Today I wanted to talk about Shadow IT. It’s one of those topics that can be emotive, especially if you’re in the IT department or Information Security team. Let’s work with the following definition of Shadow IT: “the implementation and/or use of an IT solution that has been put in place by a department without the aid or knowledge of the IT department”.
Let’s start by identifying what might be the problem with Shadow IT and then we can move on to what can be done about it.
ITIL comes in handy because it’s a well-known standard that we can use to describe what good looks like for an IT Service or IT Solution. Once we’ve established a definition of good, we can examine what problems or risks Shadow IT can cause. For an IT Service to be considered good, it must be both “fit for purpose” and “fit for use”. ITIL defines these terms as follows:
Fit for purpose – “The ability to meet an agreed level of utility. Fit for purpose is also used informally to describe a process, configuration item, IT service etc. that is capable of meeting its objectives or service levels. Being fit for purpose requires suitable design, implementation, control and maintenance.”
Fit for use – “The ability to meet an agreed level of warranty. Being fit for use requires suitable design, implementation, control and maintenance.”
It’s common for IT departments to use ITIL, but even where they don’t, the basic premise described above, ensuring that things meet the required standard, is usually followed, whether through training, experience, following best practice and/or good discipline. The reason for this is that IT has become like a normal utility such as water or electricity, and the expectation for it to just work is high. IT professionals have expertise in designing IT Solutions and managing them. Conversely, it’s unusual for departments outside of IT to follow this same rigour, because the role they fulfil does not have the exact same demands.
Looking from an Information Security perspective, a good service should uphold the three tenets of CIA, that is, Confidentiality, Integrity and Availability. In other words, I want the information in the service to be available only to the right people (Confidentiality), I want the information in the service to be correct (Integrity) and finally I want the information available to me when I need it (Availability). Working in tandem, IT departments and Information Security teams deliver CIA by ensuring IT Services are designed, tested and implemented to the quality and standards that are expected. The last thing anyone wants is a security breach, and building your own solutions or data integrations without working with the IT and Information Security teams certainly raises the risk of one. The professionals inside an Infosec team are always the best people to review and check a solution and, if you engage them, they will be most helpful.
To understand what can be done, we need to consider the question: why do departments not work with IT and Information Security to put IT solutions in place? The answer could be many things: poor-quality service, not enough resources, poor relationships, trust, budget, priority; the list can be endless.
That all being said, the solution to this conundrum does not have to be elusive.
In today’s world of public cloud, Software as a Service (SaaS) and huge advances in technology, the answer is not to fight the departments outside of IT and Information Security, but to put in place frameworks, toolsets and technologies and empower them to use them. If you give people the tools to solve their own problems, they won’t need to go looking for their own tools. An example of such a toolset is Office 365. If properly implemented, an IT department can correctly licence, train, configure and support Office 365 and give the whole company tools to store, manage and share documents safely, build applications, automate tasks, create, collect, store and analyse data and then publish it. You also get email, chat, video calls and much more as part of Office 365. There are many good alternatives to Office 365 depending on your particular needs, but this example is demonstrating the use of an integrated toolset, not just one function like email.
Shadow IT and similar issues are born from the need for IT departments and Information Security teams to modernise, or to take a new look at what their customers need, not necessarily what they’re directly asking for. Organisations don’t need IT just to be the people who organise and look after infrastructure, plug things in and be techy; they need IT’s creative problem-solving skills channelled into creative solutions. Public clouds like AWS and Azure have given IT teams the toolsets to create and manage infrastructure without having to worry about patching, cabling and so on, which has created the time and space to do more.
IT departments don’t need to solve every problem and build every solution; they need to empower, educate, govern, trust, train and procure the right toolsets and implement the right processes around them. They can do this by creating well-rounded and considered solutions or by bringing in the right IT consultants to help them. If you give people the tools, and they’ve been designed to work together, all departments benefit from the innovation, speed to market, safety, security and reliability of it all. My last word on this is strategy. Make sure you have a modern strategy that IT and Information Security can execute in order to ensure both teams stay relevant, in control of their respective needs and empowering those around them – for the wise organisation this means supporting IT and giving them a proper mission and actual problems to solve, not seeing them as the IT department from 30 years ago who just set up boxes.
Please note, ITIL® is a registered trade mark of AXELOS Limited