a problem that is common today. Users were utilizing shadow IT on a regular basis because they wanted to use newer and more flexible tools. For those blissfully unaware, shadow IT encompasses all of the unauthorized IT gear and applications that are being run outside of the IT department. In my case, these ad hoc solutions had a very ugly spotlight thrown on them when sensitive data was accidentally exposed. The situation involved someone forwarding email to a personal account and using a free cloud storage provider to share data. The pain of picking up the pieces afterwards was significant.
There is a perception out there that the best way to deal with shadow IT is to kill it and punish the user. While I share the frustration and security concerns of anyone dealing with shadow IT, a more enlightened approach (once the bleeding has stopped) is to step back and figure out how your organization got down this path in the first place. After all, the end goal should be to bring everyone back into the officially sanctioned, secure, and reliable IT world.
Users turn to shadow IT because their needs (actual or perceived) are not being adequately met. They regard the IT department as an impediment to success. IT leaders must get out there and engage with their customers to embrace innovation. The goal should be to act as a service broker and deliver whatever is needed across the enterprise in a reliable, secure, and cost-effective manner.
A couple of thoughts to consider:
- Be Open – While IT may better understand the underlying technology and restrictions on it, the end users of a service or device are the experts when it comes to applying it. They’re far more aware of what is state of the art in their industry than the IT staff is. Be prepared to take their ideas and run with finding ways to implement them. Make sure your request for change (RFC) process is open and understood beyond the IT department. End users who know they will be heard are less likely to go outside the system.
- Share the Risk – Propose to share the risk with external leadership when introducing something new or unfamiliar instead of saying no. Make a joint assessment and decision about the potential risk and reward of implementation. Making them share the risk encourages responsible behavior and binds them to IT as a partner. If the decision is ultimately to say no, make that decision collectively so no one feels they have to go out on their own.
- Educate Without Alienating – A common critique heard from end users is that IT staff are condescending. Even with impeccable manners, misunderstandings can arise from a disagreement. Presenting information about how shadow IT can cause issues with duplication of effort, scalability, regulatory compliance (especially HIPAA and SOX), and security should be done in a way that doesn’t insult anyone’s intelligence or point fingers. Treating users like they’re children will cause them to ignore everything being said.
Looking forward, not only can you remediate shadow IT and get your organization back on track, you can foster innovation and keep shadow IT from coming back by utilizing smart, inclusive practices.