Counter shadow IT with cooperation, tools and new procurement processes, writes Alessandro Porro, vice president of international at Ipswitch.
On top of everything else! An IT department has its hands full even if all the users keep to the rules. It sets up the company network, provides a functioning IT system at every workstation, keeps everything going and looks after security and stability. But in many businesses IT managers are increasingly having to contend with an additional source of pressure: shadow IT. Many departments or individual employees procure applications without the knowledge or authorisation of IT. A study by PricewaterhouseCoopers (PwC) found that between 15 and 30 percent of IT expenditure in the companies surveyed took place outside the official IT budget.
This rampant proliferation of IT has become an issue lurking in the shadows for all IT managers and it has been labelled “shadow IT”. The term describes the use of “non-approved IT products and services,” or, as Christopher Rentrop, Professor of Informatics at Konstanz University of Applied Sciences, put it in a lecture: shadow IT is “all applications that are acquired without the IT department’s involvement and whose use is not covered by IT service management (ITSM).” The phenomenon is not new. Bring Your Own Device (BYOD) has encouraged its spread and to a certain extent legitimised it in many companies. But it is not employees’ own devices that are the real problem. The hardware can be identified by network management tools, but monitoring social media platforms and cloud-based applications is very difficult. For example, staff can use Facebook or Dropbox to send or publish documents unobserved.
The failure to monitor, manage and eliminate non-approved software and services consumes bandwidth, slows networks, causes compliance problems, adds to the workload of IT departments and imposes an additional financial burden on them. Half the IT managers in the PwC study believe that 50 percent of their budget is being eaten up by the management of shadow IT. Transparency is what IT administrators strive for. In a survey of 400 IT administrators conducted by the network specialists Ipswitch, 12 percent named “shedding light on shadow IT” as their number one wish. They believe that their day-to-day work would be far easier if users revealed what applications they have installed on their work computers.
The procurement process
Again and again, departments put forward similar arguments to explain why they procure IT under the radar of the IT department. Three reasons crop up repeatedly both in studies and in one-to-one discussions. Firstly, the IT department is too sluggish and too weak in terms of action. Secondly, the IT department lacks the expertise needed to provide and operate certain applications. Thirdly, the IT department is too expensive and too complex. The business analysts Gartner predict that by 2020 at least 90 percent of the IT budget will be managed outside the IT department. Forrester, too, suggest that central IT departments may by then be largely obsolete. Shadow IT thus poses a threat to the very existence of IT departments. But might this trend not also represent a major opportunity?
The criticisms levelled at IT departments in connection with shadow IT should be taken seriously by companies – and in particular by IT departments themselves. One of the most important reasons why shadow IT is flourishing is that IT procurement processes in the majority of companies are currently ailing. It is these cumbersome processes that have been in use for more than 25 years that are casting the shadow. They must be re-thought and re-designed. Organisations need to focus on the needs of their staff and consider what acquisitions and procedures are needed to make employees more efficient, more effective and ultimately happier.
Listening to staff
IT administrators must encircle and capture shadow IT. The IT department should strive to become a constructive force by listening carefully to the workers. The risks cannot be contained unless the consumerisation of IT is viewed as an opportunity. Staff do not on the whole deliberately wish to circumvent IT procedures. They usually have a specific and acute problem that they need a solution to quickly. Naturally it is far easier for staff to use a cheap cloud-based solution from the Internet than to initiate lengthy IT procurement processes that may lead to nothing or fail to solve the core problem. In their private lives people are used to the convenience of using apps and cloud applications to make life easier. Why should they not do the same at work? This explains phenomena such as the great popularity of Dropbox in companies. The email system cannot cope with large attachments – so the employee quickly creates a link to Dropbox and the matter is swiftly dealt with.
It is time for IT departments to stop playing the heavy-handed ‘Big Brother’ in such situations and instead to seek cooperation. Five steps can mitigate the impacts of shadow IT and encourage cooperation with staff:
• A network management solution is needed that identifies unauthorised apps before they cause problems. A flow monitor is one such solution.
• The network’s bandwidth use must be transparent. The IT administrator needs to know where users, devices and applications could be pushing network capacity to its limits.
• A monitoring system that immediately identifies problem devices is needed. Who has access to what and via what device?
• Issues that cause the network to slow down or fail must be identified and resolved faster.
• To prevent the use of cloud services that cannot be monitored and put data security at risk, IT departments should make simple and efficient data exchange tools available.
Employees are concerned mainly with improving their everyday work. For example, a member of the sales department of a medium-sized IT dealer decided to download and adapt a small programme that automatically sent out updated price lists to the company’s partners. It is a useful little tool that he set up “without tedious approval processes and coordination” with IT. His managers became aware of it and regarded it positively. When the IT department noticed that the tool was being used, it initiated discussions and ended up taking the application under its wing. A monitoring solution now has the application on its radar and raises the alarm if a problem occurs with it.
Managing the impacts
Shadow IT is also used as a derogatory term for solutions that often help companies to become and remain successful. Many businesses in many sectors would be hard put to do without the advantages of shadow IT – whether in relation to simple procurement or a rapid solution to a work-related problem. Provided that the environment is not one with particularly high security requirements, IT departments should focus less on monitoring all acquisitions and installations and instead concentrate on having tools and solutions that can manage the results well. In other words, it is not about getting rid of shadow IT but about casting as much light on the darkness as possible. To attempt to blank out shadow IT or deny its existence would be to be blind to reality.
Cooperation with employees is important to create the necessary transparency. Monitoring tools can help safeguard the network’s performance, monitor the availability of applications and prevent misuse. Above all, though, it is essential to subject established IT procurement processes to thorough scrutiny and make them leaner and faster.
About Alessandro Porro
Alessandro Porro is the vice president of international for the Ipswitch network management division. Alessandro joined Ipswitch in 2004 and shortly thereafter became director of sales for Asia Pacific and Latin America, increasing revenues from those regions by more than 300pc in his first three years in that role. He was then promoted to oversee the division’s international interests and profitability, increasing revenues 468pc through all channels in six years. Alessandro spent over 12 years leading international sales both in the IT and manufacturing sectors, in Latin America (Southern Cone), Europe (Germany/Italy), and the United States.
Alessandro attended Boston University’s BA/MA program in international economics.
Alessandro still likes to reminisce about the years during which he was a semi-pro soccer player, but he enjoys spending his down time cooking, writing, and playing with his daughter Maia Elyse.