You’d be forgiven for assuming the term “Shadow IT” means something ominous; conjuring images of viruses lurking on your system, suspect activity online, and general risks to an organization’s security… but it is simply the name given to any external hardware or software that is being used without the approval or support of the organization’s IT department.
Historically, shadow IT was due to staff deviating from the organization’s process for requesting hardware or software access, either through ignorance or impatience, which meant IT had no knowledge of what was being deployed. These days, in a world of smartphones and “always on”, the use of personal devices and third-party specialist technology also falls into this category. Therefore, Shadow IT is, arguably, an enabler. It allows an organization to stay agile, and connected, and it invites productivity both inside and outside of the workplace. In fact, organizations that don’t indulge in shadow IT are actually at risk of being left behind.
Shadow IT makes Software Asset Management (even more) difficult
Even with a mature SAM process, where the IT Asset lifecycle is properly tracked and effectively managed, IT has a big task on its hands. If an employee procures their desired hardware or software outside of that process, and IT is unaware, the task becomes impossible.
Of course, there are security risks associated with unknown software, but there is also the threat of noncompliance. Unapproved software, which is therefore not covered by an organization’s license terms, could trigger a software vendor audit. The resource that must be applied to respond to an audit request will most likely make a significant dent in “business-as-usual”, and any unapproved or unlicensed software puts the organization at risk of fines.
Responsive IT can cast light where there is shadow
Shadow IT, especially in larger organizations, kicks against any standardised process in place for monitoring software requests, access, deployment, use, and budget. That can lead to conflicts in approach and contradictions in business strategy – how can management make an informed business-critical decision about IT with inaccurate information about IT?
A unified approach to business goals and therefore business processes is best practice in any organization, but it’s rare to have no department-centric goals. That is, different business functions will have different aspirations and therefore different needs, which is where the demand for IT, in order to support these aspirations, will vary. There are two ways to manage this:
Simplify SAM for everyone
IT Asset Management, should have an effective SAM process in place that forms part of the organization’s culture as a whole. It should be robust enough to track and manage all software licenses throughout their lifecycle, but flexible or accessible enough that it tackles the reasons employees aren’t contacting IT directly with access requirements. Red tape, long delays, and missed requests encourage the unauthorized deployment of software.
Interdepartmental SAM
Although it is essential to identify the top of the chain of responsibility, that doesn’t necessarily have to mean sole responsibility. Picture an IT department driving the organization’s Software Asset Management, but appointing a responsible party from each department, as necessary, to take ownership of their access requests by following a predetermined protocol. If a certain piece of software is only in use by a single department, managing the associated contract terms sits within that department. If the software is used company-wide, or if it is via vendor supplying software to other departments within the company, the IT department and the SAM Manager must be involved.
Visibility in shadow IT with SAM
Instead of trying to put a stop to shadow IT, organizations with SAM and ITAM processes mature enough to handle the use of personal devices, and accommodate time-sensitive software requests can better respond to the evolution of the way their IT environment operates. The emphasis should be on making clear what is permitted, as well as being agile enough to respond to requests outside of the norm, and a true view of all deployed software and all devices touching the network.
