How to handle and prevent the use of Shadow IT by association staff
- Dan Lautman
- February 25, 2016
What percentage of your organization’s staff uses cloud-based “rogue” applications or services?
It might be higher than you think. 72% of IT executives surveyed by the Cloud Security Alliance (PDF) admitted that they didn’t know how many shadow IT applications were being used in their organization. And, only 8% of them knew the entire scope of Shadow IT at their organizations. Good for them, those lucky few.
Why staff goes their own way with shadow IT
Shadow IT is a fact of life for IT departments. And who can blame the users? In their minds, cloud-based apps are the IT version of hitting the Easy button. They’re free or cheap enough that users are willing to pay or expense the monthly fee. No need for approvals, meetings, hardware purchase, or integrations—all the usual red tape involved with technology selection.
The pressure to find a tool that helps them get their work done is stronger than the pressure to comply with IT policies. From their perspective, your IT environment is too restrictive. They want to work on the plane, but your IT-endorsed solution is a VPN and not the always-available solution they desire.
Besides, they think, working with IT takes too long. They don’t have time to wait until their request is at the front of the queue. No, they didn’t plan ahead like they should have, but, alas, they need it now.
And, let’s face it, sometimes the IT department doesn’t consider the user perspective. Instead, we think: What’s going to be easiest for us to manage? Here’s the thing: The best solution for IT is not always the best solution for users.
Sometimes, IT doesn’t want to get involved because the request is too time-consuming. Or, it’s a low priority item. If IT is outsourced, the request may not even be in the scope of the contract.
If IT appears uncooperative and can’t give staff what they need, staff will go around IT and find a SaaS solution. Welcome to the shadows.
Uncovering Shadow IT
You could act unilaterally to uncover rogue applications by using network scanning tools, asking Accounting to flag monthly recurring expenses, or reviewing your Internet traffic logs. However, if you want to avoid contributing to an Us vs. Them culture, consider a more collaborative approach.
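As an added illustration of the traffic-log review mentioned above (example code, not from the original article), the sketch below summarises web proxy traffic to hosts that are not on an approved-provider list, so the result can feed a conversation with the departments involved. The log format, the host names and the approved list are all constructed assumptions.

```python
from collections import defaultdict

# Hypothetical approved-provider list (assumption; not from the article).
APPROVED = {"crm.example.com", "mail.example.org"}

# Constructed sample proxy log: timestamp user method host bytes_uploaded
SAMPLE_LOG = """\
2016-02-25T09:01:12 alice CONNECT crm.example.com 5120
2016-02-25T09:02:40 bob CONNECT share.filedrop.example 73400320
2016-02-25T09:03:05 alice CONNECT eu.crm.example.com 2048
2016-02-25T09:07:51 carol CONNECT share.filedrop.example 1048576
2016-02-25T09:09:30 bob CONNECT notes.example.net 4096
this line is malformed
2016-02-25T09:15:02 bob CONNECT share.filedrop.example 2097152
"""


def is_approved(host, approved):
    """True if host is an approved domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in approved)


def find_unsanctioned(log_text, approved=APPROVED):
    """Summarise traffic to hosts outside the approved list.

    Returns (host, distinct_users, requests, bytes_uploaded) tuples,
    sorted so the most widely used services come first.
    """
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines rather than guessing
        _ts, user, _method, host, uploaded = fields
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        if is_approved(host, approved):
            continue
        entry = stats[host]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += int(uploaded)
    rows = [(h, len(s["users"]), s["requests"], s["bytes"]) for h, s in stats.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[3]))


if __name__ == "__main__":
    for host, users, requests, uploaded in find_unsanctioned(SAMPLE_LOG):
        print(f"{host}: {users} users, {requests} requests, {uploaded} bytes uploaded")
```

Ranking by distinct users and upload volume points to the services that several people already depend on, which are the ones worth raising first with department heads.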
Schedule regular discussions with department heads. Learn about their operations and position yourself as a proactive solution provider. For example, find out how they’re sharing documents with board and committee members. What do they wish they could do better? What is causing frustration? What can you do to help?
Proceed thoughtfully when discussing shadow IT discoveries. Approach staff as an ally who can help them solve problems and make their work more manageable. You’ll need to call on all your EQ (emotional intelligence) to keep these conversations positive and productive, especially since staff may go on the defensive to protect the tools they rely upon to do their work.
A collaborative approach to Shadow IT
Make sure everyone understands why you do the things you do. They may think it’s all about power trips and control issues. You can counteract that assumption by educating department heads and other influencers about the security risks of Shadow IT.
Let department heads and staff know that you’re not going to outlaw Shadow IT. Spur them to understand that involving the IT department in technology selection can benefit not only them, but also other departments and maybe even the entire organization.
Your goal as the resident technologist is to give staff the tools they need while also protecting the data entrusted to your organization. If you want staff to turn to you first, you need to increase their sense of trust in the IT department. Demonstrate your desire to understand their work, goals, limitations, and opportunities. They’ll see that you’re ‘for real’ and welcome your assistance and advice less begrudgingly.
Once you learn about their needs, and even after you resolve current needs, don’t ignore them. Be proactive. Check in from time to time. Ask how current software is working or what’s on their wish list. Suggest solutions that help them accomplish new and evolving tasks, while taking note of security guidelines and integrations. Don’t wait to find out later that they chose something less than ideal (for you and for them).
Regular communication is critical to avoid being seen as a roadblock. Ask them: “What can’t you do that you want to do?” Be a problem solver.
You also have to change your mindset: look at technology from the user’s perspective. That doesn’t mean you have to kowtow to users. Instead, start from the user perspective and go from there to the IT perspective. How can you make a user-friendly solution work for IT? Or, do you have an alternative that the user may not have been aware of or considered?
Beware the trap of the cheapest solution—too often IT goes to that corner by default. Instead, consider solutions that provide the most value to the user and the organization, even if they’re more expensive.
Eventually, you could create a framework to evaluate cloud applications, and publish an approved cloud solution provider list with instructions on how to implement each one.
To ensure that staff comes to you first for technology solutions, you have to change the relationship between IT and business departments. They need to see IT as a solution provider that must also guard the organization against the growing risk of security breaches. This new relationship requires communication and understanding from both sides—listen and collaborate!