LuckyStep - stock.adobe.com
Cloud services and low-code/no-code tools are helping companies expedite the development, provisioning and customization of products and services. Yet this kind of business agility can create security, governance, risk management and cost control problems due to issues associated with shadow IT.
The term shadow IT is often used to describe the downside of IT departments losing control and visibility of the company's IT estate. A centralized shared services model can help companies strike the right balance between agility and control. IT departments need to identify the different flavors of shadow IT across the organization and help departments achieve their business goals with the appropriate centralized services infrastructure.
"While an employee downloading their own software to complete a task might seem harmless, IT and security professionals can't protect what they don't know or can't see," reasoned Amol Dalvi, vice president of product at virtual desktop management tools provider Nerdio. This lack of visibility prevents the IT department from protecting the company against security risks that can come with software.
In addition to potentially compromising IT support, shadow IT can complicate data sharing and knowledge sharing. When employees install an application independently, for example, IT can't support them when they encounter problems. Also, users are responsible for keeping the app up to date. Security vulnerabilities can ensue when apps aren't patched in a timely manner.
"Communication is key to preventing and lowering the use of shadow IT across an organization," Dalvi said. Surveys and focus groups can provide IT teams with insights into support needs and answer why employees are considering introducing their own external devices and software into a work environment to do their job more effectively. With that information, IT teams can ensure that centralized service offerings cover employees' expressed needs and avoid the risks of shadow IT deployments.
Shadow processes and control problems
In its early days, shadow IT might just have involved a sales team setting up a software program to replace an internal system. But the needs have grown more complex with the proliferation of integration tools, new AI products and just about everything as a service.
"Shadow IT has evolved and now often goes by other names such as 'citizen developed' or 'low-code platforms,'" explained Jason Brucker, managing director at management consultancy Protiviti. "However, the challenges associated with decentralized management of technology assets remain largely the same."
One key challenge is process divergence. Owners adopt different practices to manage their shadow technologies that lead to weaker management processes. The result can be inconsistent process outcomes and greater potential for control and compliance problems.
Enterprises can often encounter application access management issues from shadow practices, Brucker noted. Some of those issues can include excessive granting of permissions and entitlements, failure to remove terminated personnel and a lack of regular reviews to clean up access permission lists within shadow applications.
Use shared services to manage, not eliminate, shadow IT
IT teams need to develop a deep understanding of the business process to identify and quantify shadow IT, advised Venky Jayaraman, U.S. cloud and digital strategy practice leader at PwC. This approach can shine a light on how shadow IT is being used in the company and the business problem it's supposed to solve.
According to Jayaraman, many IT teams try to manage shadow IT at the point of access to enterprise data or systems. Rigorous controls and processes that prevent unauthorized apps from accessing other enterprise assets can improve security and data integrity. When business teams stumble across a helpful new app, they'll have to work with IT to get it authorized as part of a centralized services infrastructure.
"Centralizing shadow IT is often a resource-intensive and politically challenging process," Jayaraman acknowledged. Be prepared for lively conversations. Along those lines, a centralized services approach is usually most successful when business teams are frustrated with maintaining their own shadow IT.
Centralizing technical support and sharing business services can also provide significant cost savings. But this benefit isn't always provided by SaaS tools. Therefore, many IT departments aren't set on eliminating all shadow IT practices. Instead, they focus on managing shadow IT in a way that optimizes cost and security but gives business functions some degree of flexibility.
When business and technical agility are critical, a hybrid approach might be the most effective way to centralize business functions, share services and manage shadow IT. There are multiple variations to explore.
One promising method for low-code and citizen developer efforts, Brucker suggested, is to reposition the central IT department as a shared services platform for business users. Teams can manage applications in close alignment with business operations, removing the traditional gap between business needs and IT delivery. The IT team can focus on defining and operating access and change management and provide the tools to manage those processes. Continuous monitoring can detect and help correct issues in business-managed application environments.
Make the right pitch for centralized services
In many cases, an initiative to migrate from a decentralized shadow IT approach to a shared services model is driven by an adverse event like a negative audit report. Proactive IT leaders should determine ways to help their organization eliminate these types of risk, Brucker advised, and focus on the benefits centralized services can provide to their business partners managing their shadow IT assets.
IT leaders should emphasize the benefits of increasing automation in processes and how low-code/no-code tools can enable IT to provide support in a more efficient IT-as-a-service platform model. IT, for example, could start with an analysis of how the sales operations team manages its cloud sales platform. More than likely, the sales team manually configures changes to the platform, which opens the door to errors, testing and troubleshooting. Auditor requests could also hamper the sales team.
By focusing on the benefits of reducing the sales team's workload and increasing its velocity, Brucker said, IT can demonstrate how a centralized shared services approach will empower IT teams to provide better oversight and control over the sales platform and lower security risks of untethered shadow IT.