Shadow IT - Counting the costs and managing the risks

Shadow IT risks exposing sensitive data and breaching compliance regulations. How should IT address this without eating into the productivity gains?

A recent report revealed that more than 85 per cent of cloud applications used in today’s enterprises are unsanctioned. That is the scale of shadow IT risks. For IT professionals with (very recent) memories of having complete control over both hardware and software infrastructure, the new freedoms that today’s users enjoy can be troubling.

The mainstreaming of mobile and cloud-based technologies has introduced unprecedented levels of user autonomy, in a broader climate of ever-increasing expectations of technology. The beauty of cloud-based systems and BYOD is the reduced learning curve for employees, helping raise productivity with ‘any place, any time’ flexibility. Proponents of Shadow IT argue that the enterprise as a whole has the potential to become more agile and efficient, better equipped to respond effectively to market change and gain new competitive advantage.

Without a corporate cloud adoption strategy, employees will access the online service that best meets their needs. After all, their sole focus is to get the job done, so factors such as security and compliance may not be a priority. Shadow IT, then, is a productivity gain that is here to stay. It plays strongly into the ‘always-on’ style of working that delivers flexibility into the working day, with staff able to work on familiar interfaces within devices that they may use in other areas of their lives. The learning curve is shorter than ever and the working day is longer than ever.

But if business users are unwilling to acknowledge the risks of shadow IT, they are something that IT must confront head on. Without some degree of control, maintaining data security and compliance across the enterprise becomes an impossible task, especially when identifying which services are in use is a challenge in itself.

What are the real risks of Shadow IT?

To ban BYOD and shadow IT may reinforce the idea of IT being a gatekeeper rather than an enabler of change. The first positive step is to understand what shadow IT risks really entail.

A recent Computer Weekly article pinpointed four areas that IT managers need to address:

Risk Area #1 - Asset management. This becomes an impossibility when users are deploying their own applications, often on corporate hardware, bypassing the licence management processes in place. The financial and legal costs of licence infringements are enough to keep IT leaders awake at night.

Risk Area #2 - Governance and Standards. Compliance with standards such as ISO 9001 is often underpinned by the IT infrastructure in place. If the documentation does not reflect what systems are in use, then the company risks losing business-critical accreditations due to shadow IT.

Risk Area #3 - Lack of testing and change control. Bypassing release management processes means that the impact of new device or application deployments is not considered.

Risk Area #4 - Configuration management. If new services or systems are not registered within configuration management databases, entire business areas may be unsupported by the IT department, which may not even be aware of them.

Regaining Just Enough Control

Because of the unquestionable business productivity benefits that counterbalance shadow IT risks, the answer lies in getting closer to the business, to understand the strategic drivers and underlying challenges, in order to deliver proactive solutions that meet genuine need. In some ways, the ubiquity of the cloud makes this easier, by freeing up time previously spent supporting and maintaining on-premise installations. This requires IT leaders to take a more strategic role in the enterprise. Targeting areas to outsource can be particularly helpful here.

Information Age has outlined four ways of taking back control without turning the clock back:

  1. Conduct a Shadow IT audit - This will give you an up-to-date picture of IT needs across the business.
  2. Seek out specialist providers - They will point you to business applications that are much more suitable than services in the consumer market.
  3. Strike a balance between security and accessibility - Don’t tighten up security to the point that you’re blocking services that meet genuine needs.
  4. Communicate risks with the business - In the process, deeper relationships with business stakeholders may deliver a whole wealth of benefits.
  5. Remain open to change - Bring about a cultural change within IT from technology-led to business-led development.

Takeaways:

  • 85% of cloud applications in today’s enterprises are unsanctioned.
  • Shadow IT risks have to be balanced against unquestionable productivity benefits.
  • Listen to the business and meet their needs in order to minimise the risks of shadow IT.

This was posted in Bdaily's Members' News section by Justin Milligan.
