“It doesn’t make sense to hire smart people and then tell them what to do, we hire smart people so they can tell us what to do.”
This is a great point-of-view and one I think will resonate with both employers and employees. If leaders everywhere adopted this perspective, then employers would feel even more empowered to innovate, and innovation is the key to success in these times. We only have to look at the move towards DevOps methodologies as an indication that businesses want to move faster and stay relevant in the marketplace.
I think this can be easily applied to shadow IT. Dealing with shadow IT inside your company can be an opportunity to get the smart people you employ to feedback new and novel ways to do things better.
What is Shadow IT?
Simply put, shadow IT is the unknown. It’s any IT being used in a business without the knowledge or approval of the business.
Some typical examples include:
- Email: Services like Gmail/Hotmail. Mostly this will be personal email, but what about any large file transfers which your internal Exchange server doesnt permit? Is intellectual property being transmitted beyond your firewall without your knowledge?
- File Storage: Dropbox/Box.com Online file storage services like these allow you much more flexibility with data. How does your team collaborate? Where are they keeping company data?
- Infrastructure Services: Amazon Web Services/Google Compute Engine, these public cloud services are a way to spin up an environment ready to install applications onto in minutes. If it takes your developers weeks to get a test environment internally and minutes on AWS, the how sure are you that they are always using the correct process?
- Social media – Facebook/WhatsApp Do you provide a way for your employees to communicate/collaborate? If a whatsapp group will help a team share information, are you sure its secure enough?
Why are companies worried?
Really it all boils down to one real risk, the security of company data. This isn’t to say that cloud services aren’t inherently secure, its more about the legal ramifications. It’s about knowing where your data is, so that if you are hacked, you know about it. There are other implications too though, such as high availability. If an application is running in the cloud without your knowledge and then the service goes down, how does that impact your business? Any unknowns mean risk.
Identifying the Risk
There are some very obvious starting points, which you can assume your users are already taking advantage of, such as Gmail, DropBox and Facebook. It’s important to have a company policy on these types of apps as a default, to ensure you are covered from a security/liability perspective.
The fist step is to understand what’s being used and how much. Sometimes, depending on the size of the company its simple enough to just ask around and ask your employees about the tools they use in their day-to-day tasks. However, in much larger organizations this is more difficult. Essentially to be sure, you need to monitor the activity on your network and look into the log data to see which applications are being used.
There are companies like Skyhigh Networks who provide tools and services for this. Solutions like this use probes to monitor your network and compare the logs against a database of known services, then provide you with a dashboard of apps being used and suggested ways to deal with them. There are also consultative approaches to this for large companies, for example VMware’s Advanced Advisory Services provide help with dealing with shadow IT as part of a data center transformation program.
Move out of the shadows without killing innovation
Once the use of Shadow IT has been identified, you can start to make changes to the IT processes and tools to reduce risk and increase security. This is where the opportunity lies, by questioning the impact. Is there a specific reason which means the software being used is inappropriate for your company? If not, then why not make it a company standard? Is it a security risk? Can this risk be mitigated easily? Are you concerned that a significant investment has been made in alternative solution and want to see a return in that investment? In that case it’s probably best to re-asses and potentially cut your losses in the interest of innovation.
I’ve seen two typical approaches to dealing with shadow IT in real life..
The first is the ostrich option (bury your head in the sand) ignoring any shadow IT actually exists, until it’s too late. We know that the ostrich option is highly risky and isn’t going to benefit you in any way.
The second approach is to give users an alternative version of the tools being used in the shadows Eg, Instead of Dropbox, move to Box.com or Set up a Jive environment to remove the collaboration through Facebook. This allows you the security and knowledge, bringing the process into the business and will allow you to understand the kinds of technology your users need to be effective in their roles.
An alternative to these typical approaches is to really embrace the power of collaboration. We’re looking for the best of both worlds, the innovation and novel ideas hiding in the shadows, but the collaboration and sharing, removing the unknowns. It might not be the most effective approach by reprimanding people who use shadow IT, but it could be an opportunity to understand what is needed to do the job faster and more effective. If the teams and individuals using the shadow it have great ideas on how to work faster, wouldn’t you want to share this with the rest of your teams and increase efficiency across the board? Why not reward the employees for novel ways to work, which they have proven to be effective? Then work with these mavericks to apply just enough process and security to be able to share their techniques with the rest of the organization.