
By Jon Murphy

Love it or hate it, with the consumerization of IT and the rapid adoption of all things cloud computing, most organizations are loudly demonstrating their need for new tools to do more, faster and more efficiently than ever before. That in part is making Shadow IT pervasive in most of those organizations. Some estimates have it accounting for as much as 30%-50% of IT spend. Others have as much as 80% of workforces using some form of unsanctioned software (SaaS or otherwise) to get their day-to-day jobs and special projects completed on time.

By “Shadow IT” (also dubbed Stealth IT) we mean hardware and software used by people in an organization without the explicit authorization of its IT department. This hidden-from-IT software and these hidden systems include innumerable homegrown Access databases, scripts, and WordPress/PHP files on local desktops, as well as in various places out in the cloud, AWS for instance.

So, with this much utilization of, or even dependence on, Shadow IT, what would happen in a Disaster Recovery (DR) scenario in which the organization’s workforce lost all that work in progress (WIP), or lost connectivity to the countless sites that corporate IT is “officially,” and sometimes blissfully, ignorant of today? Some might be inclined to say good riddance to bad rubbish. After all, most traditional IT pros will tell you that all those doings in the shadows introduce security risk, because unsupported hardware and software are not subject to the same security measures that are applied to supported technologies. The flip side of that truth is that Shadow IT largely exists because enterprise IT has generally not been serving business needs as well as it should, or as quickly as needed.

Here are five steps to take today, before a significant business-as-usual disruption occurs, to ensure the potentially vital business processes supported by Shadow IT remain in place until better solutions prevail:

  1. Take assessment: How much Shadow IT is out there? Start with the rogue databases on desktops, try surveys, check with procurement, but do find out how big this hidden use truly is. It will be challenging, since most people will see this as a potential “police-like” crackdown in the making.
  2. Rate it: Just as you would with official systems and applications, perform a business impact analysis (BIA) to find recovery time and recovery point objectives and to assign tiers of importance. Identifying which service level agreements from the contracted third parties are missing or woefully inadequate, and highlighting those gaps, gives corporate IT another chance to shine.
  3. Back it up: Once you think you have a good idea of how much there is, create copies and apply the same levels of protection you give their “official” cousins, the sanctioned IT offerings.
  4. Test it: You do regularly test your backups and perform recovery exercises on sanctioned systems and applications, right? The same needs to happen here. If actual recovery of the in-the-shadows information and systems is not achievable, then all the work before it went for naught.
  5. Capitalize: Now that you, corporate IT, have proven you are a business enabler and team player, you have established the credibility to begin formally wrangling control of the potential downsides of Shadow IT. Here are the three sub-steps to that process:
    1. Identify weaknesses: At some point in the past, corporate IT did not do something well enough or fast enough. Ask the business those hard questions and take stock of what IT can do to operate at the speed of business.
    2. Reestablish relationships: There are key departments and individuals in the business whose cooperation and favor you need to curry. Identify them and solicit their help in rebranding, so that the IT department is no longer viewed as a hindrance to their jobs.
    3. Reinstitute: Use the capital you collected in the previous steps to begin repositioning the IT department as the single and best source for technology solutions in the workplace.
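As an added illustration of the inventory in step 1 (this is example code written for this page, not the author’s or Continuity Insights’ own tooling), the script below walks a constructed stand-in for a user profile looking for the kinds of artifacts the article names (Access databases, scripts, PHP files) and, from constructed proxy log lines, tallies which external hosts each user reaches that are not on an approved-SaaS list. The file patterns, the proxy log layout, the approved-host list, and every host name in the sample are assumptions; a real pass would read the endpoint management tool’s file inventory and the real proxy or CASB export.

```python
"""Shadow IT discovery pass (added example; constructed data, assumed formats)."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed file patterns that commonly mark locally maintained, unsanctioned tooling:
# homegrown Access databases, scripts, and PHP/WordPress files on a desktop.
ARTIFACT_PATTERNS = {
    "access_db": re.compile(r"\.(accdb|mdb)$", re.IGNORECASE),
    "script": re.compile(r"\.(ps1|vbs|bat|cmd|py)$", re.IGNORECASE),
    "php_web": re.compile(r"\.php$", re.IGNORECASE),
}

# Assumed list of SaaS hosts that corporate IT actually sanctions.
APPROVED_SAAS = {"mail.example.com", "crm.example.com"}

# Assumed proxy log layout: "<timestamp> <user> <host> <http-status>".
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>[\w.-]+) (?P<status>\d{3})\b")


def inventory_desktop_artifacts(root):
    """Walk `root` and return {category: sorted list of matching file paths}."""
    found = {category: [] for category in ARTIFACT_PATTERNS}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for category, pattern in ARTIFACT_PATTERNS.items():
                if pattern.search(name):
                    found[category].append(os.path.join(dirpath, name))
    return {category: sorted(paths) for category, paths in found.items()}


def unsanctioned_saas(proxy_lines, approved=frozenset(APPROVED_SAAS)):
    """Return {host: {"hits": n, "users": [...]}} for hosts not on the approved list.

    Malformed lines are skipped rather than failing the whole pass.
    """
    hits = Counter()
    users = {}
    for line in proxy_lines:
        match = PROXY_LINE.match(line)
        if not match:
            continue
        host = match.group("host").lower()
        if host in approved:
            continue
        hits[host] += 1
        users.setdefault(host, set()).add(match.group("user"))
    return {host: {"hits": n, "users": sorted(users[host])} for host, n in hits.items()}


def build_sample_profile():
    """Create a constructed directory tree standing in for one user's profile."""
    root = tempfile.mkdtemp(prefix="shadow_it_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "vendor_tracker.accdb").write_bytes(b"")            # rogue Access database
    (docs / "month_end.ps1").write_text("# constructed\n")       # homegrown script
    (docs / "notes.txt").write_text("nothing of interest\n")     # should not be flagged
    site = Path(root, "Sites", "intake")
    site.mkdir(parents=True)
    (site / "index.php").write_text("<?php // constructed ?>\n")  # local PHP app
    return root


# Constructed proxy log lines in the assumed layout; all hosts are fictitious.
SAMPLE_PROXY = [
    "2021-06-01T09:00:00Z alice mail.example.com 200",
    "2021-06-01T09:01:10Z alice boards.example.net 200",
    "2021-06-01T09:05:00Z bob boards.example.net 200",
    "2021-06-01T09:06:00Z bob share.example.org 302",
    "this line is malformed on purpose",
]


if __name__ == "__main__":
    import shutil

    root = build_sample_profile()
    try:
        for category, paths in inventory_desktop_artifacts(root).items():
            print(f"{category}: {len(paths)} file(s)")
            for path in paths:
                print("   ", os.path.relpath(path, root))
    finally:
        shutil.rmtree(root)
    for host, info in sorted(unsanctioned_saas(SAMPLE_PROXY).items()):
        print(f"{host}: {info['hits']} hit(s) by {', '.join(info['users'])}")
```

The output of a pass like this is the starting list for step 2: each flagged database, script, or host gets an owner, a BIA rating, and a decision on whether it is backed up and tested or retired.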

For sure, Shadow IT has problems inherent in it. However, if we enterprise IT practitioners are honest with ourselves, it probably exists to some degree in almost every organization, and we are partially to blame. Some of the WIP being done by and through Shadow IT has likely become vital to the enterprise. Being proactive about protecting it gives enterprise IT a chance to improve its image and better manage unsanctioned IT sprawl.

About the author: Jon Murphy is the Global VP of Security Operations for a leading mortgage servicing firm. His expertise includes facilitating improvement initiatives in the areas of IT operations, with heavy emphasis on Infrastructure, Information Systems Security, Regulatory Compliance, Risk Management, Business Continuity/Disaster Recovery, and IT Governance. He is also a nationally well-regarded technology and homeland security professional, author, and speaker, and has been published in USFN, CSO, CIO, CIOReview, and Bloomberg BusinessWeek. He can be reached via LinkedIn.

Continuity Insights
