denisismagilov - Fotolia


Practical strategies for shadow IT management

Employees might believe that they need tools beyond the organization's scope. Learn how CIOs and their teams can properly manage shadow IT to avoid unnecessary risk.

As more departments bypass IT to use their devices and applications of choice, CIOs and their teams must find effective ways to manage this rogue tech use.

Shadow IT is the unauthorized use and deployment of apps and systems that fall outside an IT department's operational policies, procedures and standards. Such invisible activities are often the result of the introduction of rogue systems or apps operating outside the department's control. The approach might also involve transmission of data and files that don't follow IT security policies, such as the use of encryption.

In the pursuit of maintaining productivity, companies might become lax towards shadow IT. For example, organizations that allow employee-owned devices -- such as bring your own device (BYOD) -- might unknowingly encourage shadow IT activities. In these cases, IT might not screen or modify devices to comply with the company's IT security policies.

Shadow IT often starts with a disgruntled employee who needs access to an app or another IT resource but can't obtain it from IT. Employees with IT expertise might band together and create alternate IT groups operating outside of normal IT procedures.

Challenges for IT leadership

CIOs and IT leaders strive for a smooth-running IT organization that is compliant, secure and risk-free. But as long as an internet connection is available, shadow IT users can access just about any cloud-based -- or non-cloud-based -- resource with minimal difficulty. For example, the continued growth and acceptance of hybrid workplaces can spur shadow IT activity.

In addition, the growth of cloud-based systems using SaaS, IaaS and PaaS represent significant opportunities for shadow IT. These systems are often found alongside off-the-shelf hardware and software apps that are traditional sources for shadow IT users.

Here are some strategies that CIOs and IT leaders can take to effectively manage shadow IT without compromising operational security or employee productivity.

How CIOs and their teams can manage shadow IT

CIOs and IT leaders must develop and enforce policies to help address shadow IT as effectively as possible. An organization's adoption of these measures minimizes potential risks in the short and long term. With that in mind, the following are suggestions for addressing these issues.

Proactive monitoring and operational diagnostics

An important way to identify shadow IT is to have as many investigative tools and resources as possible. Networks can be potential sources for shadow IT, but entire data centers can also be targets.

IT leaders can stay ahead of any risks by maintaining an up-to-date inventory of all resources within the IT infrastructure -- including employee-owned tech -- and updating it regularly using network inventory technology or other relevant tools.

IT leaders should review inbound and outbound network firewall activity to identify suspicious traffic for further analysis. To help with that, consider reviewing activity on intrusion detection and intrusion prevention systems to identify anomalies for further study.

The organization can also regularly run network sniffing programs to detect unknown IP addresses. CIOs and IT leaders should consider running penetration tests and other ethical hacking measures to identify further suspicious activity.

To enhance security at the data center, the company should consider installing surveillance equipment like cameras and motion detectors. Regular review of data center access logs can help detect possible unauthorized activity.

However, monitoring goes beyond the technologists' side. IT teams should work with the facilities department to coordinate the use of closed-circuit television throughout the office to identify suspicious behavior.

Senior management support

As with any technology-related activity, senior management support and funding are essential. IT leadership plays a key role in keeping senior management informed and supportive.

A periodic agenda item at staff meetings could include the organization's shadow IT status to keep the C-suite informed outside of immediate security events. The CIO should ensure senior management reviews and approves any new policies or updates to existing procedures.

The senior leadership team can also be diligent and help identify any possible shadow installations. Beyond that, CIOs and IT leaders should brief senior management on any suspicious IT activity and the measures to remediate the activities.

Ensure employee awareness

Since employees are the primary candidates to launch shadow IT activity, it's important to foster awareness. Users should understand the characteristics of shadow IT, how such activities can damage the company and possibly affect their job status. By proactively providing training, employees can understand that they play a part in keeping these actions out of the organization.

To begin, IT teams can fill in any knowledge gaps by developing and delivering shadow IT training -- alongside other critical IT training -- to increase employee awareness. For example, IT can advise what steps employees can take if they become aware of suspicious activity.

CIOs and IT leaders should send periodic messages advising employees of possible shadow IT activities and asking them to report any suspicious activity to IT management.

Organizations need to consider establishing or updating policies and protocols for dealing with shadow IT activities and penalties for employees relying on shadow IT. Including HR and legal departments in the overall process is imperative.

Vendor management

Dependence on vendors is a key part of IT operations management. A close partnership with all relevant IT vendors is a critical strategy for identifying potential shadow IT threats and vulnerabilities and also how to deal with them. Shadow IT detection is a group effort, so IT teams should identify and examine shadow IT detection tools available from various vendors.

Before implementing a new IT service, IT teams should determine the shadow IT analysis capabilities of cloud-based and other managed service providers, IT vendors and network carriers. Another tool organizations should consider is a cloud access security broker (CASB) to detect suspicious cloud network traffic.

The IT team can discuss shadow IT concerns with established IT vendors and network carriers, including cloud vendors, and ask how they respond to and provide support for such incidents.

CIOs and IT leaders should advise cloud service organizations under contract of any issues about suspected shadow IT and authorize them to report suspicious activity.

Compliance and audit concerns

Aside from disrupting IT operations and possibly the firm's overall goals, shadow IT might also result in noncompliance with regulations, standards and other governance metrics. Depending on the frequency of compliance assessment and auditing, maintaining vigilance of IT operations is essential for preventing noncompliance.

Before an IT audit, IT teams should be prepared for potential questions from auditors about shadow IT activities, as these activities present possible security risks and access control issues.

To help the process further, CIOs and IT leaders should help determine if suspected shadow IT activities violate the firm's compliance with standards and regulations.

Preparation is the key to success

These suggested actions can help CIOs and IT leaders manage the threat of shadow IT activities. The best strategy is to assume they might occur and prepare accordingly.

By taking a proactive approach, IT teams can minimize the risks associated with shadow IT and protect sensitive data and assets, while ensuring smooth operations within the organization.

Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.

Dig Deeper on CIO strategy

Cloud Computing
Mobile Computing
Data Center
and ESG