Shadow IT is one of the (many) things that keep system admins awake at night.
Right now, someone in every organization with more than a handful of workers is using an app they got from the internet that the IT department knows nothing about.
Unapproved technical tools – apps, cloud services like Dropbox or Google Drive, and personal devices – present potential and very real security concerns. They also come with not insignificant costs when multiple business groups buy duplicate solutions. By some estimates, 40% of spending on software and tech services occurs outside the IT department.
It is so common for computer users to turn to a cloud service or download an app or tool to help them do their job that Microsoft says the average number of apps being used in an organization is around 1,000.
“80% of employees use non-sanctioned apps that no one has reviewed, and may not be compliant with your security and compliance policies,” Microsoft says, introducing a tutorial for using one of its products “to discover which apps are being used, explore the risk of these apps, configure policies to identify new risky apps that are being used, and to unsanction these apps.”
Hunting down and shutting off these apps and unapproved services does help with the security risk. But relying entirely on that approach is a never-ending policing effort that only contributes to the “Department of No” perception of IT.
A recent CompTIA article on the subject says imposing ever greater restrictions may even be counterproductive. “Enhanced rules may cause workers to venture outside of approved IT more, rather than less — especially if they feel their pain points are being ignored.”
The article suggests a more benign approach that actually allows some types of shadow IT use while also educating workers about the risks and providing them with the functionality they want.
The latter is the approach the US Department of Veterans Affairs is taking.
“You have to give your customers options. If they don’t feel like they’re getting serviced properly from the central IT function, they’ll go find their own way, because they’ve got a mission to execute,” Dominic Cussatt, the agency’s principal deputy chief information officer, says.
He explained that the VA is developing portfolios of services from which customers can shop.
Covering Cussatt’s comments at a conference, FedScoop reported, “The idea is that these portfolios are ready to deploy, checked out from a security standpoint and with buys already in place.
“Said Cussatt, ‘That ease of access helps them and helps them avoid seeking other options.’”