Business users and IT departments have been at war. The conflict has burned for years, but the growing need for agile tech has exacerbated the problem. If companies want to stay competitive, these battling sides will need to broker a peace treaty through improved cooperation.
In its early days, Microsoft sold computers and other hardware directly to IT departments. Those departments had final oversight when it came to the technologies a company’s employees used. But when Microsoft began selling directly to business users in marketing or sales, not just in IT, decision makers outside the IT team could choose the hardware they wanted.
The shift caused friction immediately. Department heads came to depend on the new tech, but IT teams refused to accept that expensive personal computers were necessary. They didn't see why business users would need the PCs — and they wondered how these users would even learn to operate the machines.
So they dropped the "security policy" atom bomb, arguing that user-selected PCs posed security risks. And as soon as they mentioned "security," IT teams declared victory. But business users were unwilling to accept that argument, and they instead set up secret infrastructures and hid their computers, a strategy known as shadow IT.
The same issue is playing out now with software. Users need certain software tools to do their jobs effectively, but IT departments once again insist that security concerns preclude them from supporting new software systems. So today's business users are taking a page from their predecessors, hiding software tools just like users previously hid their hardware.
IT teams are right to worry about security. But their responses — or lack thereof — to users’ problems encourages shadow IT to flourish, exacerbating companies' security threats. According to a presentation at the 2016 Gartner Security and Risk Summit, researchers found that by 2020, one-third of all successful hacks on enterprises will centre on shadow IT. The only way for companies to protect themselves is through collaboration between IT and their business users.
A bad case of déjà vu
IT teams resist user-initiated tech decisions because they believe most users don’t know how to assess software for security. They also assume most people don’t know how to manage their applications’ permissions to keep their data — and that of a company — safe. And they’re probably right. The majority of users don’t have the same training as IT professionals, so they’re not as well-versed in how to safeguard against cyberattacks.
But the solution is not to create an artificial barrier that excludes users from the decision-making process. The IT department might have final say on the company’s official tech purchases, but how can they make optimal choices if they don’t understand what each department needs?
Without a clear understanding of the programs that marketers, salespeople, and customer service representatives rely on, the IT team is flying blind when creating the tech infrastructure. IT departments should have learned this from the shadow ecosystems that flourished around hardware, but they’re making exactly the same mistakes when it comes to software.
Business users aren’t slowing down with software adoption, regardless of IT’s security warnings. Department heads are especially eager to adopt project and task management software. Because IT isn’t providing them with any solutions, they turn to unapproved platforms such as Asana and Trello. Technology has expanded the scope of many jobs, and all departments must track multiple initiatives at a time. If IT won’t help them manage the workload, they’re happy to find platforms that will.
Learning from history
IT lost the hardware battle. Unless they want to do the same with software — and jeopardize their companies’ security in the process — IT departments must learn from the past and find a way to work with business users.
If you’re an IT decision maker struggling with shadow IT, here’s how to forge a more secure path:
1. Own users’ challenges.
Historically, IT teams have claimed authority over all of the company’s technology. That authoritarian approach no longer works. Instead of handing down decisions, meet with department heads to find out what they need. Offer amnesty, and ask them which shadow IT programs they use.
Then, either create an alternative solution or partner with them to bring those platforms out of the shadows. Perhaps there are simple steps you can take to make their activities more secure. Educate them on security best practices, and invite them to come to you when they encounter new tech needs. Reassure them that you will listen and take action on their problems instead of dismissing them out of hand.
Most importantly, stop thinking of tech as IT’s exclusive domain. IT is vital to creating secure infrastructures, but the end users are experts in their domains. Work with them to find viable solutions that suit their processes without compromising the company’s security. The IT department sets security standards for a reason, and users will respect them if you’re willing to help solve their problems.
2. Become an educational resource.
Earlier, I said IT teams are right to assume that users know less about security than they do. I stand by this statement. But with that expertise comes great responsibility. Users don’t secretly hope for a security breach, but they’re not constantly on alert, either. Educate other departments about common security lapses and the steps they can take to prevent them.
Hold regular conversations with department heads as well. If they’re using shadow IT, ask why and really listen to the answers. Chances are, you can address that pain point through better, more secure program recommendations. Even better, hold monthly seminars or send out newsletters with security updates and briefings on new tools. Circulate a checklist that people can use when evaluating new software to help them identify legitimate options.
Invite people to ask you about a program before they install it as well — not so you can turn them down, but so you can look into it. An interesting new software program might sound like a no-brainer for their workflows, but it might not be vetted enough to make sense for the company.
3. Ensure compatibility of new solutions with existing software.
Once you’ve agreed on a new solution, continue to run tests to make sure it complies with security standards and plays nice with other platforms used throughout the company. Where possible, consolidate functions into fewer platforms and opt for programs that are as intuitive as possible. Favour solutions that offer encryption and data loss prevention support to minimize the chance of a breach.
Ideally, these programs will be user-friendly, so as to reduce the burden on the IT department. They should be safe self-service platforms where business users can create their own solutions. People shouldn’t need coding skills just to log in to a database and collect insights. Shadow IT sprang up because users needed better tech solutions, so the ones you approve should help them do their jobs, not necessitate more shadow installations.
The shadow IT war is hurting everyone, and it’s time for it to end. IT teams can achieve their security goals without hindering productivity, and business users can access the tools they need without jeopardizing company data. But the only way to achieve everyone’s goals is to wave the white flag and start working together.
Suresh Sambandam, CEO, KiSSFLOW
Image source: Shutterstock/Kzenon