Managing Shadow IT in Three Steps

Regina Rakipova

Shadow IT has become an unavoidable part of enterprise workflows. With Skype, Google Docs, Dropbox, Slack, Evernote and similar tools, corporate data flows between unauthorized applications and services uncontrolled and unmanaged. In the previous post we talked about the inefficiencies and serious risks shadow IT poses, yet we also discovered a number of real benefits. However, those benefits are available only if shadow IT is managed correctly. Simply eliminating all shadow IT at once is not the answer: it is not efficient to ban SaaS, outlaw personal devices or restrict Internet usage. Instead, companies should come up with a solid strategy for finding the balance between security and enablement. Here are three steps to bring shadow IT under control:

Step One. Monitor and control existing IT resources

Shadow IT management starts with identifying and tracking unauthorized software, cloud services and devices already in use. To achieve visibility into shadow IT resources, organizations can implement IT Asset Management (ITAM) software. Such tools allow companies to monitor and manage new and existing software installations and cloud subscriptions, as well as their license agreements (e.g., EULA) and Terms of Service (ToS). In addition, companies can use Mobile Device Management (MDM) tools, Data Loss Prevention (DLP) systems, SIEM systems, Cloud Access Security Brokers (CASB), etc.

It is also important to put the necessary controls in place. Strict user privileges prevent installation of unauthorized software and control access to the network and applications.

Having the right tools combined with consistent security policies is fundamental for taking control over shadow IT.

Step Two. Streamline communication between IT and business units

In addressing shadow IT issues, successful communication between business units and IT is the key. Employees engage in shadow IT when they cannot find the applications and services required to do the job available within the company. So it is crucial for IT professionals to understand specific user requirements in order to choose the right software investment. When business units become part of the decision-making process, CIOs can close the gap between IT purchasing decisions and the actual needs of users.

Step Three. Establish effective corporate policies

It is important to explicitly communicate to employees how business information must be processed. This is done by educating staff, establishing governing policies (including an Acceptable Use Policy) and specifying in employment contracts the restrictions and the fines that apply in case of violation. For instance, employees can be prohibited from bringing in their own devices, rooting company-owned devices, downloading external applications or storing data in the cloud. Without clear governing policies, users may put business data at risk and compromise the company without even realizing it. After all, not everyone works in the IT department and not everyone is expected to know all the ins and outs of data security and regulatory compliance. Once users realize the potential consequences, they will likely be less inclined to engage in shadow IT.

Shadow IT cannot be completely eliminated, but it can be reduced and managed. The right strategy does more than ensure that potential risks are mitigated and expected benefits are enhanced: it transforms shadow IT into a powerful means for creating a more flexible and mobile workplace, which stimulates productivity and efficiency and, ultimately, drives company revenue.