Forget Shadow IT — Think Enlightened IT
IT has traditionally sought to tightly control exactly what products employees are using. This was a result of needing security, meeting compliance requirements, and even simply making sure expensive enterprise software and custom internal tools were working.
As new tools and methods began popping up with the rise of the Internet, consumer devices, and the “consumerization of IT”, non-sanctioned products started showing up in corporate IT. The traditional response was to eliminate these products and return control to the centralized process. IT created a disparaging term for these unofficial products: “Shadow IT.”
Wikipedia lists out the typical “implications” of Shadow IT.
- Wasted time
- Inconsistent business logic
- Inconsistent approach
- Wasted investment
- Higher risk of data loss or leaks
- Barrier to enhancement
- Organizational dysfunction
- Effect on IT Departments
Notice a common thread: they are all negative. This is not an accident. And this pejorative attitude towards Shadow IT is pervasive to this day.
SaaS: Pandora’s Box for Shadow IT
While Shadow IT was a problem before SaaS, the proliferation of free, freemium, and inexpensive per-seat SaaS offerings resulted in a massive explosion in Shadow IT. This trend is exacerbated by shifting employee preferences. Employees are demanding to use their own devices (the massive BYOD trend). They are demanding better products that are as usable as the consumer software they’re used to. They are demanding to be able to work from anywhere. When employees are off the corporate network and hardware, traditional tools for managing and fighting Shadow IT (e.g. packet sniffing, computer agents) are rendered ineffective.
In fact, this desire for tight control has probably been counter-productive. As IT gets increasingly restrictive, employees simply go completely outside the view of traditional IT. This exacerbates Shadow IT, resulting in a much larger surface area of company tech usage and data sharing that is invisible to IT.
Inverting Shadow IT: Enlightened IT
The first step to effectively managing IT in today’s often SaaS-first world is an inversion of the typical attitude towards Shadow IT. Instead of focusing exclusively on its negative effects, we should also focus on the many benefits of this new world:
- Leveraging intelligence of the ENTIRE organization, not just IT / leadership
- Encouraging more experimentation, which leads to new product discovery and quicker org-wide adoption of new tools
- Organic adoption results in employees using the products they want
- Better product discovery as decisions get pushed to “users”
- Happier, more productive employees
The way to do that is to invert the traditional attitude towards Shadow IT: start with permission and restrict if needed, rather than start with restriction and approve through a centralized process. Require that products be blacklisted to prevent usage, rather than wait for them to be whitelisted before allowing usage.
We call this approach Enlightened IT. And it’s a great way to encourage bottom-up innovation and adoption in an organization. It’s also a better strategic approach to minimizing downside risk, because you actually see everything and reduce blind spots.
How to effectively manage Enlightened IT
While it’s important to invert the traditional IT decision-making process, it’s even more important to do so in a smart, not reckless, way. In addition to a new outlook, it requires a different set of tools.
To make this work, you need to be able to:
- Easily capture accurate information on products that employees are using, especially when outside company networks or off company-owned computers
- Discover product usage across the entire organization, not just traditional decision makers (everyone is a decision maker now)
- Be able and willing to promote and expand products that are working well and making employees happier and more productive
- Quickly find and address any security issues to minimize downside risk
- Be easily able to kill what’s not working or what’s not up to security or compliance guidelines
With that in place, you can begin a simple analysis of products that are discovered across the organization. They should fall into one of four buckets:
- Expand: Usage and adoption of products by teams and individuals can result in finding and choosing products that make the entire company happier and more productive. Products that meet both of these characteristics should be expanded to more users and teams, and even be brought into the core stack.
- Allow: A more open policy allows for many more products that may not necessarily need to be expanded, but serve a particular function for a particular team, and can go on doing so in a self-supported way. Plenty of department-specific tools, such as marketing lead enrichment, will fall under this bucket.
- Research: This is the most important part of the Enlightened IT framework. Experimentation with new apps is great and should be allowed and encouraged; however, monitoring and research are still important. Products that have access to sensitive information, e.g. financial, contracts, PII (personally identifiable information), should be more closely vetted to make sure they meet your internal security requirements. After that initial research, you can choose to expand, allow, or restrict.
- Restrict: Certain apps may always be restricted by your particular organization, due either to industry-specific compliance needs, particular team sensitivities, or proactive decisions to consolidate on certain tools. The appropriate framework is to think of these restricted apps as a specific “Blacklist.” The default for a new app is to be able to test it, but certain products can be blacklisted.
Changing the culture of an organization to encourage bottom-up adoption and more permissionless innovation will require buy-in from various teams, especially IT. If you can make this change, and start leveraging the product intelligence across the entire organization, you’ll likely have happier, more productive employees, and less worry about Shadow IT.
Enter Blissfully — Turning Shadow IT into Enlightened IT in a SaaS-first World
Blissfully automatically detects all the tools in use in your organization, across devices, and across networks. This is increasingly necessary as work moves onto personal devices and non-office networks. Keeping a pulse on what the organization is using is the critical first step to making sure you make the best choices, keep employees happy and productive, and minimize security risk. Check out Blissfully to see how we can help.
Originally published at www.blissfully.com on June 28, 2017.