Accommodating Shadow IT in a nice way
In my book, Reinventing the C-Suite (Chapter 3), I talk about how Millennials want to use their own hardware and software applications. This leads to Shadow IT, where the business doesn't know that computing is being done without its authorization, support, or governance. I do say that Shadow IT is manageable, but the book was not the place to expand on this, so I refer readers to this site.
So here's how to manage Shadow IT:
The shadow IT drive behind digitization and agile and lean-startup executive mindsets could push formal IT into a back-office role or create a disconnect between formal IT and business operations. Dealing with shadow IT has become an imperative, not by banning it but rather by creating an environment and tool-set that make it beneficial and easy for executives to use formal IT instead of looking elsewhere for their technology solutions.
CIOs can accommodate the need for shadow IT by implementing a range of initiatives:
IT should identify shadow IT in the organization where it can. Cloud discovery products should be used either as standalone products or as part of other IT management and security tools. Also, the log data from current firewalls, proxies, security information and event management, and mobile data management products can identify the cloud services being used outside of IT's purview. The data gathered will indicate which services are being used, who uses them and how often, how much data is uploaded and downloaded, and the source and destination of this data.
Not all shadow services and solutions are risky for the organization. Allow those that aren't to continue, but let the users know that you are aware of them and offer information and advice for the secure and compliant use of the solution.
Show understanding and support: It is counterproductive to penalize shadow IT users; they are usually merely trying to help themselves where they think IT cannot help them. Offer understanding to users of shadow IT and then offer support in line with your lower-risk alternatives.
CIOs know that most collaboration, file synchronization and transfer, and backup tools have corporate versions that combine user functionality with corporate visibility and policy. They should investigate and introduce the corporate version of individual tools.
Introduce an integration platform as a service (iPaaS) that allows staff to connect systems and data in a non-technical way, usually through drag-and-drop interfaces. Naturally the iPaaS must be inside the organization's security perimeter and must allow for monitoring and control from IT.
Organizational users expect access to data across locations and devices. Ensure that mobile access to IT-controlled data is available via Android and iOS devices.
Introduce a low-code or no-code development platform that allows managers and executives to solve their business problems themselves, again within the organization's perimeter.
Set up a shadow IT team that shows understanding to users and helps them solve their business and productivity issues using approved IT tools and applications. Set up a portal which offers advice on technologies and solutions and allows users to rate these according to their experience.
Run an information campaign on the potential risks of standalone spreadsheets. Provide cloud-based spreadsheet tools that allow for collaboration and integration. Data may then be imported from spreadsheets to a corporate database.
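The log-based discovery described in the first initiative above can be sketched in a few lines. This is an added example, not code from the book or from any discovery product; it assumes a simplified space-delimited proxy export and a hypothetical list of sanctioned services, and every log line and host name in it is constructed.

```python
from collections import defaultdict

# Constructed sample lines in an assumed export format:
# timestamp user src_ip dest_host bytes_uploaded bytes_downloaded
SAMPLE_LOG = """\
2024-05-01T09:00:12Z alice 10.0.4.21 files.examplebox.test 5242880 1024
2024-05-01T09:03:40Z bob 10.0.4.37 api.examplebox.test 1048576 2048
2024-05-01T09:05:02Z alice 10.0.4.21 mail.corp-suite.test 20480 81920
2024-05-01T09:07:55Z carol 10.0.7.5 app.quicksheets.test 4096 307200
malformed line that a real export will occasionally contain
2024-05-01T09:11:09Z alice 10.0.4.21 files.examplebox.test 3145728 512
2024-05-01T09:12:30Z dave 10.0.7.9 EXAMPLEBOX.test. 100 200
"""

# Hypothetical list of services IT already supports.
SANCTIONED = {"corp-suite.test"}

def service_of(host):
    # Rough service key: last two labels (a real tool would use the public suffix list).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def discover(log_text, sanctioned=SANCTIONED):
    """Return (report, skipped); report lists unsanctioned services, largest upload first."""
    usage = defaultdict(lambda: {"users": set(), "sources": set(),
                                 "requests": 0, "up": 0, "down": 0})
    skipped = 0
    for line in log_text.splitlines():
        try:
            _ts, user, src, host, up, down = line.split()
            up, down = int(up), int(down)
        except ValueError:  # wrong field count or non-numeric byte counts
            skipped += 1
            continue
        svc = service_of(host)
        if svc in sanctioned:
            continue
        rec = usage[svc]
        rec["users"].add(user)
        rec["sources"].add(src)
        rec["requests"] += 1
        rec["up"] += up
        rec["down"] += down
    return sorted(usage.items(), key=lambda kv: kv[1]["up"], reverse=True), skipped

if __name__ == "__main__":
    report, skipped = discover(SAMPLE_LOG)
    for svc, r in report:
        print(svc, sorted(r["users"]), r["requests"], r["up"], r["down"])
    print("skipped", skipped, "unparseable line(s)")
```

The report answers the questions listed above: which services are used, by whom and how often, and how much data moves in each direction. The skipped count shows how much of the export could not be parsed and therefore is not reflected in the totals.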