Build a shadow IT strategy all departments will love

To minimize shadow IT risks in the enterprise, some IT pros find that adhering to the old adage, 'if you can't beat 'em, join 'em' is the best approach.

It's a phenomenon that's at least as old as the PC: business departments and end users deciding to bust loose from the constraints of corporate IT to do their own thing. Today, thanks in part to the wide range of offerings available through the cloud, that phenomenon -- now called shadow IT -- is experiencing a major comeback.

And while building a shadow IT strategy can be as challenging now as it was 35 years ago, one increasingly common approach is for organizations to accept it, rather than fight it.

"If you can't beat 'em, join 'em," said Joe Fuller, vice president and CIO of Dominion Enterprises, a marketing company based in Norfolk, VA. His company, which produces print advertising magazines such as Auto Trader, now operates 26 listings sites, including Homes.com and Boattrader.com. That, in turn, means operating two data centers where most of those sites are hosted.

"We don't try to battle shadow IT; we try to embrace it," Fuller said. His department provides direct connections to Amazon Web Services (AWS) and Microsoft Azure from its data center in nearby Ashburn, VA. Dominion's internal hosting rates mimic AWS rates. "When we send our bill for hosting to our internal business customers, we include a recap of their cloud billing, too, so the business leaders can see what they are spending inside and outside the company," Fuller said.

Fuller is also training the company's systems and network engineers on AWS and Azure so they can be a resource to the development teams that use those services outside IT's hosting environment.

Four key steps to building a shadow IT strategy

Shadow IT was a constant problem for about a decade at the University of Michigan in Ann Arbor, said Tim Rolston, a former IT director there. So his group eventually became adept at managing and integrating shadow IT with official IT offerings. Based on that experience, Rolston recommends a four-step approach to building a shadow IT strategy.

1. Create an adoption path. Most users deploy shadow IT systems to fill a need that official IT systems have not addressed. Rolston calls such shadow IT systems "gap solutions."

"When you identify a successful gap solution running in your environment, embrace it, fund it and absorb it into your service catalog if it provides sufficient value," Rolston said.

2. Consider making adjustments to existing services. Sometimes, shadow apps simply work better for users than the equivalent offering in your IT service catalog. Therefore, "you should consider altering your [own] service to specifically address the concern prompting the shadow service," Rolston said. If you can, include the shadow IT end users to make them feel like a part of this process, and encourage adoption of the adjusted IT offerings.

Next, communicate to the entire user base that you're making a change to your service -- and why. "Give full credit to the folks who made the shadow system," he said. "This will encourage other folks to approach you with their needs, as opposed to creating [more] shadow systems."

3. Don't "squish" shadow IT if you can't provide a better service for end users. It's possible that you simply aren't able to provide a better offering than what a small-scale shadow IT system can provide. If that's the case, let the shadow apps continue to run, and offer whatever support or funding you can afford to give.

If you can't afford to support it, be upfront about it, Rolston said. "This will prevent the shadow IT offerings in your organization from going deeper underground and making their identification almost impossible," Rolston said.

4. Give "homegrown IT" awards. Organizations should give an award or recognition to end users with the best homegrown IT systems, or those with the best suggestions for improving existing IT services. "This will encourage folks to approach you with their homegrown systems or concerns before they go 'shadow,'" he said.

While the four steps above may not be appropriate for every organization, they "helped our users see that we were on the same team, as opposed to adopting an 'us versus them' mentality," Rolston added.

Improve to eradicate shadow IT risks

The presence of shadow IT can be a good indicator that the IT organization isn't meeting the objectives of the business. So, the focus shouldn't be on managing shadow IT or getting rid of it, but on making it unnecessary, said Ben Piper, an author and IT consultant at Ben Piper Consulting in Atlanta, GA.

When creating a shadow IT strategy, IT teams should seek out the business objective behind every request. When they get a request to install a new piece of software, ask, "Why?" to uncover the true business need. "Too often, IT thinks of itself as a service provider and neglects its consulting role in the business. An IT manager should be able to explain every item of IT spend in terms of business objectives met -- not services provided," Piper said.

Finally, remember that shadow IT risks have always existed, and will continue to exist, said Andrew Storms, VP of security services for New Context, a security consultancy in San Francisco. That means one of the best things IT can do when building a shadow IT strategy is communicate. "Get out of the cubes and go and speak with your users; creating and fostering that human bond goes a long way to understanding your users' needs and challenges," he said.


This was last published in March 2016


How does your IT team handle shadow apps?
Our organization is still trying to determine the best way to handle shadow IT, but we have learned a few lessons about how best to approach it, one of which is to work with the users, not against them. We have seen that the trend towards self-service has made some of the decisions for us as users who are either unsatisfied with an ailing legacy system or are early adopters of emerging technologies have brought on their own shadow IT solutions to solve problems, and those solutions became the new standard.

It’s also important to remember that, once users start using shadow IT, it sets a precedent of use, which means that moving from that solution to a sanctioned solution is now more than a simple change in technology, it’s also an organizational change, so your shadow IT strategy needs to encompass elements of organizational change management.