In 2015 we have seen the rise of cloud, apps, BYOD and the introduction of numerous devices which has blurred our personal and working lives. This has given rise to a growing problem in the enterprise – Shadow IT.
Shadow IT describes technology used by employees which has not received explicit approval from the company, while Stealth IT, although similar, refers to technology approved by departments other than the IT department.
Shadow IT has successfully infiltrated the workplace, with CIOs battling to regain control of the IT used by employees. For 2016, CBR lists 10 things that should be on every CIO’s Shadow IT wish list.
1. Eliminate Shadow IT
Number one on any CIO wishlist. Shadow IT puts the entire organisation at risk – security risks, data protection issues, duplicated tech, wasted investment and lack of visibility – so it is not surprising that CIOs want to regain control, tackle unsanctioned, unregulated services and apps and ultimately bid farewell to Shadow IT.
However, it is not that simple. IT has evolved and IT departments have relinquished full control over technology decisions to tech-savvy, BYOD-embracing employees whose consumer lives are producing better tech solutions than what they get at work.
CIOs should not be wishing to eliminate Shadow IT – some would even say it can’t be done – but they should be looking to understand, identify and learn from Shadow IT.
With the first wish effectively a non-starter, the following wishes are achievable for CIOS – and might go some way in helping to regain control over Shadow IT in 2016.
2. Get Shadow IT on the agenda
Dealing with Shadow IT is a company wide issue, regardless of position or department. The IT administrators have a huge daily workload, and with Shadow IT creating weaknesses in infrastructure and creating risks across security and data, this is one topic which should be on every CIOs agenda.
Decision making has to be fast and solutions need to be found to save time, money and effort in the long run. When Shadow IT is put on the agenda, it then needs to be actively communicated across all levels in the company.
3. Identify the worst offenders
There are numerous risks to Shadow IT, from wasted investment to data security issues, so knowing which apps and services are the worst offenders will give CIOs the first step in regaining control over Shadow IT. Business productivity apps such as Microsoft Office and Google Apps are the worst offenders, closely followed by storage and backup apps such as Dropbox or Box.
CIOs must not be blind to hardware either, with the humble USB commonly overlooked as a Shadow IT offender. Comms services like Skype and MSN undermine any investments CIOs have made in UC, while social media, led by Facebook and LinkedIn, can prove a tempting gateway for potential attackers.
4. Identify the worst of the worst
Some apps, cloud services and devices are more high risk than others – but the CIO must remember that not all Shadow IT is bad. It is important to prioritise the risk and deploy firewalls, proxies or MDM solutions in existing infrastructure to block the highest risk services in use.
Identifying users of these high-risk services is also important, and CIOs should have a comprehensive list of approved apps/services to give the offending users when the request is made for them to stop using those particular services.
5. Start Dialogue with employees
From Dropbox to Google Docs, employees are self-selecting applications to use at work. But why are they using these unsanctioned applications? CIOs can gain great insight into why employees are using certain applications, from seeing what employees pain points are and what investments need to be made in order to boost productivity.
Improving applications, devices and services for employees can help workplace productivity and stop employees turning to unsanctioned IT. Shadow IT should be viewed as how IT is failing to meet employee expectations.
6. Network visibility
As consumer and work lives continue to blur, the in-control CIO must have visibility, optimisation and control across hybrid clouds and networks. As BYOD adoption continues to gather pace in the enterprise, it is imperative that the CIO is aware of the cloud services and devices being used by employees.
If the CIO remains unaware of the hundreds of unsanctioned cloud services and devices being used by employees then SaaS applications and cloud will fail to perform to the service-level agreements determined by the business.
7. Data Control
Many employees rely on their smartphone, iPad, laptop and many other devices for both their personal and corporate lives. If a company seeks to control an employee’s personal smartphone, there might be a fight on the CIOs hands.
Instead, don’t look at the device, but at the data. The data is what is valuable to the company and employees will be much more responsive to IT controlling corporate information on personal devices.
8. Regain IT spend control
A CIO survey conducted by Logicalis found that 33% of CIOs globally are side-lined when it comes to IT purchasing decisions, with a huge 90% of global CIOs finding themselves by-passed by line of business at least sometimes.
CIOs have control, but just about, with the democratisation of IT presenting increasingly tough challenges to CIOs. CIOs should look to establish an internal service provider model which can deliver a choice of services based on what the organisation needs.
9. Establish a Code of Practice
All employees should across all levels and departments need to be aware of what is, and what isn’t, allowed when it comes to IT. The code of practice needs to be completely transparent and clear, setting out the IT responsibilities, standards and approved services of the organisation.
If employees clearly know what constitutes breaking IT company rules, then they are more likely to avoid those particular services or apps. The code of practice could be bolstered by internal workshops, presentations or a helpline.
10. Stay one step ahead
IT is constantly evolving, with new tech emerging on a daily basis. The business has to respond to this evolution and although a Code of Practice is a good start, things will change. Anticipate problems with new, unauthorised technology by being proactive and constantly communicating with employees and departments across the business.
Ask them what can be improved, why they have bypassed a certain area and ask about any new tech on the scene. Stay one step ahead of shadow IT by talking regularly with the people most likely to use it.
