Turning ‘Shadow IT’ into ‘Better IT’

There is an ancient Chinese proverb about a farmer who loses his horse. For those who haven’t heard it, the story goes like this: There’s an old farmer who lives with his son close to the borderlands. One day, his horse runs away. His neighbors come to console him, but he only says, “how do you know it isn’t fortunate?”

A few months later, his horse returns and brings back with it a magnificent stallion. His neighbors come again, this time to congratulate him. He says to them, “how do you know it isn’t unfortunate?”

Later, his son falls while riding the new horse and breaks his leg. His neighbors return to console him, but the father again says, “how do you know it isn’t fortunate?” Then a war comes, and all the able sons are drafted to fight. Most are killed in battle, but the farmer’s son is spared because of his broken leg.

The point of this story is that sometimes things that at first seem unfortunate actually can be a blessing. The converse is also true: Sometimes things that seem to be a blessing really can be the opposite.

The reason I’m bringing this story up here is that it is a useful illustration of something that can happen in enterprise IT. Sometimes things happen that seem undesirable, but they actually can turn out to be advantageous when viewed in a certain light, when approached in a certain way, or depending on circumstances.

For example, this can be true when it comes to “Shadow IT” — specifically, the adoption of technology without the involvement or knowledge of the IT organization.

The Shadow IT Struggle

For the past few years, most IT professionals have struggled with the “shadow” adoption of technologies. Consumer-oriented technologies, cloud services with free or “pay as you go” pricing, mobile applications and the like all make it relatively easy for individual users and small groups to adopt technologies without involving IT in their deployment.

This practice can be problematic in several ways. First, without central oversight, it can be difficult to ensure that technical risks are addressed. Second, Shadow IT undermines standardization efforts. Individual departments or users may select different solutions for the same fundamental problem, leading to complexities in support and processes, as well as integration challenges down the road.

Third, if multiple different groups adopt the same technology, it can lead to suboptimal pricing — when purchases are negotiated centrally, volume pricing might come into play. Lastly, it can lead to a waste of organizational resources and to overall inefficiency.

However, there can be situations in which Shadow IT can be turned — in part, at least — to an organization’s advantage. Now, don’t get me wrong — I’m not suggesting that IT pros go out and actively cultivate shadow technology in their organizations. The problems and risks associated with it are very real and should be approached with consideration and gravity.

That said, it’s not necessarily all downside all the time. If Shadow IT is going to happen anyway — and it will — then it’s important we learn as much from it as we can. In fact, depending on how you choose to respond when Shadow IT is encountered, you might find that it actually can be somewhat beneficial.

What We Can Learn

The first thing to note is that there’s an underlying root cause for shadow technology adoption: unmet business needs. Why would individuals or business units go to the trouble of finding and using a new application, technology or service if they felt they already had everything at their disposal to be maximally effective? They wouldn’t, right?

When Shadow IT is encountered, it means that there’s something that these folks want to do that they feel they can’t. It could be because they want something new that IT doesn’t provide. It also could be because IT offers it, but they either don’t know that or there’s something less appealing about IT’s offering — e.g., speed, flexibility, interoperability, etc. Shadow IT tells us something about what we can do better — or other services we can offer — to make sure folks have what they need to be effective.

In addition to showing us what unmet needs there might be, Shadow IT can help to inform us about important new technologies coming down the pike. This can directly inform decisions we need to make concerning things like the security controls we implement, how we allocate budget, and how we adapt tools and processes.

For example, if we’re seeing an increase in SaaS, what might we need to do to safeguard data stored outside our perimeter? If we’re seeing pockets of Docker, will our existing asset management processes and tools stay relevant in a container-focused world?

In IT, it’s hard to prepare for new technologies when they’re dropped on us with little warning; Shadow IT can very well serve as that warning. It can tell us what folks are likely to find valuable and how they might use it.

Ensuring You Get the Value

There can be some valuable learning opportunities that occur as a result of Shadow IT. That said, those learning opportunities happen only when supported by a few key pieces of data: namely, what’s being used, how it’s being used, and why. You need to have a way to discover usage when it occurs, and you need a solid-enough understanding of the business side of the house to understand how and why.

In practice, that means having a two-way, trust-based relationship with business teams. Why? Because while there are some technical tools out there that can help you locate certain types of technology, no single tool will alert you to every possible new technology out there. For example, asset management tools might help you locate new hosts or devices, cloud discovery tools might help you find SaaS uses, and vulnerability scanners might help you find unexpected hosts or services.

It’s easier and generally more effective if you have the kind of relationship that encourages business teams to tell you about it instead — ideally without your specifically asking. That type of relationship is also key to answering the other important questions: that is, why and how they’re using a particular technology.

Interfacing well with, being trusted by, and engaging often with business teams are particularly important when it comes to ensuring that we learn all we can from Shadow IT. Shadow IT likely will be a challenge for years to come, and it certainly carries risks — but depending on how we approach it, Shadow IT also can be instrumental in improving IT within the organization.

Ed Moyle

Ed Moyle is Director of Emerging Business and Technology for ISACA. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development. You can connect with him on Google+.

1 Comment

  • We see this all the time with our clients for whom we do IT support help and service. They have a very hard time coordinating between departments with IT and even within the IS function. Software like this could really help organize.
