Some organizations require that any software installed on a network device or any hardware connected to the network be approved through their IT department. When users install software, apps, or hardware without informing IT, it’s known as shadow IT. Shadow IT can range from a workplace culture that promotes decentralized decision-making to individual users going “rogue” and installing technology without any approval. Let’s go over the benefits and pitfalls.
The word “shadow” may have a negative connotation, but shadow IT isn’t all bad. When technology tools are chosen by the people that intimately understand their requirements in relation to a tool’s capabilities, it leads to more efficient work processes. Less customization is required, reliance on IT decreases, and the department or business unit’s needs are better met. When shadow IT is accepted as part of the organization’s culture, there should be network safety measures and procedures implemented.
As businesses grow, IT functions tend to become decentralized and individual departments or business units manage their own IT needs. While decentralization is often more efficient, especially in a large and disparate organization, it presents an opportunity for security gaps. According to the Forbes Insights report Perception Gaps in Cyber Resiliency: Where Are Your Blind Spots?, 21% of organizations surveyed experienced a cyber issue due to an unsanctioned IT resource. When software installations are delegated to individual units, the organization should consider several things:
- How far down the chain will decisions be made? It may be wise to limit installation privileges to a small group within the department.
- Can users install whatever they deem necessary? Certain software and apps are riskier than others, and few people in the organization will have the expertise to properly evaluate an app’s security features. A decision tree may be helpful for determining the safety of an application.
- Are installations reported, even after the fact, to IT? Decentralizing the decision-making process doesn’t mean IT can’t be kept in the loop on final decisions.
Close to half of organizations agree: shadow IT makes it impossible to protect all of their data, systems, and applications all of the time. And as you might imagine, shadow IT can cause strain between the IT department and business units. IT may be used to having control of the procurement process and it can be hard to have that control shift away. To make it work, expectations must be set and lines of communication must be kept open. If shadow IT is part of the organization’s culture, the IT department has to embrace it. When they do, business units will likely choose to work with them, instead of around them. And, that way, IT can help guide business units using checklists and advice, as well as stay in the know on what software and apps are being used.