What do you think of when you hear the term “shadow IT”?
If you’re like 78 percent of our audience at today’s online presentation, Embrace Shadow IT, you might not even know what that term means. At its most simple, shadow IT is any infrastructure, tool or technology used in your organization that your IT department doesn’t know about.
These days, shadow IT gets a pretty bad rap. People think of the technological equivalent of a black clad deviant, running through your organization disrupting processes and security. You want to get rid of it as quickly as possible, before damage is done.
But according to Jose Simonelli and Ian Tewksbury, Architects for Red Hat Consulting, shadow IT doesn’t have be a negative thing. Simonelli and Tewskbury were speakers at the GovLoop State and Local Virtual Innovators Summit. In fact, embracing shadow IT can actually have a positive impact on your organization’s culture and processes.
Simonelli and Tewksbury explained that the use of shadow IT by your internal users is most often a signal of a workflow need that isn’t currently being met, rather than a deliberate employee choice to undermine security. And while a user should go through the formal procedures established by your organization to deploy a new system, Tewksbury said the likelihood of rejection or potential lagtime to implementation often deters employees from taking those routes.
Rather than chastising your employees for circumventing the system, recognize their actions as signals of need. By ignoring these signals, your organization will continue missing efficiency opportunities and wasting money on ineffective or duplicative technologies. To make most the most of these signals, our experts offered a seven step process to embrace shadow IT:
- Inventory. As Tewksbury explained, “ You have to know what you’re embracing.” The first step to embracing shadow IT is to take stock of what solutions exist in your infrastructure. To do that, Tewksbury encouraged having one-on-one, non-accusatory conversations with users. Ask questions like, “What tools are you using to be more effective?” and “What tools do you wish you had?” You can also enlist your IT department to use infrastructure tools that inventory technical solutions on the network.
- Categorize. Once you build your list, you will likely find it long and duplicative. To make it easier to understand and more manageable, group shadow solutions into buckets based on the user need or workload they address. Functionalities, such as collaboration tools or interoffice communications, can also be used to categorize solutions. Then seek patterns among those categories. What greater needs are popping up in multiple buckets?
- Value. Next, assign values to each group again, considering functionality or need categories, rather than individual tools. As your evaluate tools, keep in mind the three key players in shadow IT – the user, the business owner, and the IT staff. You’ll want to consider how each tool category is impacting their business and the mission of your agency. Don’t forget to consider how the absence of that tool’s functionality may negatively impact your business.
- Build consensus. Out of that evaluation process, you’ll start to understand which tools or groups are most valuable to your organization. But you can’t deploy or scale them alone. Start to build understanding of what is most important and what you want to tackle first. Where you can’t seem to build consensus, consider de-prioritizing or even cutting that tool category from your list.
- Plan. Once you have a consensus, it’s time to get down to brass tacks. Aat this planning stage, our experts impressed the need to keep the current shadow IT user front and center in your considerations. Define steps that allow the early adopters to utilize the new service as soon as possible to avoid them going off on their own for the same service. Involve the user in the planning so they are aware of what new service will be available. Finally, incorporate a migration plan for the existing service to the new internalized services to minimize impact or adoption by the end user.
- Implement. In the last step, implementation, continue to keep your user up-to-date and involved. Tewksbury admitted it’s tempting to get to this final stage and want to talk solely about the cool new things technology will bring, once it’s implemented. “That’s the fun part, right?” he said. “But avoid doing that first. Reframe the conversation to be about the user. They don’t’ need a specific product or tool; they need functionality. They need a tool to do their job and deliver value to their organization.”
Finally, as you incorporate shadow IT into your formal infrastructure, remember that the user will continue to innovate. So even as you reach the implementation stage of this process, you should be preparing to re-inventory your infrastructure and learn what other new uses your staff have found for hidden technologies.
That agile, constant cycle may sound daunting. However, it’s really a learning opportunity that you can’t afford to miss. That’s what embracing shadow IT teaches you. “Let’s reframe the conversation,” concluded Tewksbury. “Embrace these technologies and learn what the user is telling you.”
To view the slides from today’s presentation, click here.
Employees are the worst offenders of Shadow IT not because they are evil or bad. Instead, it all comes down to one simple rule in cybersecurity, “Employees will ALWAYS circumvent security for personal convenience and productivity.” Even in physical security how often do employees tailgate to get through an open door. They tailgate because it is easier than swiping a badge.
When security and convenience are mutually inclusive then security protection increases.