Plutora Blog - IT Governance, Software Development
Shadow IT: Learn From It to Get It Under Control
Why does your company have an IT department? At its core, this department employs best practices to ensure that company data is securely accessed, created, stored, and transmitted throughout your organization. This includes both hardware and software entities.
Shadow IT, on the other hand, is hardware and software that’s not created and controlled by an IT department. Even so, it’s neither shady nor malicious. Employees in other departments create shadow IT to help solve existing problems that aren’t being solved by your IT department.
In this article, we’ll consider how and why shadow IT is developed, and then we’ll explore some ways to control it successfully.
What’s Shadow IT?
Wikipedia provides a good list of examples of shadow IT:
Examples of these unofficial data flows include USB flash drives or other portable data storage devices, MSN Messenger or other online messaging software, Gmail or other online e-mail services, Google Docs or other online document sharing and Skype or other online VOIP software—and other less straightforward products: self-developed Access databases and self-developed Excel spreadsheets and macros. Security risks arise when data or applications move outside protected systems, networks, physical location, or security domains.
Your IT department knows how to manage applications to ensure that the company’s data is handled securely and produces accurate results. However, as a result of various circumstances and pressures within the company, shadow IT escapes the safety and predictability of IT management.
In other words, shadow IT is a bit like hacking within your own organization, but it’s done for a productive and good cause. It’s creating an ad-hoc hardware or software solution to an existing problem.
I know this definition may still be unclear, so let’s dig into a shadow IT story to further illustrate.
The Perfect Ingredients for Shadow IT
Once upon a time, there was… you, the manager of the IT department at a large insurance company. You’re responsible for ensuring that all employees can access and store company data easily and securely via various IT systems. The sales department, for example, must be able to provide the best price on premiums in accordance with company policies.
It All Starts With Pressure
One day, your company finds out that one of its direct competitors has introduced some form of a loyalty discount for their long-term customers. The longer a customer stays with the company, the larger the discount they’ll receive on their premiums. It’s a clever move on their part, and your company is now behind.
The marketing directors determine that your company must match this competitor’s offering for that particular state—now. As the IT manager, you’re asked to estimate how long it’ll take to make the necessary changes to the existing software. After a quick analysis, you determine it’ll take at least a month. However, the company must act quickly in order to keep up with the competition. It simply cannot wait for your department to implement all of these changes. In the meantime, the sales manager must find a manual way for his department to do this. So he does.
The Pressure Spreads
The next day, the sales manager calls an all-hands meeting. He informs everyone in the sales department that your company needs to recompute the cost of insurance premiums based on customer loyalty, starting after their first year as a customer. For every year a customer has stayed with your company, they’ll get a 2% discount on their monthly premiums—up to a 10% maximum discount. (Usually, there are a lot more complications to sort through in these kinds of situations, but let’s keep it simple for the sake of this illustration.)
The salespeople will now have to use a calculator instead of the company’s software to make their calculations. So you work with the sales manager to provide a formula and identify different scenarios when they’ll have to recompute the premium for existing customers. Everyone working in sales receives a set of steps: pull an existing policy, get the policy start date, figure out how many years the policy has been in effect, compute a percentage discount, and then apply that discount to the policy premium.
The company understands the extra burden this places on the Sales Department, but your competition is forcing you to act in order to survive in this tight marketplace.
The sales manager gives everyone the green light. “Let’s get to work,” he says. “We hope to complete the required changes to our IT system soon. But in the meantime, some overtime hours may be required.” So everyone scrambles to get this data, pulls out their pocket calculator, and computes the new premiums with the loyalty discount.
There you have it! All the ingredients are there for shadow IT to develop. You have competitive pressure, an outdated IT system that’s hard to adapt, and an increased employee workload.
A Shadow IT Is Born
Meet Amy, a salesperson for your insurance company. She’s bright, fast, and accurate, and she’s willing to help others in her department figure out the company’s old legacy software. Everyone wonders how she does it. The key to Amy’s success? She automates any repetitive task.
For a few days now, Amy has been using her calculator to figure out the new discount policy. The process is very repetitive and tedious. She knows she has to figure out a better way. Someone else would have continued using the calculator just to get things done. Not Amy.
A Star Employee to the Rescue
Amy figures out that she can connect a spreadsheet to the customer database, write a basic SQL query and some formulas, and automatically compute a customer’s discount. So with a few clicks and a couple of weekends of extra work, Amy develops a spreadsheet with all the existing policy data and the correct discount computed. She makes it available to a few people in her department, and pretty soon everyone is getting a copy of Amy’s super-duper spreadsheet.
Now every employee merely has to open the spreadsheet, enter the policy number in the nifty search field Amy created, and the spreadsheet takes them to the right discount.
“Awesome!” says everyone. Amy is a hero to her coworkers, and longtime customers are happy with the new discount. It’s a win-win. Problem solved! But at the same time, shadow IT has just been born inside your organization.
Shadow IT Spreads
Your company has a number of remote employees who really want to get a hold of Amy’s infamous spreadsheet. But the email system doesn’t allow large attachments due to security issues. Amy’s spreadsheet is pretty large because it contains a lot of data. Employees decide to save the spreadsheet to their personal thumb drives so they can use it when they work from home.
Everyone is happy for a short while… until you hear about Amy’s spreadsheet. You aren’t happy. Your CIO is absolutely livid and talking about shutting down the spreadsheet. However, the sales manager really needs that spreadsheet so his people don’t go crazy.
What’s going on? What is this mess?
Shadow IT Creates Security Risks
Amy’s handy spreadsheet has become the new standard for computing insurance premium discounts. But it’s based on formulas Amy created to solve the problem. Granted, the formulas are simple, but nobody checked to make sure the numbers are correct. And what if your company wants to change the discount formula to become even more competitive? How do you ensure that everyone uses the new formula with Amy’s spreadsheet?
The CIO becomes even more livid when he learns that Amy’s magical spreadsheet, which contains customer data, ended up on remote workers’ personal storage devices. This is a major security breach in the middle of your organization.
How to Get Shadow IT Under Control in 7 Steps
In order to successfully manage shadow IT, you must first understand it. I don’t mean understand shadow IT in general, but specifically how it’s being used inside your organization and why. If you just dismiss it and shut it down simply because your company has a general policy against it, then some of your best employees might end up leaving the company in frustration.
Let’s look at some things that will help you understand your own shadow IT and what to do about it.
1. Don’t Overreact
Normally, having shadow IT within your organization points to an existing problem. Unless you have clear proof of a person’s desire to harm your company willfully, then you must calm down. Overreacting and blaming people without having all the facts is very destructive.
Actually, if you blame people while you’re trying to figure out what’s going on, you’ll get a very limited view of the problem. If you’re angry, people will be too scared to inform you about how they use shadow IT. No matter who else above you may be frustrated (like your CIO), don’t convey that frustration to the employees. It doesn’t do anyone any good. Adopt a solution-finding attitude.
In this particular case, Amy’s spreadsheet saves your sales team a lot of time, which has a direct correlation to your company’s bottom line. So this spreadsheet by itself isn’t the problem. It’s actually a solution. It might not be the correct solution, but it’s a solution to a pressing problem for your sales department.
2. Understand the Problem Shadow IT Solves
You remain calm after you discover that shadow IT exists in your organization. That’s good! Your next step is to understand the problem your shadow IT is trying to solve. Get a hold of Amy’s spreadsheet and go talk to her. Learn what data is in the spreadsheet and talk to the users to find out how they’re using it. Is there customer data in the spreadsheet? What kinds?
Talk to the person who started sharing this particular piece of shadow IT. Whether it’s on a personal USB stick or a personal Wi-Fi access point, find the source and talk to the people involved. However, and I’ll say it again, do it in a solution-finding manner. If you talk to Amy and blame her for your current management headache, she might quit. Instead, you must find the true answer to the most important question about shadow IT: What problem is it designed to solve?
You must figure out the context of the situation that prompted Amy to create the spreadsheet. Listen, if the IT department could have changed the existing software system to automatically calculate the new loyalty discount, then this shadow IT wouldn’t exist, would it?
As I’ve demonstrated through this story, a perfect storm of events and pressures usually generates shadow IT. So you must understand the context, circumstances, and existing problems before you can determine what to do.
3. Understand the Solution Shadow IT Provides
Now that you’ve remained calm and gathered all the facts, you should have a good idea about the original problem. You must also understand the potential benefits of the shadow IT solution. Open Amy’s spreadsheet and look at the data. Examine the SQL query and see if her calculations are correct.
Keep in mind, however, that Amy works in sales, not IT. She created this to help her do her job. Amy didn’t create the spreadsheet with efficiency or security on her mind. So don’t scoff at her seeming lack of understanding of SQL or her disregard for query efficiency. Just focus on understanding what’s in front of you, or get someone who can—and fast.
You can also create some requirements for an improved solution that would solve the existing problem quickly. Even though it’s a bit early, you might get your own IT people engaged to help fix any problems with Amy’s spreadsheet and ensure that her formulas and results are correct.
4. Determine the Extent of Shadow IT
You must now figure out the full extent of shadow IT in your organization. Going back to our story, you must find out how many people are using Amy’s spreadsheet. If it’s only a few people, then the necessary measures are different than if the entire organization is using it. Track down the usage of the spreadsheet in a solution-finding way, rather than pointing fingers at everyone. Take immediate measures where you can in order to minimize the problem.
5. Determine the Risks
The fifth step has to do with mitigating the risks. By now you understand the problem Amy was trying to solve and the solution she developed, good or bad. You also understand what data is involved, how it’s obtained, and how it’s stored in the spreadsheet. This technical analysis coupled with understanding how far Amy’s shadow IT has spread within the organization will give you a clear picture of the existing and potential risks.
In our example, it looks like customer data has been exposed to personal computers. Get the right people involved, contain the spread, and ask everyone for solutions. At this point, some actions should become clear in your mind. You must first address any existing risks to customer data and then deal with any future consequences.
6. Find a Way Forward
Now you’re ready to find a way forward. Since changes to your existing IT system are still far off, you must figure out if you can somehow transform Amy’s solution so that it can be used securely by everyone. Maybe by this point, you have a new version of Amy’s spreadsheet that’s been corrected by your IT department. Hopefully, the new version incorporates logic fixes that ensure the results are correct, but it also limits the amount of customer data stored in the spreadsheet, which fixes the security risks.
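A check of the kind steps 3 and 6 call for, as an added example that is not from the original article or from Plutora: it recomputes each premium in a CSV export of the spreadsheet from the stated rule (2% per year, 10% cap) and lists the columns that go beyond what the calculation needs. The column names, the sample rows, and the reading that each completed year earns 2% are assumptions.

```python
import csv
import io
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

RATE_PER_YEAR = Decimal("0.02")   # 2% per year, from the article
MAX_DISCOUNT = Decimal("0.10")    # 10% cap, from the article
# Assumption: the only columns the discount calculation needs.
NEEDED = {"policy_number", "start_date", "base_premium", "discounted_premium"}

# Constructed sample export; names and values are made up.
SAMPLE_EXPORT = """
policy_number,customer_name,home_address,start_date,base_premium,discounted_premium
P-1001,A. Example,1 Test St,2019-03-15,100.00,90.00
P-1002,B. Example,2 Test St,2023-06-01,80.00,76.80
P-1003,C. Example,3 Test St,2012-01-10,200.00,148.00
P-1004,D. Example,4 Test St,2024-09-30,150.00,147.00
""".strip()
AS_OF = date(2025, 6, 1)  # fixed so the result is reproducible


def full_years(start, today):
    """Completed policy years; the anniversary day itself counts."""
    years = today.year - start.year
    if (today.month, today.day) < (start.month, start.day):
        years -= 1
    return max(years, 0)


def expected_premium(base, start, today):
    # Assumption: each completed year earns 2%, so year one earns nothing.
    discount = min(RATE_PER_YEAR * full_years(start, today), MAX_DISCOUNT)
    return (base * (1 - discount)).quantize(Decimal("0.01"), ROUND_HALF_UP)


def audit(csv_text, today):
    """Return (columns not needed for the calculation, mismatched rows)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    extra = sorted(set(reader.fieldnames) - NEEDED)
    mismatches = []
    for row in reader:
        want = expected_premium(Decimal(row["base_premium"]),
                                date.fromisoformat(row["start_date"]), today)
        got = Decimal(row["discounted_premium"])
        if got != want:
            mismatches.append((row["policy_number"], str(got), str(want)))
    return extra, mismatches


if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, AS_OF))
```

On the constructed rows, P-1003 is flagged because the sheet ignored the 10% cap and P-1004 because a discount was applied before a full year had passed; the name and address columns are reported as data the sheet does not need to carry.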
What’s next? Maybe you can make the new version of the spreadsheet read-only and ensure that it’s accessible by all of your salespeople through the corporate network so they don’t need to save it on their personal systems. This way, only your IT department can make modifications to the logic, ensuring consistent results and mitigating security risk. (This is just my simplistic idea for our fictitious example, of course.)
Is this the right solution? Certainly not for the long term, but it will help your employees tremendously, at least in the short term. It shows that you care about helping them do their jobs. It also shows that you listen to their problems and want to help solve them. Amy should feel appreciated instead of being identified as a problem employee.
How you walk this thin line between learning from shadow IT and fearing its risks will determine many things about your organization—including whether or not your employees consider it a great place to work.
7. Continually Deliver Great Systems
Any short-term solution must be labeled as such. Finding a short-term solution shouldn’t deter you from also working to implement all the new requirements inside your IT systems. Your data must be accessed and stored together securely by all of your employees. Yes, changes to a legacy IT system can be slow and costly; but they have to happen, and they must address the existing problems.
The best way to make sure shadow IT doesn’t happen very often is to continually deliver systems that solve your customers’ and employees’ problems. If you deliver clunky systems that leave lots of gaps for your employees to fill in, then shadow IT will happen more frequently.
I need to emphasize two words here: “continually deliver.” Keep in mind that this is a continual process for an IT manager—it never stops. It must include talking and working with your users on an ongoing basis, in addition to automated system monitoring and analytics, like this tool from Plutora.
Controlling Shadow IT the Wrong Way
If you focus only on creating a stricter company policy to try to eliminate shadow IT, then you will fail as a manager. Why? Because a new policy won’t solve the problem within your organization. In our example, the existing workflow for your sales team was inefficient and frustrating, which resulted in an inconsistent customer experience and a challenging employee experience.
A super-strict company policy that strives to eliminate every risk will never solve existing problems. Instead, it will most likely result in some of your best employees leaving your company when you need them the most. In essence, if you fail to learn from shadow IT and use it to the benefit of your company, you’ll become the victim of your fear.
Learn From Shadow IT in Order to Control It
The key to controlling shadow IT is to learn from it. Attempting to control it without understanding and solving its root causes will lead to frustration throughout your company. Failing to understand the solutions it provides can cause your organization to be overly concerned about the risk. When risk becomes your only focus, you may stifle your employees’ efficiency and creativity.
On the other hand, if you combine best IT practices with learning about and fixing the problems that shadow IT attempts to solve, your organization will move forward with everyone on board, ready to face the next challenge together.