

Managing shadow IT risk to the business

With more users turning to external IT platforms to meet business needs, IT professionals must take steps to start managing shadow IT.

The cost of acquiring IT -- equipment, licenses, services -- is continuously falling. At least that's how your end users see it.

The laptops, tablets and smartphones driving enterprise mobility cost a few hundred dollars. Software as a service (SaaS) lets just about anyone obtain a low-cost or even free subscription, and open source software is freely available to anyone who wants to download it.

Why should end users go to the IT department for something when they perceive that procurement and activation will take ages and the cost will be horrendous? Instead, they can, and often will, do it all themselves.

There are a myriad of problems -- some obvious, some not quite so obvious -- with employees using external IT platforms.

This shadow IT approach may help the individual -- but does it help the group, department or organization? In a company of tens of thousands of people, it has always been problematic, even for a centralized IT department, to maintain control. For example, many large organizations will have five or more instances of their enterprise resource planning software running -- not because IT wants to, but because it has just happened that way.

Now, with every worker who holds a credit card acting as a de facto purchasing department, those thousands of users are a nightmare. Shadow IT isn't much better in smaller organizations. A 50-person company, for example, might not have an IT department at all; the IT person may simply be whoever has the biggest PC at home. That person's due diligence on managing shadow IT could stop at asking whether a purchase seems OK, with no compliance verification, functional testing or contract negotiation.

Dropbox, Box and other simple-to-use file sharing systems create silos of information that IT and the business are unaware of, disconnected from the centralized servers and storage of the data center or even approved cloud services. All of this information may be absent from aggregated capacity, secured content, usage and other reporting at higher levels, which can complicate business decisions. While an individual may have made his job easier, his rogue IT use could contribute to business failure.

Bring shadow IT in line with GRC

An organization cannot expect its employees to understand governance, risk and compliance (GRC) requirements such as data protection legislation, the handling of personally identifiable information or ISO standards. Data held on external IT platforms often breaks every GRC requirement that the company's IT organization strives to support.

Shadow IT also carries risk that only surfaces later. What if an external service provider goes out of business? What if the external platform is compromised by attackers? What happens to all that shadow-stored data? What if the employee leaves for a major competitor with the data still accessible to him through that external site, because nobody in IT knew the account existed and so nobody revoked it?

First, get an idea of what is really going on across your organization. Simple hardware and software asset mapping tools show what is attached and being run against your IT platform. There will probably be a few surprises there. For example, a department that didn't authorize spending on an enterprise-scale storage area network might have its own network attached storage box running, purchased outside its IT budget. Expect software compliance issues as well: That NAS box probably runs a copy of MySQL or Microsoft SQL Server, even though the organization's standard for database management is Oracle.

Once you know what external IT platforms are in use, you can do something to control it.

Get a traffic sniffer, such as Microsoft Network Monitor or Wireshark, and find out what is crossing the boundaries of your network. You would expect email and Web traffic. Web traffic over ports 80 and 443 is how SaaS vendors get through firewalls without any action required by users, and because most of it is now HTTPS you will not see the content, but you do not need to: DNS queries, the TLS Server Name Indication and your outbound proxy or firewall logs all reveal which hosts are being contacted. Identify where the traffic is coming from and going to, and build up a library of who is using what. At boundary scale, parsing proxy and DNS logs is more practical than capturing packets, and it gives you the same answer.
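The discovery step above, worked through in code. This is an added example and not part of the original article or any vendor tool; it assumes an outbound proxy that logs one line per request in a Squid-like layout (timestamp, client IP, authenticated user, method, URL or CONNECT target, status, bytes), an allowlist of approved domains kept by IT, and a handful of constructed log lines standing in for real traffic. It reports every destination outside the allowlist together with the users contacting it, the request count and the bytes involved, which is exactly the "who is using what" library the text calls for.

```python
"""Find unapproved SaaS destinations in outbound proxy logs (added example).

Assumptions, none of which come from the original article:
  - Log line layout: <epoch> <client_ip> <user> <method> <url-or-host:port> <status> <bytes>
    (CONNECT entries carry a bare host:port instead of a full URL, as HTTPS
    tunnels through a proxy usually do).
  - APPROVED_DOMAINS is IT's allowlist; a host is approved if it equals an
    entry or is a subdomain of one.
  - SAMPLE_LOG is constructed for illustration only.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

APPROVED_DOMAINS = {"example.com", "microsoft.com"}  # hypothetical allowlist

# Constructed sample traffic: approved and unapproved destinations, plus noise.
SAMPLE_LOG = """\
1700000000.123 10.1.2.3 alice GET https://mail.example.com/inbox 200 4321
1700000001.456 10.1.2.3 alice PUT https://www.dropbox.com/upload 200 1048576
1700000002.789 10.1.2.4 bob GET https://www.dropbox.com/home 200 2048
1700000003.012 10.1.2.5 carol GET http://crm.example.com/leads 200 512
1700000004.345 10.1.2.5 carol POST https://api.trello.com/1/cards 200 300
1700000005.678 10.1.2.4 bob GET https://www.dropbox.com/files 200 8192
1700000006.000 10.1.2.6 dave CONNECT www.dropbox.com:443 200 0
1700000007.111 10.1.2.3 alice GET https://login.microsoft.com/ 200 100
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    # A bare host:port (CONNECT) has no scheme; prefix '//' so urlsplit
    # treats it as a netloc rather than a path.
    if "://" not in target:
        target = "//" + target
    host = urlsplit(target).hostname
    if not host:
        return None
    return {
        "user": m.group("user"),
        "host": host.lower(),
        "method": m.group("method"),
        "bytes": int(m.group("bytes")),
    }


def is_approved(host, approved=APPROVED_DOMAINS):
    """True if host is an approved domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in approved)


def find_unapproved(log_text, approved=APPROVED_DOMAINS):
    """Aggregate unapproved destinations: host -> users, requests, bytes."""
    findings = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_approved(rec["host"], approved):
            continue
        entry = findings[rec["host"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
    return dict(findings)


def report(findings):
    """Render findings as lines, largest byte volume first."""
    rows = sorted(findings.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [
        f"{host}: {v['requests']} requests, {v['bytes']} bytes, users={sorted(v['users'])}"
        for host, v in rows
    ]


if __name__ == "__main__":
    for row in report(find_unapproved(SAMPLE_LOG)):
        print(row)
```

Run it against a real proxy export and the output is the list of services to take into the conversations the next section describes. The allowlist check deliberately matches subdomains, so a single `example.com` entry covers every internal host; tighten it to exact hosts if your approved SaaS vendors share a parent domain with services you have not sanctioned.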


Now you have the capability to take a big stick to your users and stop them from doing silly things. Except that approach will never work. You have a library of what external IT platforms are in use, but not why. Go talk to end users and find out what led them to sidestep IT. In some cases, it may be because they are unaware of existing enterprise capabilities. In other cases, it might be that they can't find any other way of doing it, and were afraid to approach you due to perceived complexities and the cost of a full-blown IT project. Look at their needs and judge the project's value to the business. Try asking other users if this project would benefit them as well.

If the user's shadow IT foray has solid business value, then evaluate the software or service that is being used. If it meets the enterprise's functional and security needs, then great. If not, can you find similar IT platforms that do?

This is where it also starts to get easier to bring the line of business heads back in order. You are showing that you are listening, taking on board some of the good stuff that they did outside of IT. As long as you provide equivalent or superior functionality, they should not worry about the underlying technology -- so, as in the example above, their choice of MySQL becomes immaterial, as long as you can do it in Oracle.

With all this information in hand, IT is far better prepared to ask for an investment to put in place a set of enterprise-grade services that end users can access via self-service. The costs of a robust internal IT offering are easily justified against the hidden costs of unfettered end-user choice being passed through credit card expense claims, and the softer costs of uncontrolled data issues not supporting GRC and decision making.

This also helps in managing shadow IT in the departments. The main board is now aware of the hidden costs of external IT platforms -- if a line of business manager wishes to go his own way, he doesn't have to justify it to you. He has to justify it to the company executives. IT regains control of budget, users and corporate information.

About the author:
Clive Longbottom is the co-founder and service director of IT research and analysis firm Quocirca, based in the U.K. Longbottom has more than 15 years of experience in the field. With a background in chemical engineering, he's worked on automation, control of hazardous substances, document management and knowledge management projects.
