The Shadow Knows

“Who knows what evil lurks in the hearts of men?”

“The Shadow knows!”

These are the opening lines to the popular 1930s radio program “The Shadow.” While the Shadow may have known about the lurking evil, many of today’s CIOs are not so fortunate in knowing where IT lurks across their organizations. That’s right, I am talking about the evil called “Shadow IT.”

For those that do not know what is meant by “Shadow IT”, this is basically when employees within an organization are using systems, applications, software, storage solutions or other technology tools without the knowledge of the organization’s designated IT department.

As a former CIO who had open, but properly approved and provisioned, access to the company’s financial transaction data and a background in accounting, I know firsthand that Shadow IT is real. I would regularly query the general ledger and accounts payable transactions looking for expenses or assets that looked to be technology related but were not recorded against the expected GL codes of the IT function. I don’t recall a single time I reviewed such data without coming across some kind of technology spend that was happening outside the corporate IT organization and without my prior awareness.
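The ledger review described above, as an added example that is not from the original post: a query over constructed accounts-payable rows that flags technology-looking spend recorded outside the IT function’s GL codes and groups it by vendor and cost center, so duplicate and recurring charges stand out. The keyword list and the IT GL codes are assumptions.

```python
import sqlite3

# Constructed sample of accounts-payable rows (not real company data).
# Columns: vendor, description, gl_code, cost_center, amount
SAMPLE_ROWS = [
    ("Acme Cloud Storage", "Monthly team storage plan", "6410", "MARKETING", 49.00),
    ("Acme Cloud Storage", "Monthly team storage plan", "6410", "MARKETING", 49.00),
    ("Office Depot", "Printer paper", "6410", "MARKETING", 120.00),
    ("BigCRM Inc", "SaaS subscription - 12 seats", "6950", "SALES", 1800.00),
    ("DataCo Hosting", "Web hosting, annual", "7100", "IT", 600.00),
    ("Cafe Catering", "Team lunch", "6500", "SALES", 250.00),
]

# Words in a vendor name or description that suggest technology spend (assumed list).
TECH_KEYWORDS = ("software", "saas", "subscription", "cloud", "hosting", "storage", "license")
# GL codes the IT function expects technology spend to be recorded against (assumed values).
IT_GL_CODES = ("7100", "7110")


def load_sample(conn):
    """Create the ap table and insert the constructed rows."""
    conn.execute("CREATE TABLE ap (vendor TEXT, description TEXT, gl_code TEXT, "
                 "cost_center TEXT, amount REAL)")
    conn.executemany("INSERT INTO ap VALUES (?,?,?,?,?)", SAMPLE_ROWS)


def find_shadow_it_spend(conn):
    """Return (vendor, cost_center, gl_code, charges, total) for tech-looking spend
    recorded against non-IT GL codes, largest total first."""
    # One (vendor LIKE ?, description LIKE ?) pair per keyword, bound in that order.
    like_clauses = " OR ".join(
        "lower(vendor) LIKE ? OR lower(description) LIKE ?" for _ in TECH_KEYWORDS)
    params = [f"%{k}%" for k in TECH_KEYWORDS for _ in range(2)]
    it_placeholders = ",".join("?" for _ in IT_GL_CODES)
    sql = f"""
        SELECT vendor, cost_center, gl_code, COUNT(*) AS charges, SUM(amount) AS total
        FROM ap
        WHERE ({like_clauses}) AND gl_code NOT IN ({it_placeholders})
        GROUP BY vendor, cost_center, gl_code
        ORDER BY total DESC"""
    return conn.execute(sql, params + list(IT_GL_CODES)).fetchall()


def run_sample():
    """Load the constructed rows into an in-memory database and run the review."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return find_shadow_it_spend(conn)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Against a real ledger the same query runs unchanged over an export of the AP table; the hits are leads for a conversation with the cost center owner, not proof of a policy breach.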

In addition to those financial transaction reviews, I would also find out about Shadow IT items just by listening and observing. When traveling to different locations around the company, I would make a point to decline to sit in a guest office, instead opting to sit out in an available cubicle or open-area work space. This would give me a chance to see and hear how employees worked and in some cases see the use of technology-based tools that I knew were not acquired and provisioned through approved channels.

In all the cases of Shadow IT I came across, I don’t recall any instance where someone was trying to maliciously disregard policies or trying to intentionally put the security of the company (and its data) at risk. In general, people were just finding ways to get their job done more easily and to better serve their customers; and with the proliferation of applications, systems, storage, and platforms being offered as a service, the ability to acquire and consume technology outside the purview of the IT function is becoming easier and easier.

So you may be thinking “what’s the big deal about having Shadow IT?” Two words come to mind: money and risks (specifically data security risks).

Shadow IT can be expensive for an organization – much more expensive than acquiring the technology through formally established IT procurement processes. This increased expense can be in the form of poorly negotiated pricing, inadequate evaluation of alternative solutions and duplication of technology across the organization. In addition, the cost of Shadow IT solutions is often coded into miscellaneous expense categories or is not scrutinized due to the relatively small amount in the context of the non-IT operating budgets. This can result in unmanaged expenses and at times ongoing expenses for technology solutions that are not even actively used.

Shadow IT can also expose an organization to increased risk related to data security. Typically the core processes and controls an IT function has in place are not applied to solutions acquired and managed outside of the IT function. IT functions usually have established processes and procedures to manage access to technology solutions that ensure that new users are given access only to the data needed to perform their job tasks; that access is removed when employees change roles or depart the organization; and that access to systems is reviewed on a regular basis. Systems and applications managed by IT functions usually also have strict password policies that require complex passwords and regular changing of passwords. These strict password controls are often lacking or inadequate in Shadow IT environments. In addition, systems and applications managed by IT functions are typically monitored for patches and updates to address security vulnerabilities. The IT function typically also has processes to receive notices from IT solution providers about security incidents and to respond accordingly. These monitoring and response capabilities are typically lacking for technology solutions procured and managed outside of IT functions.

While I could continue on and on about the security risks introduced or amplified by Shadow IT, I think you get the idea. Shadow IT can also create other risks, such as the administrative access to an application walking out the door with a terminated employee (yes, I lived through that one) or having ownership of a company website domain registered under an employee and not the company, and not finding out about it until the employee has left the company (again, that happened to me).

So what’s a CIO to do to try and stop or at least curb the evil known as Shadow IT?

  • It almost goes without saying, but have company policies that require IT solutions be acquired and managed through the appropriate IT function.
  • Create processes that make it easy for other functions and their employees to request and consume technology that is managed by the IT function. People are normally like water and will follow the path of least resistance. The easier you make it to use the approved IT services, the less likely it is that someone will look for a different path.
  • Listen to the needs of employees and provide technology that makes it easier and more efficient to perform daily tasks. If you are giving employees the tools they need, the need to go find tools outside of the IT function is diminished.
  • Apply the same listening skills to external customers as well. If the IT function does not provide technology that meets the needs of customers, other functions within the organization that interact more closely with customers will find other avenues to meet the needs.
  • When you find Shadow IT, get the management of the technology in alignment with how other technology is managed. Even if the management tasks are not performed directly by IT staff, make sure it follows established processes and procedures for the management of technology.
  • Do not be the CI-NO! This doesn’t mean you have to say yes to every request, but the answer shouldn’t always be an outright “No”; sometimes it may be providing an alternative that accomplishes the same goal. Shadow IT is typically a sign that the business, and specifically the IT function, is not providing employees with adequate tools to effectively and efficiently carry out their job functions. If IT is providing the business with the technology needed to be successful, other departments and individual employees will not feel a need to go seek out their own technology solutions.

There were times as a CIO that I got pretty worked up about Shadow IT and would start down the war path to go after those that created it. However, calmer heads almost always prevailed and I tried my best to use every occurrence of it as a learning experience on where there were gaps in the services being provided to the organization. The learnings would then be used to shape and direct future investments in technology and to improve how IT services were delivered to the organization. While the impacts of Shadow IT can be evil, the intentions of those engaged in Shadow IT are usually good.

“Who knows what evil lurks in the shadows of IT?” If an organization is lucky, the answer is “The CIO knows!”
