I’ve watched with interest the shifting perspectives on shadow IT over the years. While still an issue deserving of thought-provoking conversation, it’s no longer a CIO’s top pain point.
Or at least it isn’t the subject of an all-out ban as it once was. As a previous blog post by my Snow colleague points out, the rise of easily downloadable cloud technologies has enabled plenty of business-led IT purchasing in the spirit of improved productivity. This trend accelerated when the COVID-19 crisis sent employees home and forced most organizations to quickly stand-up remote work environments. In this new landscape, how can IT wholly block shadow IT?
Turns out, that isn’t the question to be asking.
It’s about your data
Savvy CIOs know blocking the download and/or installation of applications is much like drinking from a fire hose. Even with your best efforts, some will slip by and their price tags, bandwidth requirements and vulnerabilities, unfortunately, come with them. The crux of the shadow IT problem though should be security. Because throughout it all, your greatest concern should be your organization’s most important asset: your data.
With a growing emphasis on digital transformation, data as a strategic asset continues to evolve for most organizations. As its value climbs, so does its security needs. The risk shadow IT brings to your data gets played out in data loss prevention strategies whereby you need to prevent corporate IP from falling into the wrong hands, either illegally by sophisticated cybercriminals intent on profiting from your data or unwittingly from the private use of enterprise-grade collaboration apps who (under terms on consumer EULA) contractually come to own whatever your employees upload.
You also see it in data protection efforts as organizations work to comply with global data security and privacy regulations like GDPR and a host of others. You must know where your data is at all times and effectively demonstrate just how it's protected. With data and its protection a primary consideration when it comes to shadow IT, your perspective changes. Your tools and tactics do too.
Collaborate with your CDO
CIOs rely on software asset management (SAM) programs to gain deep insight into their software and cloud estate. What do you have, who has access to it, and how is it being used? This inventorying can not only save you budget when it comes time for a vendor licensing audit, but it can also generate red flags for the possibility of data at risk.
Reinforcing data as a strategic asset, Gartner predicts that three-quarters of large organizations will have a Chief Data Officer (CDO) by 2021. If you’re a CIO for a larger organization, chances are high that one of your colleagues is a CDO. If this is the case, you have a great opportunity to support the organization and each other in the flow and protection of data and in communicating to the workforce the importance of having good governance. Knowing what software and cloud applications are being used where, and by whom can inform data strategy and digital transformation projects, as well as drive data protection strategies.
How can IT educate?
Now, more than ever, IT teams are trying to find the right balance to effectively manage – but not control – their technology resources, budget and security measures. Unfortunately, with business-led IT, there may not be an IT veteran or procurement professional offering counsel to teams as they consider purchasing new services, applications, or even spinning up cloud instances. So while it’s no longer realistic to talk about eliminating shadow IT, there are steps you can take to better manage overall technology resources when driven by departments or individuals.
A good place to start is with education and ultimately transforming IT into the role of a trusted advisor. The goal is to enable users to make smart choices around their technology resources while putting governance and guardrails in place to ensure IT doesn't lose sight of what is in their environment in case something goes wrong. Because shadow IT has evolved and become an inevitable part of organizations, CDOs and CIOs should engage in regular discussions with employees about their needs and their understanding of the resources available. With more insight into employees' needs, IT will be better prepared to enable their workforce, as well as protect them.
For more on managing IT risk and protecting your organization’s data, download the e-book, Managing Governance and Risk in a Security-Centric World.