We live in a time of high-profile data and security breaches. Shadow IT is an obvious contributor to risk but, as we’ve discussed, there are reasons why people take that risk. So, understanding the causes and motivations for shadow IT is a good way to start.
If you are able to identify the reasons why your IT users are turning to shadow IT and propose workable solutions, you will stand a better chance of reducing both the problem and the risk that comes with it.
It’s a little like your IT users are your internal customers – how can you keep them onside, rather than have them do their own thing? To discover more, you could ask your IT users:
- What are the frustrations that led to the IT department being bypassed?
- What are their challenges, and why and how did their solutions make their life easier?
- How can you help them implement the IT they need?
As with any attempt to manage a situation, the best results involve understanding all sides of the problem. It involves a communication process and being prepared to learn from what you hear back. Here are some talking points to get the conversation going:
- Is your approval process taking too long? Perhaps IT is perceived as too controlling? Your IT users want to move with pace and innovate – are you holding them (and your business) back?
- Are your policies and guidelines pragmatic and clear? Your existing rules, requirements and policies regarding app and data usage should be based on your risk appetite, be clear and properly communicated. To avoid confusion, they should be simple and easy to understand and not too restrictive, where possible.
- Do your IT users properly understand the risks? You need to get them to understand the problems that shadow IT resources pose – and why you adhere to the security approach you’ve adopted.
- Are some solutions OK to use? For example, and depending on the risk appetite, many end-user apps and reports are built within the framework of third-party software that comes with comprehensive governance and security standards in place.
- Can you learn from their innovation? Your IT users may have developed an effective solution that serves their needs best. Provided it can meet the appropriate security and governance requirements, could it be adopted and bring benefits?