The concept of Shadows IT and the implications for Online Security have recently moved to prominence in the IT community. It’s always been around but has only been dignified with a proper name.
Shadow IT – A Definition
Shadow IT is the deployment of new IT systems without the approval, and often the knowledge of the Central IT department. The advent of Cloud solutions and services has increased the growth in Shadow IT deployments.
Shadow IT – Implications
The implications of Shadow IT can be grave.
The organisation as a whole and individual departments do not involve ICT in strategic policy formulation or ICT development initiatives. As a result, departments can proceed on their own or with third party support to develop their individual programmes supporting their operational imperatives.
Because of their relatively low cost and availability, the introduction and operation of PC based standalone and networked systems is difficult to control. Departments install systems without the knowledge and participation of the ICT function. Support is provided by external third parties.
ICT systems become fragmented and uncoordinated and develop into Islands of Technology. Data integrity can be seriously compromised. While some ICT related policies and procedures might exist, Shadow IT ensures that they do not conform to any common standards of hardware, software or support.
The financial implications of providing support services like maintenance, software licence renewals and hardware replacement are not recorded in any budget.
Shadow IT has serious implications for Online Security. The potential for data leaks and malware attacks increases exponentially. Quite clearly the Online Security of the corporate network, its applications and its data is seriously compromised by the addition of unrecorded and often unknown systems, especially if there is uncontrolled access to the corporate network.
Shadow IT – How to Control The Risks
The root cause of the dislocation between ICT and the corporate entity has probably arisen over time, and from an inward-looking stance within IT. Simply put, senior management and user departments have no faith in IT being able to support their development programmes, and so the dislocation deepens. Shadow IT appears and expands. Resolving the Shadow IT issue is more than an IT issue, although it does have major implications for IT. Institutional politics will play a part.
In the short term, it may be difficult for IT to regain control over all IT developments in the organisation. Where an independent user application needs access to the corporate network or to corporate data, it will be possible to impose corporate Online Security protocols.
Other activities will be network and systems audits to see what additional systems and devices have been added, and where existing corporate solutions could be used to provide an equivalent service. The best solution is a long-term repositioning and upgrading of IT in the corporate environment.
The first thing that IT needs to recognise is that it is a subordinate, or service discipline – that it exists to meet the needs of the organisation and is not an end in itself. The implication of this realisation is that it needs to become very much closer to users so that it can understand, and importantly anticipate corporate and departmental requirements. In short, IT needs to adopt an outward-facing profile.
The first step is for the ICT leader to become part of the top-level policy-making body within the organisation to ensure IT has an influence on corporate decisions that may have ICT implications. This may be a difficult thing to do, but a necessary one. This will also reassure departments that their concerns are being heard at the highest level.
In the past, IT has tried to bridge the divide between IT and users by deploying staff to departments, or by designating particular staff members as the liaison between the department and IT. This has rarely been successful and has mainly been used as a sticking plaster over the underlying problem.
One approach under current discussion is to transform the IT department into a service department like HR or Finance. A full discussion of this repositioning of IT is beyond the scope of this document but will become necessary to counter the expansion of the Shadow IT environment.
In summary, Shadow IT will continue to be a problem, and only a root and branch repositioning of IT within the organisation will provide a long-term solution.