A Game of Shadows with the IT Admin

Level 14

"Shadow IT" refers to the IT systems, solutions, and services used by employees in an organization without the approval, knowledge, or support of the IT department. It is also referred to as "Stealth IT." In its widely known usage, Shadow IT is a negative term and is mostly condemned by IT teams because these solutions are NOT in line with the organization's requirements for control, documentation, security, and compliance. Because it increases the likelihood of unofficial and uncontrolled data flows, it makes it more difficult to comply with SOX, PCI DSS, FISMA, HIPAA, and many other regulatory compliance standards.

[Image: hidden-shadow.jpg]

The growth of shadow IT in recent years can be attributed to the increasing consumerization of technology, cloud computing services, and freeware services online that are easy to acquire and deploy without going through the corporate IT department.

  • Usage of Dropbox and other hosted services for storing and exchanging corporate information can be shadow IT.
  • Installation and usage of non-IT-approved software on company-provided devices is also shadow IT. Whether it is installing a photo editing tool, music player, or a pastime game, if your IT regulations are against them, they can also be shadow IT.
  • BYOD, not in accordance with the IT policy, can contribute to shadow IT as IT teams have no way of finding out and protecting corporate data stored on personal devices.
  • Even usage of USB drives or CDs to copy corporate data from corporate devices can be considered shadow IT, if the company’s IT policy has mandated against it.

CHALLENGES & ADVERSE IMPACT OF SHADOW IT

The foremost challenge is upholding security and data integrity. Shadow IT risks exposing sensitive data to destinations outside the network firewall, and it risks letting malicious programs and malware into the network, causing security breaches. Some companies take this very seriously and stipulate strict IT regulations that require an IT administrator's credentials to install new software on employee workstations. Some websites can also be blocked on the corporate network if there is a chance that employees could expose data through them. These could be social media, hosted online services, personal email, etc.

There have been various instances of compliance violations and financial penalties for companies that have had their customer information hacked due to the presence of intrusive malware in an employee’s system, leading to massive data breaches. Should we even start talking about the data breaches on the cloud? It'll be an endless story.

Additionally, shadow IT sets the stage for asset management and software licensing issues. It becomes the IT department's burden to constantly scan for non-IT-approved software and services being used by employees, and to remove them according to policy.
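The scanning the paragraph above describes can be automated on the defender's side. The following is an added example, not code from the original post or from its author, showing how an inventory export and a web-proxy log can be checked against an allowlist: unapproved packages are flagged per host and installing user, large uploads to domains outside the sanctioned list are flagged per user, and the two lists are correlated so that a user who both installed an unapproved sync client and pushed data to an unsanctioned domain surfaces first. The allowlists, the inventory rows, the log lines, the column layout and the 10 MiB threshold are all constructed assumptions for the example.

```python
"""Flag shadow-IT indicators from a software inventory and a proxy log.

Added example with constructed inputs; the CSV columns, log layout,
allowlists and threshold are assumptions, not any product's real format.
"""
import csv
import io
from urllib.parse import urlsplit

# Constructed allowlist of IT-approved software (compared case-insensitively).
APPROVED_SOFTWARE = {"microsoft office", "google chrome", "7-zip", "adobe reader"}

# Constructed list of sanctioned domains; subdomains of these are sanctioned too.
APPROVED_DOMAINS = {"mail.example.com", "sharepoint.example.com", "example.com"}

# Constructed inventory export: host, software, version, installed_by.
INVENTORY_CSV = """host,software,version,installed_by
ws-101,Microsoft Office,16.0,SYSTEM
ws-101,Dropbox,170.4,jdoe
ws-102,Google Chrome,120.0,SYSTEM
ws-102,uTorrent,3.6,asmith
ws-103,7-Zip,23.01,SYSTEM
"""

# Constructed proxy log: "<timestamp> <user> <method> <url> <status> <bytes_out>".
# The .invalid TLD is reserved, so these hosts are obviously placeholders.
PROXY_LOG = """2024-03-01T09:12:03Z jdoe GET https://mail.example.com/inbox 200 512
2024-03-01T09:13:44Z jdoe PUT https://upload.filehost.invalid/api/files 200 48213760
2024-03-01T09:15:10Z asmith POST https://sharepoint.example.com/upload 200 1048576
2024-03-01T09:20:51Z asmith POST https://drive.personal-cloud.invalid/up 200 5242880
"""

UPLOAD_METHODS = {"PUT", "POST"}
UPLOAD_BYTES_THRESHOLD = 10 * 1024 * 1024  # assumed: 10 MiB in one request


def unapproved_software(inventory_csv=INVENTORY_CSV):
    """Return (host, software, installed_by) for packages not on the allowlist."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["software"].strip().lower() not in APPROVED_SOFTWARE:
            findings.append((row["host"], row["software"], row["installed_by"]))
    return findings


def is_sanctioned(host):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)


def unsanctioned_uploads(proxy_log=PROXY_LOG):
    """Return (user, host, bytes) for large uploads to non-sanctioned domains."""
    findings = []
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) != 6:  # skip malformed lines rather than crash the scan
            continue
        _ts, user, method, url, _status, size = parts
        host = urlsplit(url).hostname or ""
        if (method in UPLOAD_METHODS
                and not is_sanctioned(host)
                and int(size) >= UPLOAD_BYTES_THRESHOLD):
            findings.append((user, host, int(size)))
    return findings


def correlated_users(inventory_csv=INVENTORY_CSV, proxy_log=PROXY_LOG):
    """Users who both installed unapproved software and uploaded to unsanctioned hosts."""
    installers = {user for _h, _s, user in unapproved_software(inventory_csv)}
    uploaders = {user for user, _h, _b in unsanctioned_uploads(proxy_log)}
    return sorted(installers & uploaders)


if __name__ == "__main__":
    for host, sw, who in unapproved_software():
        print(f"unapproved software: {sw} on {host} (installed by {who})")
    for user, host, size in unsanctioned_uploads():
        print(f"large upload: {user} sent {size} bytes to {host}")
    print("priority follow-up:", correlated_users())
```

Two design points are worth noting. The inventory check is an allowlist rather than a blocklist: anything IT has not approved is a finding, which matches the policy stance in the post, at the cost of more triage work. The upload check deliberately uses a size threshold, so asmith's 5 MiB post to a personal cloud host is not reported on its own; lowering the threshold trades fewer missed transfers for more noise, and the right value depends on the organisation.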

SHOULD SHADOW IT ALWAYS REMAIN A TABOO?

This is a debatable question because there are instances where shadow IT can be useful to employees. If IT policies and new software procurement procedures are too bureaucratic and time-consuming, and employees can get the job done quickly by resorting to free tools available online, then, from a business perspective, why not? There are also arguments that, when implemented properly, shadow IT can spur innovation. Organizations can find faster and more productive ways of doing work with newer and cheaper technologies.

What is your take on shadow IT? No doubt it comes with more bane than boon. How does your organization deal with it?

22 Comments
Jfrazier
Level 18

It is handled here via group policy, asset auditing, scans of PC's for non-approved software, blocked USB ports, etc.

xbod
Level 11

The reason this is still a thing is because it works...for the users.  I've seen it countless times, they want to do job A, but for whatever reason they don't have approval for the system/software they need.  So, they find something to get the job done, and then when IT comes along to take it away, they put up a fight, and often times, win.

My point to the user has always been, why don't you ask about the workaround software/system?  You never know, IT may be willing to let you try something.

rharland2012
Level 15

And many times, IT's hands are tied - since they're not allowed to *support* the shadow app.

The biggest break I see with shadow stuff is that since the user opportunistically finds something to help them get their job done - and the business doesn't see an unanswered need, because the users aren't necessarily going to inform management/decision makers that they've answered that need on their own - the business never finds out about these needs until after the fact, and are typically loath to spend cash to 'legitimize' the app/software/whatever. After all, they didn't plan for it, didn't budget for it, and have a default answer of 'no' when spending unsanctioned cash.

If IT puts out a blanket statement that 'use of nonapproved apps is unsupported', that does two things. It usually makes IT look like the gatekeeper, and it still ends up requiring administrative overhead - since depending on the user, they're STILL going to get 'support' if the situation is dire enough and they've leveraged the shadow app so deeply there's no going back.

It's a tough one.

jkump
Level 15

I have been fortunate in the companies that I have worked for that the policy has been that anything IT related goes through the IT department.  This is set at the CEO and follows down through the ranks.  It is then the discretion of IT as to whether or not to dedicate resources or allow the system to be supported elsewhere, but the system is KNOWN to the IT department and always falls in line with the policy.

gfsutherland
Level 14

True... I have worked in a couple of places where some departments bring "rogue" devices on board so that they become dependent upon them. Then, when there is a problem.... IT is called, forced to support and eventually take over support, upgrades and the like. One of the greatest examples I have of this is a member of the marketing group (in another life) who brought in their Mac and then it died, then expected IT to fix it; we did and subsequently were forced to support and budget for hardware and software. Made patching and security a nightmare.

In the end, it depends on the organization and the commitment to security and standardization.... Communication with other departments is vital so they understand the issues and IT understands the business need.

It is a classic "Push me - Pull Me"

mr.e
Level 14

Sometimes Shadow IT shows up in the least expected places.  I remember, about 10 years ago, being called into a meeting about wireless problems, in which techs from many parts of the country were called. When I joined the call, I asked what the wireless problem was.  I was told that someone very high in upper management could not connect to the network.  The fact that so many people (over 20 persons) were called to troubleshoot wireless issues for one person puzzled me a bit.

But that was not all: this manager had bought his own network card -- which was not vetted by us.  He was upset that his computer was not connecting to the firm's network.  We did fix the problem, but during the entire call, I was trying to locate the "candid camera". As I said, sometimes Shadow IT does show up where you'd least expect it.

novasamurai
Level 12

We do the same (until recently it was working), but as an organization grows quickly, on occasion a few managers fall out and get their own technology solutions, because they think IT is too busy.

In a recent project I was switching out some vanity URLs. The business owner said I missed one; I replied back with the Whois record that pointed out that the domain in question was purchased personally and not by the company, so I could not support it directly unless they transferred the domain. Otherwise it is on their dime to change it, not IT's.

So who is to blame, IT for not being able to work more than 24 hours in a day or the end users for filling a business need promptly? I think it is much deeper than technology. I agree it is at the C-level where it needs to start.

jkump
Level 15

Funny just had a situation whereby another department purchased a product that was supposed to be a cloud-based policy administration tool and then when it was supposed to go live, oh yeah, we need access to your LDAP servers to allow authentication.  This is suddenly a big deal.  If they would have followed procedure, IT would have been involved and it would not have turned into such a big deal.

superfly99
Level 17

We have the same here. If we don't know about it, it won't be supported. But there's always exceptions to the rule.

vjerez4129
Level 13

At least at my old job, we didn't have many restrictions (at least that I know of) on shadow IT. In many instances my supervisor just told me to look up different software or whatever I needed to get the job done... (btw love the picture, just curious as to where you found it? It looks a lot like the winning picture of one of our commencement contests at my alma mater - Pensacola Christian College)

bspencer63
Level 12

Sometimes it takes the IT Dark Shadows to prove a point!

Agree with rharland that no matter what the IT department does, once any blanket statement is out there, administrative overhead is just going to be there.  It's one of the costs we must absorb and deal with on a daily basis.

Agree superfly99, there are always going to be exceptions!  With a couple hundred partners in the law firm where I work, there is always leeway to grant and allow for the members!

Jfrazier, if only we could get the freedom and approval to block and deny here!  LOL

And finally xbod, so true, so true.  Take the candy away and watch them cry!  Better if you can just deny from the get-go!

Good topic vinod.mohan!  The pic is very apropos!

mcam
Level 14

Shadow IT is odd though, as more and more companies expect their users to personally supply mobile devices etc. In the mobile space "Shadow IT" is the norm.

rharland2012
Level 15

You're right - and that's perfectly okay if our users' expectations are in line with a self-service model. That doesn't always seem to be the case, however.

novasamurai
Level 12

Good point on the BYOD mobile side. Some companies have embraced Shadow IT by actually calling it out and giving it boundaries. I believe IBM does this with its workforce as most of them are mobile. There are parts that are supported by IT, and parts that are not. Another example is King County, Washington, that has an IT as a Service model where the County provides IT services for each of its agencies based on a set "Service Catalog"; for service items they bid and compete with outside contractors for the agencies' IT business. King County also embraces the BYOD model for mobile devices.

Disclaimer: I do not work for nor have worked for either organization. Just happened to remember from past research in BYOD white papers and conference talk notes. 

mattpearce
Level 7

A problem can be if a department bypasses the approval loop for purchasing software; IT have contacts and can get a better deal to meet requirements. They don't always take into consideration the compatibility or PC power required to operate it, how it copes in a domain environment, licensing issues (free at home, but a cost for businesses) etc.

Jfrazier
Level 18

It also gets to be interesting when multiple departments have obtained different software titles to do the same thing.

They have different requirements and in time tend to cause issues because nobody is following the same set of standards...

rharland2012
Level 15

Re: King County - this is why I love ITIL when executed well. The service catalog takes the mystery out of the IT offerings, and by following the framework, IT has already established it can effectively support an offering if it actually makes it into the catalog.

muwale
Level 12

Shadow IT is odd though, as more and more companies expect their users to personally supply mobile devices etc.

byrona
Level 21

I think one piece to solving this problem is bringing Shadow IT out of the shadows and letting it happen in the open and not necessarily discouraging it completely.

I think you certainly need to secure your production infrastructure and control what types of activities take place there; this is certainly not the place for shadow IT activities.  However, I think it is important to let IT people have a place where they can have that creative outlet to play with new technologies even if it isn't directly related to any specific company-sponsored project.  By doing this IT folks keep their skills sharp, they have the creative outlet they need to enjoy their job, and they learn about new technologies that may at some point benefit the company.  The solution is to create a lab for this that is detached from the production infrastructure and allow your IT folks to allocate a certain percentage of their time to learning activities, which can include working in the lab.

don.king
Level 8

Hard to see what other regions are adding to the network

toyedeji
Level 8

I think it depends on the environment. Shadow IT tools can create much worse problems in certain environments, and it would be a smart move not to allow them. On the other hand, I know of SysAdmins who have their own hidden collection of shadow tools that help get past the occasional hurdle that requires an "out-of-the-box" solution.

ukybruce
Level 8

Depends on the environment and vertical. But for the most part, I see it locked down.