Shadow IT continues to be prevalent in many organizations, bringing unknown and unmitigated risks into your environment. Several factors have accelerated the presence of shadow IT in recent years, such as bring-your-own-device policies, the increased need within business units to have flexibility to affect outcomes, tension between IT/GRC stakeholders and other operating areas, and an exponential reliance on employee devices and remote work due to the COVID-19 pandemic.
While there are a number of ways to combat the shadow IT issue, we’ve found one way to be more effective than others: building a collaborative culture. Gaining buy-in across different business units and stakeholders will have the greatest positive impact on preventing shadow IT. IT and GRC teams can take a progressive approach rather than leaning on elimination tactics.
Beginning with Why
Shadow IT is often a symptom of a larger problem. Consider the questions: Why are users bypassing IT in the first place?
- Are the technologies provided by the organization adequate, or do they make users’ workdays or work product less effective?
- Are there bottlenecks causing delays in the IT department?
- Are users and department leads aware of the authorized solutions available for use?
Give Users an Easy Button
If it is established that a shadow IT solution cannot be integrated into the approved solutions maintained by IT, a seamless transition to an approved solution is imperative to preventing shadow IT solutions from being acquired in the future. Remove barriers and make it easy for users to switch from the shadow IT solution to an IT-authorized solution.
Patience & Priorities
If shadow IT is rampant in your organization, consider implementing a grace period to give departments and users an opportunity to “come clean” about shadow IT solutions without fear of repercussions.
Not all shadow IT solutions are bad. Prioritize by the risk each shadow IT solution presents to the organization. Once a comprehensive inventory of shadow IT solutions is developed, identify the highest-risk services in use and address those first.
Collaboration is Key
Consider the following steps to begin building the foundation of a collaborative culture:
- Reset the conversation between business unit leaders and IT: there is time and space to both innovate and secure!
- Educate users about the risks of shadow IT and its potential impact on the organization.
- Establish responsibility for shadow IT: Is IT responsible? Are the business units held accountable for using unapproved software? Clearly outlining where this responsibility falls is vital to ensuring that shadow IT does not turn into a game of “pass the buck.”
Building a collaborative culture is a continuous process. Business units and IT departments need to commit to seeking common ground, being transparent about resource needs, and holding each other accountable.