While IT always has to contend with an ever-changing landscape driven by shifts in technology, the sector has not really had to deal with the situation that has emerged over the past few years, where IT decisions are made without the IT department even knowing about them.
With cloud computing, particularly software-as-a-service, end users are able to plug in to services with little more than a browser, an internet connection, and a company credit card to pay subscription fees, if the service isn't free. Departments, business units and individuals are happily signing up for cloud services and tossing company data into the cloud, without any thought for security, governance or whether data can be safely retrieved from service providers.
In the hardware space, while data has potentially been 'mobile' since the floppy disk, previous generations of mobile workers tended to be equipped with company-issued laptops or perhaps BlackBerrys, which IT, in theory, configured for proper security for the limited amount of data that might be carried on them. With the rise and rise of smart mobile devices, however, with huge amounts of storage space and, increasingly, a pipeline directly into mobile-enabled corporate applications, the risks from hardware have grown massively. The proliferation of mobile devices and the desire of the workforce to BYOD have increasingly meant IT organisations having to give access to devices over which they have no control.
Tackling the problem of hardware and software outside of IT's control, so-called 'shadow IT', has become a difficult task for the IT department, as organisations seek to retain control over data and access, at the same time as gaining the benefits of allowing workers to use the tools they want, and the benefits of the cloud model. So how big a problem is shadow IT in the region, and how should organisations best manage it?
How widespread is Shadow IT?
Mingay: All of the above. But what's evolving is increasing use of more sophisticated solutions. And this is where it starts to clash with the traditional role of the IT organisation.
Kumar: With regards to departments actually implementing systems that do not have a buy in from IT is a bit more rare in the
Are you aware of your end users using Shadow IT?
Jawed Akhtar, Chief Information Officer,
Does your organisation have any policies to govern or forbid shadow IT?
Rathi: There are policies, which are signed by every employee when he joins the company. With business requirements as an excuse, there are many exceptions to the policy approved by management. Over a period of time the exceptions keep on increasing, making the policy ineffective.
Thameem Rizvon, Group IT Director,
For software — we restrict users from being able to install on their own except for travelling users. Whenever we notice unauthorised software, we work with the respective business head to understand the requirement and either uninstall or approve new applications if required.
Lijeesh Rajan, Director of Centralized IT Services, Dubai & Northern Emirates.
Do you have any regular activities to detect unauthorised applications in your environment?
Akhtar: We do control and monitor this regularly. We do not allow any user to install any freeware or unlicensed software. In fact users' PCs have admin access removed so that they do not install any unwarranted software. On some authorised software we only provide access to selected users, with the strict control not to create any applications to use for business. Of late we observed that some IT savvy staff were developing applications and trying to use them for business.
Rizvon: We use Microsoft System Center Configuration Manager to check for any unauthorised apps and we also check whenever the devices come in for service.
What sort of policies should organisations have to manage the issue?
Kumar: Security policies will cover non-compliant device and application usage. Data sharing policies need to cover the usage of cloud services and the data that can be shared on the cloud. Without proper control, shadow IT can be a nuisance for both IT management and enterprise security. Education and training levels on data sharing and more controls around data sharing and application downloads need to be implemented.
Mingay: Clear policies around security, privacy, compliance, vendor engagement. But also supporting services to help users understand and deal with these appropriately. Guidance on which areas are appropriate for end user development/solution acquisition, and which areas are the domain for enterprise IT, and controls to identify when a solution is sliding from one domain into another.
How should organisations best tackle shadow IT?
Mingay: IT organisations must engage! It is no longer practical to take the moral high ground and wag fingers at people, and then when things go wrong take the view 'we told you so'. The idea that the CIO can be responsible for all things IT in the enterprise has passed, and now there will be many channels of delivery. As such the IT organisation will be responsible for enterprise IT, and needs to engage in actively shepherding and guiding 'shadow IT' firstly to bring it out of the shadows into the open and secondly to ensure it is used appropriately to create value. This means adapting the services the IT organisation provides to support 'shadow IT'.
Kumar: Frequent audits are needed. Also if a cloud service such as Dropbox seems critical for a department, [IT should] upgrade it for an enterprise level option that provides better monitoring and complies with the security policies of the company.
How can you best manage shadow IT?
Rizvon: It is best to work with the management team on why it is important to have a standard policy against shadow IT. In the last few years, our IT staff size has either remained the same or reduced every year and our budgets are almost flat. This has been possible by following a Standard IT policy for hardware and software.
Tewary: By keeping a 'safe' distance between enterprise systems and such shadow systems. The maintenance and upkeep of the shadow systems is done through the vendor who delivered it and by the business segment who went for it. We do not allow any direct data interface/data transfer and data updates between enterprise applications and shadow systems. Based on needs, we shall keep such shadow systems on separate VLANs.
Rajan: We work towards having co-ordination between management divisions whether it is sales, marketing or finance to understand the solutions and their tools in action. This allows us to understand well how to maintain their solutions and also to look for and deliver the right solutions that meet their needs.
Rathi: The best way to manage shadow IT is to listen to the user. His requirements are genuine and in most of the cases, they are ready to use an alternative secure application. We need to explain to them the security issues and the impact it would have on the enterprise. Simply saying 'no' makes them hate IT. Use technology to identify the offender, talk to them, provide an amnesty for breaking the policy and get them on your side. Believe me, the end users simply want to get their work done with ease.
Khan: In our organisation we deal with this by building and sharing IT strategy with the CEO and functional heads; and building capability in the IT team to understand business needs in every area. We have also established information risk management, so that the risk of shadow IT is clearly understood. We give special attention to vulnerable areas like digital media, websites, social media - the typical areas where shadow IT initiates.
Sometimes we play hardball in preventing the proliferation of IT, if it touches the overall IT strategy; while sometimes we allow relatively innocuous initiatives to go by to win friends. IT departments need to take cognizance of this trend, and change their strategy to leverage this — this trend is here to stay.