Don’t fear shadow IT -- exploit it and prosper

It's time to face a cold, hard fact: The "shadow IT" parade is passing you by, and if you don't get out in front of it and lead it where you want it to go, you might get run over.

Gartner projected in 2012 that marketing department spending on IT will surpass IT department spending on IT in the near future. True, that has yet to happen, but the scales keep tipping. Take a hard look at that future: You may not be in it.

Shadow IT has been presented as a new threat to IT departments because of the cloud. Not true -- the cloud has simply made it easier for non-IT personnel to acquire and create their own solutions without waiting for IT's permission. Moreover, the cloud has made this means of technical problem-solving more visible, bringing shadow IT into the light. In fact, "shadow IT" is more of a legacy pejorative for what should better be labeled "DIY IT." After all, shadow IT has always been about people solving their own problems with technology.

Here we take a look at how your organization can best go about leveraging the upside of DIY IT.

The IT department is simply too busy, overworked, understaffed, underutilized, and sometimes even too disinterested to take on every marketing Web application idea or mobile app initiative for field work that comes its way. There are too many strategic initiatives, mission-critical systems, and standards committee meetings, so folks outside IT are often left with little recourse but to invent their own solutions using whatever technical means and expertise they have or can find.

How can this be a bad thing

Because shadow IT practitioners are subject matter experts in their domain, the second drawback is unlikely. The third is an opportunity lost, but that's not scary enough to sweat. The first and fourth are the most likely to instill fear -- with good reason. If something goes wrong with a home-grown shadow IT solution, the IT department will likely be made responsible, even if you didn't know it existed.

The wrong response to these fears is to try to eradicate shadow IT. Because if you really want to wipe out shadow IT, you would have to have access to all the network logs, corporate credit card reports, phone bills, ISP bills, and firewall logs, and it would take some effort to identify and block all unauthorized traffic in and out of the corporate network. You would have to rig the network to refuse to connect to unsanctioned devices, as well as block access to websites and cloud services like Gmail, Dropbox, Salesforce, Google apps, Trello, and so on. Simply knowing all you would have to block access to would be a job in itself.

Worse, if you clamp down on DIY solutions you become an obstacle, and attempts to solve departmental problems will submerge even further into the shadows -- but it will never go away. The business needs underlying DIY IT are too important.

The reality is, if you shift your strategy to embrace DIY solutions the right way, people would be able to safely solve their own problems without too much IT involvement and IT would be able to accomplish more for the projects where its expertise and oversight is truly critical.

Seek out shadow IT projects and help them, but above all respect the fact that this problem-solving technique exists. The folks who launch a DIY project are not your enemies; they are your co-workers, trying to solve their own problems, hampered by limited resources and understanding. The IT department may not have many more resources to spread around, but you have an abundance of technical know-how. Sharing that does not deplete it.

You can find the trail of shadow IT by looking at network logs, scanning email traffic and attachments, and so forth. You must be willing to support these activities, even if you do not like them. Whether or not you like them, they exist, and they likely have good reasons for existing. It doesn't matter if they were not done with your permission or to your specifications. Assume that they are necessary and help them do it right.

IT departments have the expertise to help others select the right technical solution for their needs. I'm not talking about RFPs, vendor/product evaluation meetings, software selection committees -- those are typically time-wasting, ivory-tower circuses that satisfy no one. I'm talking about helping colleagues figure out what it is they truly want and teaching them how to evaluate and select a solution that works for them -- and is compliant with a small set of minimal, relevant standards and policies.

That expertise could be of enormous benefit to the rest of the company, if only it was shared. An approachable IT department that places a priority on helping people solve their own problems -- instead of expending enormous effort trying to prevent largely unlikely, possibly even imaginary problems -- is what you should be striving for.

Think of it as being helpful without being intrusive. Sharing your expertise and taking the lead in helping non-IT departments help themselves not only shows consideration for your colleagues' needs, but it also helps solve real problems for real people -- while keeping the IT department informed about the technology choices made throughout the organization. Moreover, it sets up the IT department for success instead of surprises when the inevitable integration and data migration requests appear.

Plus, it's a heck of a lot cheaper than reinventing the wheel unnecessarily.

IT is responsible for critical policies concerning the use of devices, networks, access to information, and so on. It is imperative that IT have in place a sane set of policies to safeguard the company from loss, liability, leakage, incomplete/inaccurate data, and security threats both internal and external. But everyone else has to live with these policies, too. If they are too onerous or convoluted or byzantine, they will be ignored.

Therefore, create policies that respect everyone's concerns and needs, not IT's alone. Here's the central question to ask yourself: Are you protecting the company or merely the status quo

Security is a legitimate concern, of course, but most SaaS vendors understand security at least as well as you do, if not better. Being involved in the DIY procurement process (without being a bottleneck or a dictator) lets you ensure that minimal security criteria are met.

Data integrity is likewise a legitimate concern, but control of company data is largely an illusion. You can make data available or not, but you cannot control how it is used once accessed. Train and trust your people, and verify their activities. You should not and cannot make all decisions for them in advance.

Regulatory compliance, auditing, traceability, and so on are legitimate concerns, but they do not trump the rights of workers to solve their own problems. All major companies in similar fields are subject to the same regulations as your company. How you choose to comply with those regulations is up to you. The way you've always done it is not the only way, and it's probably not even the best way. Here, investigating what the major players in your field do, especially if they are more modern, efficient, and "cloudy" than you, is a great start.

The simplest way to manage compliance is to isolate the affected software from the rest of the system, since compliance is more about auditing and accountability than proscriptive processes. The major movers and shakers in the Internet space are all over new technologies, techniques, employee empowerment, and streamlining initiatives. Join them, or eat their dust.

Once you have a sensible set of policies in place, it's high time to shine a light on shadow IT -- a celebratory spotlight, that is.

By championing DIY IT projects, you send a clear message that co-workers have no need to hide how they go about solving their problems. Make your intentions friendly and clear up front: that you are intent on improving business operations, recognizing and rewarding innovators and risk-takers, finding and helping those who need assistance, and promoting good practices for DIY IT. A short memo/email announcing this from a trusted, well-regarded executive is highly recommended.

Here are a few other ideas in helping you embrace DIY IT:

DIY IT can be a great benefit to your organization by relieving the load on the IT department and enabling more people to tap technical tools to be more productive in their work -- a win for everyone. But it can't happen without sane and balanced policies, active support from IT, and a companywide awareness that this sort of innovation and initiative is valued.

Related articles


Steven A. Lowe

Zur Startseite