By Jon Murphy
Love it or hate it, with the consumerization of IT and rapid adoption of all things cloud computing, most organizations are loudly demonstrating their need for new tools to do more – faster and more efficiently than ever before. That in part is making Shadow IT pervasive in most of those organizations. Some estimates have it accounting for as much 30%-50% of IT spend. Other estimations have as much as 80% of workforces using some form of unsanctioned software (SaaS or otherwise) to get their day-to-day jobs and special projects timely completed.
By “Shadow IT” we are referring to, what some have also dubbed Stealth IT, describing hardware and software used by people in organizations without explicit authorization by the organization’s IT department. This hidden-from-IT software and systems also includes innumerable homegrown Access databases, scripts, and WordPress/PHP files on local desktops as well in various places out in the cloud, like AWS for instance.
So, with this much utilization of, or even dependence on Shadow IT, what would happen in a Disaster Recovery (DR) scenario in which the organization’s work force lost all that work in progress (WIP) or connectivity to the countless sites that corporate IT is “officially” and sometimes blissfully, ignorant of today? Some might be inclined to say, good riddance to bad rubbish. After all, most traditional IT pros will tell you that all those doings in the shadows can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies. The flip side of that truth is that Shadow IT largely exists because enterprise IT has generally not been serving business needs as well as they should be and as quickly as needed!
Here are five steps to take today, before a significant business-as-usual disruption occurs, to ensure the potentially vital business processes supported by Shadow IT remain in place until better solutions prevail:
- Take assessment: How much Shadow IT is out there? Start with the rogue databases on desktops, try surveys, check with procurement, but do find out how big this hidden use truly is. It will be challenging since most will see this as a potential “police-like” crackdown in the making.
- Rate it: Just like you would do with official systems and applications, perform a business impact analysis (BIA) to find recovery time and point objectives as well as assigning tiers of importance. Learning and highlighting the difference between what service level agreements are missing or are woefully inadequate from the third parties that have been contracted gives corporate IT another chance to shine.
- Back it up: Once you think you have a good idea of how much there is, do something to create copies that you apply appropriate levels of protection to, just as you would the “official” cousins – the sanctioned IT offerings.
- Test it: You do regularly test your backups and perform recovery exercises on sanctioned systems and applications; right? Same things need to occur here. If the actual recovery of the in-the shadows info and systems is not achievable, then all the work before went for naught.
- Capitalize: Now that you, corporate IT, have proven you are a business enabler and team player, you have established the credibility to begin formally wrangling control of the potential downsides to Shadow IT. Here are the three sub-steps to that process:
- Identify weaknesses: Corporate IT did not do something right enough or fast enough in the first place at some point in the past. Ask those hard questions of the business and take stock to see what IT can do to operate at the speed of business.
- Reestablish relationships: There are key department and individual in the business whose cooperation and favor you need to curry. Identify them and solicit their help to rebrand so that the IT department won’t be viewed as a hindrance to their job.
- Reinstitute: Use the capital you collected in the previous steps to begin re-positioning the IT department as the single and best source for technology solutions in the workplace.
For sure, Shadow IT has problems inherent within it. However, if we Enterprise IT Practitioners are honest with ourselves, it probably exists to some degree in almost every organization and we are partially to blame. Some of the WIP being done by and through Shadow IT has likely become vital to the enterprise. Being proactive to protect that gives enterprise IT a chance to improve their image and better manage unsanctioned IT sprawl.
About the author: Jon Murphy is the Global VP of Security Operations for a leading mortgage servicing firm. His expertise includes facilitating improvement initiatives in the areas of IT operations with heavy emphasis on Infrastructure, Information Systems Security, Regulatory Compliance, Risk Management, Business Continuity/Disaster Recovery, and IT Governance. He is also a nationally well-regarded technology and homeland security professional, author, and speaker, and has been published in USFN, CSO, CIO, CIOReview,and Bloomberg BusinessWeek. He can be reached here via LinkedIn.