Shadow IT: A Brief History
Enterprise IT was traditionally highly structured, expensive, and limited to a known set of hardware and software vendors. Every project would take a long time (months/years) to implement, typically requiring a lot of custom development to make it all work.
With this history, it’s no surprise that a company’s internal IT function strove to reduce variables. It was hard enough to get the solution you paid for to work well. And as long as employees were using desktop computers connected to the corporate network, keeping tight control and reducing variables was relatively straightforward.
As the consumer computer industry grew, accelerated by the rise of the Internet, we began to see a “consumerization” of IT. Employees started using laptops, on home networks and on the road. They started using their own computers and phones for “company” work. This created a massive headache for the traditional IT world that sought control and elimination of variables.
To manage this changing landscape, IT began its long fight against any non-sanctioned technology products. They even created a disparaging term for these unofficial products: “Shadow IT.” The traditional response to Shadow IT was to eliminate it and return control to the centralized process. An entire suite of tools was built to help manage and control Shadow IT. Wikipedia lists the typical “implications” of Shadow IT:
- Wasted time
- Inconsistent business logic
- Inconsistent approach
- Wasted investment
- Higher risk of data loss or leaks
- Barrier to enhancement
- Organizational dysfunction
- Effect on IT Departments
Notice a common thread: they are all negative. This is not an accident. And this pejorative attitude towards Shadow IT is pervasive to this day.
SaaS: Pandora’s Box for Shadow IT
While Shadow IT was a problem before SaaS, the proliferation of free, freemium, and inexpensive per-seat SaaS offerings resulted in a massive explosion in Shadow IT. This trend is exacerbated by shifting employee preferences. Employees are demanding to use their own devices (the massive BYOD trend). They are demanding better products that are as usable as the consumer software they’re used to. They are demanding to be able to work from anywhere. When employees are off the corporate network and hardware, traditional tools for managing and fighting Shadow IT (e.g. packet sniffing, computer agents) are rendered ineffective.
In fact, this desire for tight control has probably been counter-productive. As IT gets increasingly restrictive, employees simply go completely outside the view of traditional IT. This exacerbates Shadow IT, resulting in a much larger surface area of company tech usage and data sharing that is invisible to IT.
Inverting Shadow IT: Enlightened IT
The first step to effectively manage IT in today’s often SaaS-first world is an inversion of the typical attitude towards Shadow IT. Instead of focusing exclusively on its negative effects, we should also focus on the many benefits of this new world:
- Leveraging intelligence of the ENTIRE organization, not just IT / leadership
- Encouraging more experimentation leads to new product discovery and quicker org-wide adoption of new tools
- Organic adoption results in employees using the products they want
- Better product discovery as decisions get pushed to “users”
- Happier, more productive employees
The way to do that is to invert the traditional attitude towards Shadow IT: start with permission and restrict if needed, rather than start with restriction and approve through a centralized process. Require that products be blacklisted to prevent usage, rather than wait for them to be whitelisted before allowing usage.
We call this approach Enlightened IT. And it’s a great way to encourage bottom-up innovation and adoption in an organization. It’s also a better strategic approach to minimize downside risk by actually seeing everything and reducing blind spots.
How to effectively manage Enlightened IT
While it’s important to invert the traditional IT decision-making process, it’s even more important to do so in a smart, not reckless, way. In addition to a new outlook, it requires a different set of tools.
To make this work, you need to be able to:
- Easily capture accurate information on products that employees are using, especially when outside company networks or company-owned computers
- Discover product usage across the entire organization, not just traditional decision makers (everyone is a decision maker now)
- Be able and willing to promote and expand products that are working well and making employees happier and more productive
- Quickly find and address any security issues to minimize downside risk
- Be easily able to kill what’s not working or what’s not up to security or compliance guidelines
With that in place, you can begin a simple analysis of products that are discovered across the organization. They should fall into one of four buckets:
- Expand: Usage and adoption of products by teams and individuals can result in finding and choosing products that make the entire company happier and more productive. Products that meet both of these characteristics should be expanded to more users and teams, and even be brought into the core stack.
- Allow: A more open policy allows for many more products that may not necessarily need to be expanded, but serve a particular function for a particular team, and can go on doing so in a self-supported way. Plenty of department-specific tools, such as marketing lead enrichment, will fall under this bucket.
- Research: This is the most important part of the Enlightened IT framework. Experimentation with new apps is great and should be allowed and encouraged; however, monitoring and research are still important. Products that have access to sensitive information, e.g. financial, contracts, PII (personally identifiable information), should be more closely vetted to make sure they meet your internal security requirements. After that initial research, you can choose to expand, allow, or restrict.
- Restrict: Certain apps may always be restricted by your particular organization, due either to industry-specific compliance needs, particular team sensitivities, or proactive decisions to consolidate on certain tools. The appropriate framework is to think of these restricted apps as a specific “Blacklist.” The default for a new app is to be able to test it, but certain products can be blacklisted.
Changing the culture of an organization to encourage bottom-up adoption and more permissionless innovation will require buy-in from various teams, especially IT. If you can make this change, and start leveraging the product intelligence across the entire organization, you’ll likely have happier, more productive employees, and less worry about Shadow IT.
Enter Blissfully – Turning Shadow IT into Enlightened IT in a SaaS-first World
Blissfully automatically detects all the tools in use in your organization, across devices, and across networks. This is increasingly necessary as work moves onto personal devices and non-office networks. Keeping a pulse on what the organization is using is the critical first step to making sure you make the best choices, keep employees happy and productive, and minimize security risk. Check out Blissfully to see how we can help.