“Shadow IT” or “Rogue IT”—I’d venture to say that all IT organizations experience it. It’s tempting for different parts of the business—when they feel that IT isn’t meeting their needs as quickly as they’d like—to find other ways to get things done. The problem is that they might be bypassing important security or availability controls, or creating IT functions that are impossible to maintain. In fact, IT sometimes appears slow because it is adding those security controls. And yet … the presence of shadow IT is often an indicator that business needs aren’t being met. When I was CIO of US Citizenship and Immigration Services, our solution was similar to what Nurani describes below, along with dramatically speeding up IT delivery through DevOps and the cloud.
By Nurani Parasuraman, AWS Customer Solutions
Shadow IT is not a new concept. It is a term used to describe unapproved IT systems and solutions deployed inside organizations. Some maintain that the cloud has been the reason behind proliferation of shadow IT. Interestingly enough, it actually existed well before cloud services became available. However, the democratization of technology through the cloud, where anyone with an internet connection and credit card can provision hardware, build, and launch applications, may have added fuel to the already simmering practice of shadow IT. This blog will outline best practices to address shadow IT by striking the right balance between its inherent risks and its potential rewards.
What Fuels Shadow IT? Should Organizations Be Concerned?
The genesis of shadow IT can be attributed to a fundamental difference in how business and technology view requirements for a feature, product, or service offering. The business naturally focuses on functional, tangible, end-user requirements such as ease of use, content relevance, personalization, and so on. The technology department, on the other hand, focuses more on the non-functional or intangibles such as performance, controls, security, reuse, scalability, disaster recovery, and maintainability.
Based on feedback from several business and technology leaders, top reasons for shadow IT to grow and thrive include: the ease of provisioning cloud services compared to tedious on-premises IT governance and approval cycles; non-agile delivery processes, drawn out timelines and higher costs associated with IT; business needs that aren’t met by IT solution(s); lack of necessary IT skills; limited IT capacity; and the business having more authority and discretion to spend money to meet their departmental goals.
Result? The business takes matters into its own hands to build and deploy solutions, bypassing the IT organization!
Enterprise IT has three options to deal with shadow IT: ignore, resist, or accept. Ignoring it is not advisable as there are too many risks involved. Resisting it by coming down hard on shadow IT with stricter controls and disciplinary action is detrimental to employee morale and productivity. Which leaves the recommended option: embracing the benefits of shadow IT for the greater good. Shadow IT is not necessarily bad, if monitored and managed. In fact, it serves as a breeding ground for innovation and can provide proofs of concept for future enterprise solutions. Think about it this way: on average, the IT staff is less than 5% of an organization—do you really want to keep the silent majority (i.e., the 95%) from innovating?
So, if shadow IT is good, are we saying organizations should not be concerned? No. Let’s see why.
Gartner had rightly predicted in 2016 that by 2020 one third of successful cyber attacks experienced by enterprises will be on their shadow IT resources. Unfettered shadow IT poses serious risks and can have significant ramifications for the company. Top risks include increased vulnerability to cyberattacks and data breaches; malware and ransomware exposure; risk of not meeting regulatory and compliance requirements; loss of intellectual property; scalability, performance, disaster recovery, and maintenance challenges if deployed without operational considerations; risk of fines and penalties if vendor licensing and agreement terms are not handled correctly; and lost price advantages of bulk purchasing.
So how do we foster a culture of experimentation that encourages thinking and acting outside the box but in a controlled, low-risk fashion? Sound like an oxymoron? Well, not entirely.
Managing Shadow IT: Proven Best Practices
Here are proven best practices taken from practitioners that have had success dealing with shadow IT over the years.
Leverage cloud offerings to standardize and make “common use” services available for use. Continuously evaluate and add to the list of available services. “Common use” services are those required by almost all functions in an organization and where shadow IT is most prevalent. Popular ones are: storage services, intended primarily for document and file sharing, both internally and externally; office productivity services such as project management tools, task tracking, capturing and sharing notes, scheduling, status reporting, and work request/issue tracking; collaboration services intended for quick ad-hoc collaboration such as chats, video and web conferencing, and desktop sharing; and business Intelligence services such as reporting UI, local databases, querying, dashboards, data modelling and analysis.
Ensure cloud service provisioning is painless, automated, and self-service enabled. One of the biggest advantages that the cloud offers is the ease and speed in hardware, software, and access provisioning. Any tedious internal process that delays the provisioning process defeats the whole purpose of agility. You would be surprised by how many organizations today have adopted cloud but still operate in a legacy on-premises mindset.
Eliminate barriers to experimentation. An effective strategy is to allow builders to experiment with new not-yet-approved products and services in a secure, controlled environment on the cloud using proper access policies without the risk of breach or malware. Ensure quick turnaround to any requests for service trials.
Decentralize innovation and software development functions. Centralize only those functions that add value and enable the decentralized teams. Centralized IT teams often cannot keep up with the pace of changes required by multiple business units. Consider decentralizing IT to business units with dedicated IT teams supporting them. The centralized IT department can focus on activities that accelerate the work of the decentralized teams to help them deliver for their business—for example, shared services, vendor management, tooling and automation for dev-ops, user and infrastructure provisioning, software upgrades, technology best practices, standards and guardrails for application engineering, operations, and security.
Monitor, evaluate risk, and remediate continuously. You cannot protect something that can’t be seen. Therefore, ensure tools are in place to scan logs, network traffic, and devices continuously for unapproved activities. Cloud services excel in such instrumentation, providing out-of-the-box tools for automated scanning, alerting, and even intelligent pattern detection—all a few clicks away. Evaluate and score the risk of each activity. Prioritize and act based on risk score. Connect with the teams that are engaged in the unapproved activity to understand the root cause before taking remedial actions.
Create a dedicated team for managing shadow IT risks. Consider creating a dedicated team that continuously monitors and mitigates risk. Once a stable process is established to track and remediate risks arising out of shadow IT, the team size can be reduced. This team can be part of the Cloud Center of Excellence (COE) team.
Be tolerant. Encourage an open and safe environment for employees to be transparent without fear of retribution. Establish a meeting cadence between IT and business units. Most teams, if not all, that bypass technology have good intentions and actually have a good reason to do so. Keep open dialogue with business units. Understand the true motivation for what the business is trying to solve before implementing a solution.
Improve training and awareness. Many shadow IT activities actually start without awareness of services and tools already available and approved for use. By simply providing a searchable online repository of available solutions and self-service processes to use them, you can drastically reduce unnecessary shadow IT adventures. One company I worked with went a step beyond. Their IT department provided a process to request secure sandboxes in the cloud to try out unsanctioned products and services. Additionally, everyone should be trained on how weak security practices can lead to data breaches and expose the company to all kinds of risks and penalties.
Shadow IT is here to stay. Harnessing the benefits from shadow IT is the way to go. Cloud services offer powerful tooling to manage shadow IT risk without stifling innovation. The best practices outlined above have proven to work and can help in dealing with shadow IT at a strategic level. More importantly, a good strategy needs a strong company culture as its foundation, and as Brian Chesky, Co-founder and CEO of Airbnb says, “When the culture is strong, you can trust everyone to do the right thing ”—remember to promote a culture of trust and openness. Assume positive intent. After all, aren’t we all working toward a common goal: keeping our customers happy?
Gartner, Inc. (2016, June 15). Gartner’s Top 10 Security Predictions 2016. Retrieved from Gartner.com: https://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016?cm_mmc=social-_-rm-_-gart-_-swg
Industry Week. (2007, September 19). IT Matters: IT Support Staff/End User Ratio “Short of Ideal”. Retrieved from Industryweek.com: https://www.industryweek.com/the-economy/public-policy/article/22007831/it-matters-it-support-staffend-user-ratio-short-of-ideal
Joann Starke, Cisco. (2016, March 23). The Shadow IT Dilemma. Retrieved from blogs.cisco.com: https://blogs.cisco.com/cloud/the-shadow-it-dilemma
Mark Schwartz. (2021, September 2). Centralize or Decentralize? Retrieved from https://aws.amazon.com/blogs/enterprise-strategy/centralize-or-decentralize/
McAfee.com. (2017). What Is Shadow IT? Retrieved from McAfee.com: https://www.mcafee.com/enterprise/en-in/security-awareness/cloud/what-is-shadow-it.html
Microsoft. (2019, April 15). Discover and manage shadow IT with Microsoft 365. Retrieved from microsoft.com: https://www.microsoft.com/security/blog/2019/04/15/discover-manage-shadow-it-with-microsoft-365/