Making Your IT Organization the Owners of Shadow IT

Copyright (c) 123RF Stock Photos
Copyright (c) 123RF Stock Photos

Cloud computing and BYOD are two growing challenges facing IT leaders today. Both feed directly into the ongoing problems of Shadow IT.

When a manager or employee cannot get what they want from the established IT structure, they go around that restriction by using external cloud providers and unauthorized devices. “Shadow IT” poses risks for the entire company since it opens up unknown security gaps, creates islands of isolated data, and overloads the network with unauthorized traffic.

The Answer is for IT to Own the Shadow IT

In almost every company, the designated authority for information technology assets, security, and access is the established IT department. To control the spread of Shadow IT, your organization needs to move from a reactive stance to a proactive stance. By doing this, you can take ownership of the Shadow IT that exists within the company.

  1. Have clear policies on BYOD and the use of cloud computing services. These policies allow business units to assess their needs against what is allowed. IT also needs a clear rapid process for approving technology not addressed currently.
  2. Offer IT authorized and managed alternatives. Today’s corporate world requires employees to have access to data no matter where they are. By offering authorized easy to use alternatives, your organization will cut down on some Shadow IT activities.
  3. Prioritize risk. Some software and services pose higher risks that others. Address the high-risk ones first. Either cut access through the infrastructure or ask the users to stop using those services.
  4. Restrict access to certain third-party apps. Cloud storage apps like DropBox and Sharepoint are good examples. Both pose high risks for data security. Make clear policies regarding these systems and communicate them to all employees.
  5. Monitor the network. When people plug in unauthorized devices, use risky apps, or access unmanaged cloud services, the network will know. You can quickly detect any of these accesses and track down who is doing it.
  6. Offer a period of amnesty for people to come forward to report use of Shadow IT. They will have the chance to explain why they are doing it and why current IT assets and services are not meeting their needs.

When you put these six items into place, you will gain ownership of the Shadow IT within your company. Letting Shadow IT grow inside your organization is not a good idea given the risks involved. Take ownership of it instead.