Shadow IT is becoming a big problem for many organizations. What are some of the things your organization does to identify and manage shadow IT?

19779 views
14 comments
8 upvotes
Anonymous Author
I’ve still got a lot of meetings where people get up and talk about shadow IT. I don't really believe that shadow IT exists anymore in the way it was described. In the command and control era, if anybody did anything without our knowledge, it was shadow IT, like, how did you go do that? Well, anybody that talks to us, they haven't really woken up to the new reality. In fact, ironically, IT has almost become shadow IT. If you think about it, the things we manage: the laptops, the Wi-Fi network, you know, make sure the security things are taken care of in the background. You know, these are not at all top of my concerns or most people that worry about our day-to-day business operations. They're worried about our Gainsight application or whatever. They purchased it to work in their particular functional area. What happened was we all thought, as technologists, that information technology should be used much more pervasively and was deeply ingrained into the day-to-day operations of the company for years. We would say we're really missing an opportunity here but it's innovating so fast. There are so many ways of getting more benefit out of technology. And then we kind of woke up and realized that functions went off and did what we said out loud. They're using technology in ways that meet their immediate interest.
2 upvotes
Anonymous Author
In a college environment it is very hard dealing with Shadow IT due to the fact most faculty expect "academic freedom" and can do whatever they need to in order to teach. To handle most of our Shadow IT issues we mainly try to educate our employees of the risks to the University due to the lack of security measures with Shadow IT.
1 upvotes
Anonymous Author
What we're trying to do is make them as partners-- shadow IT as partners and assist us so that we share the same policies. If you want to do certain things, do it this way. Although we don't have that big of a shadow IT presence on campus.
1 upvotes
Anonymous Author
As for the identification, we were able to get the majority of Shadow IT under control by the following things: proactive discussion between the IT Manager and department heads - it took some time to build the trust. The key success factor was the ability of IT to prove that the majority of the "shadow" systems could have been "legalized" without any impact to the business -- IT took over the administration and that was it. The second part of that was the identification of what the company is actually paying for -- this took some effort from Corporate Finance as many of these systems were being paid on a monthly basis by various credit cards or even expensed. In the end, Finance knows they are not supposed to pay for anything IT related unless the system & vendor was formally approved by the company (there's an inventory they can easily check). Of course, in the meantime we had to improve the system / vendor introduction procedures and we did spend a lot of time on the education and awareness. There are some residual non-compliances which are impossible to tame as we're in SaaS business ourselves and we allow our employees to use company laptops also for their personal purposes, but at least when it comes to the systems we are using for collaboration and business processes, we have regained the control.
1 upvotes
Anonymous Author
There are 2 ways in which we have been able to address Shadow IT issues. One is regulatory (SOX compliance) and the other one, which is more common, is the inability of the LoB to sustain and maintain the application on their own. I have experienced some cases where the LoB team have their own technology dev, analysis, QA and change management team to drive implementations, but fall short of meeting SOX compliance parameters. The best way to identify is to ask the LoB heads to self-disclose these applications in their area, failing which they will have to take care of any SOX audit issues by themselves (which most of the LoBs do not want to). Once these applications are disclosed, IT teams can create a risk profile around these apps, and share the same with LoB heads. The risk profile should indicate how quickly these applications have to be remediated to meet compliance factors. The rest is the standard SDLC process to help these applications meet the necessary standards and helping set up collaboration between LoB and Tech to manage these apps. Obviously you cannot solve all the shadow IT issues in a year or two; in fact you will have to live with it. It is a choice of which apps are to be managed by IT and which ones are to be left with business.
0 upvotes
Anonymous Author
Yes, some of these tools can help identify the cloud application access. These tools can help you identify accessing of some SaaS applications, Office 365 and any other portal that LoB may be accessing for business or non business purposes. Filtering them and identifying the right apps is hard. But unless the onus of identification and remediation is with business, the tools will not help.
0 upvotes
Anonymous Author
The need to help educate them on issues with running their own servers, printers etc. The reasons they don't want to is they believe IT is slow and cumbersome. However, what they miss is things like security issues, regulatory and compliance issues. The others are what happens when you have a problem or the equipment fails? I will assume you have control over the network, which means you have to have the tools to detect any malicious activity and you should be able to turn off any ports for physically connected devices and should be able to pull authorization or wireless.
0 upvotes
Anonymous Author
Here's a blog post that I wrote about #ShadowIT --> https://medium.com/@mdkail/how-can-cios-can-get-ahead-of-shadow-it-1604937598de
0 upvotes
Anonymous Author
Control it at the financial level. Set policies making it a fireable offense to expense IT services instead of going through procurement where it can be identified and controlled.
0 upvotes
Anonymous Author
Shadow IT is only a problem to the tech and security teams; to the line of business who adopted/implemented/developed it, the problem they have is that IT didn't give them what they wanted (Real or Perceived). The best way to overcome shadow IT is to stop working in isolation from the business. Connect with them and start asking what they need, and then delivering on it, even if that means taking over their Shadow IT elements - it's going to save you more time than trying to shut it all down. You're both there trying to achieve the same outcome for the overall business; keeping an 'us and them' mindset doesn't do that.
0 upvotes
Anonymous Author
CASB
0 upvotes
Anonymous Author
I agree with Midhat. Embrace it as a form of staff augmentation and see if you can get alignment with your vision, mission, practices.
0 upvotes
Anonymous Author
A good balanced article.  If shadow IT is not addressed properly, the risks can outweigh the benefits.
0 upvotes