Children downloading and buying stuff online that parents may have no control over.
Imagine an organisation where parts of the business are consuming hardware, apps and services the IT department does not know about.
“Welcome to the spooky word of shadow IT.”
This is how Kirk Nesbitt, national product manager for cloud and smarter infrastructure at IBM New Zealand, began his presentation at the IBM SolutionsConnect 2014.
He says shadow IT encompasses all technology used by individual employees or departments for business whose use has not been approved or sanctioned by the IT department. People are building their own apps, he says purchasing computing power from vendors you do not have procurement agreements with.
While the phenomenon is now new, the pace of adoption of shadow IT is accelerating because of the cloud, says Nesbitt. He cites Gartner’s estimate that by 2015, 35 per cent of IT expenditures will happen outside of the corporate IT budget.
CIOs, he says, have two choices: Adopt it in an unhealthy manner, by trying to ignore it or maintain centralised control. Or, move to become the enabler of the business.
His presentation focuses on how to become the latter.
When IT adapts to support shadow IT, they can influence how it’s done.
Kirk Nesbitt, IBM
He starts with a quote from a PwC survey which finds that in half of the top 100 companies, IT controls less than 50 per cent of corporate technology expenditures. These are companies that are in the top quartile of margin and revenue growth and innovation and reported growth of 5 per cent or more in the previous year.
They have got to be doing something right, he states.
There are five ways to go about it: Change the role of IT, provide architecture that supports service centric delivery, have an agile adoption mindset, provide appropriate security controls, and ensure right technical capabilities are in place.
He says some of the things IT can do is to develop innovative products to make it easy and cheaper for employees to do their jobs.
He cites the case of Sesame Workshop, which according to a Computerworld report, saved US$90,000 on file transfer and $20,000 on shipping by adopting consumer technologies in the cloud. YouSendIt service, which costs $50,000 for two years, replaced FTP services that cost $140,000 for the same period. As well, before using Central Desktop, staffers were shipping hard drives. The cloud-based service reduced those costs by $20,000.
He warns, however, of inherent risks of shadow IT.
Higher risk of data loss or leaks is one. Also, when there are problems they will become IT problems. The support, even informally, has costs to IT.
Controlling costs can be challenging. One company found that four lines of business are spending far more money on IAAS than they should have.
Regulatory compliance is difficult. If you are sued and you don’t know where our stuff is – the email sent, document or contract – you risk getting fined.
“It is worthy acknowledging shadow IT is real, adopting it in a healthy way so you have a chance to mitigate some of the risks."
Also, provide users with a gateway to the cloud. “Most users want to do the right thing, but if there are barriers they will use a credit card.”
He says shadow IT happens because lines of business are demanding a higher velocity in their IT projects than IT can deliver. Suppliers also target business users with their products and services. The lines of business are also becoming “more tech savvy and feel comfortable driving their own projects”.
The key is to allow the businesses to do what they are doing but with a thin layer of control.
Performance monitoring. The last thing you want is having to make something critical to the business work with a technology you didn't not know was being introduced into the organisation.
Event consolidation. You need capability that can consolidate information from disparate sources. This is a foundational capability before you can do capacity analytics and visualisation.
Capacity analytics. Once you have that consolidated source, you can run capacity planning tools and analytics to predict outages. What are some future demands going to be?
Visualisation. Provide dashboards, so if there are issues, you will alert people, so they are not running around in a mad panic, he states. Your visualisation layer should allow you to pick and choose what data elements should be surfaced for certain users.
He concludes: When IT adapts to support shadow IT, they can influence how it’s done.
An ongoing education of what is - and is not - appropriate
IT manager Ian Parker says managing shadow IT requires an ongoing education of what is and is not appropriate.
“Staff are already using shadow IT, whether they know it or not,” says Parker. “It may be a colleague showing them how to get around an IT policy, a file Dropbox or a third party IT company supplying services.
Work with staff to help them do what they are already doing in a more secure manner and at the same time work with your colleagues, via education, as to what is appropriate and what is not appropriate.
Ian Parker
“Staff members, whilst at work, are already using personal smart phones to circumvent the traditional policies IT has put in place. You cannot prevent that from happening and in some cases nor do you want to," he states. “A reasonable approach is to work with staff to help them do what they are already doing in a more secure manner and at the same time work with your colleagues, via education, as to what is appropriate and what is not appropriate.”
With regards to the use of cloud-based file sharing services, he says education for staff includes emphasising it is strictly prohibited to have confidential information in a public cloud area. All file transfers must be transacted via the corporate secure FTP system.
Staff equipment has bright yellow stickers with the words Security, my highest priority. “It is a good daily reminder,” he states.
New Zealand business technology leaders share more pointers on how to stop shadow IT from getting “out of control” in this year’s State of the CIO report.
Send news tips and comments to divina_paredes@idg.co.nz
