With shadow IT piggy-backing on the growing use of cloud computing in enterprises, it is becoming increasingly difficult for IT departments to manage and maintain their IT estates in a secure environment.
According to a recent survey we carried out at NTT Communications of European enterprises, entitled ‘Growing Pains in the Cloud II: The People vs The Ministry of No’, we found that shadow IT is already widespread in organizations, with 80 per cent of respondents saying data stored in shadow IT is critical to their organization. The main reasons for business users reaching out to shadow IT appear to be ease of set up, ease of use and access to the services they really need. The majority of shadow IT users know they are putting their organization at risk of data leaks and breaches by doing so. This is a major challenge for IT departments who are working overtime to keep track of data.
Consider an amnesty
So what can IT decision makers do to identify and manage shadow IT, which has been purchased and deployed without their permission, and in many cases knowledge, to reduce potential risks? It may be worth considering an amnesty.
An amnesty gives users an opportunity to list which shadow IT applications they are using and why, without fear of retribution.
Our research shows that in the majority of cases an amnesty would be well received. 83 per cent of business managers surveyed said they would participate in a cloud amnesty where users could turn in their shadow IT cloud contracts with no repercussions, even if there was no guarantee that access to the cloud services would remain the same.
Engaging with business users in this way helps IT better understand their problems and enables both parties to work together to find the right tools, whilst retaining IT’s relevance within the organization.
How to run an amnesty
A shadow IT amnesty isn’t about shutting down tools. It is designed to enable IT to listen to employees, who, without reprisals, can explain why they have chosen to circumvent IT for specific applications. This is a critical first step for IT in learning more about its user base and how it can meet the needs of users across the organization. Here are some tips you might like to consider to run an amnesty.
- Go and talk to the various business units.
- Explain that the amnesty is designed to help IT get a better understanding of the tools business needs, uses and likes.
- Stress that there will be no retribution for those who are using shadow IT and that you want to deliver the service that the business needs.
- Run it alongside a full IT asset management audit conducted by the support team, so you get a full picture of the IT estate.
- Use it as a good chance to remind business departments where any applicable compliance regulations or data protection requirements should be considered.
- Look at it as an opportunity for IT to become a valued resource and a trusted adviser to business, as opposed to an IT gatekeeper.
And what not to do!
Do not take a draconian approach. If IT departments imply that shadow IT will be terminated as a result of the amnesty, then this may result in a poor response, as it will be seen as little more than a carrot dangling exercise.
By taking this ‘stand up and be counted’ approach employees also have to be secure in the knowledge that there will be no repercussions for their actions. Therefore think of selling to business departments as more of a fact finding and educational exercise.
Get in touch
Finally, if anyone out there has run a shadow IT amnesty we would be really interested in hearing your feedback on what you’ve tried and what you think was useful.
If you would like to read more about shadow IT in the enterprise, complete with further recommendations download Growing Pains in the Cloud II: The People Vs the Ministry of No.
Shadow IT is causing headaches for IT departments, but it looks like it is here to stay. With business users increasingly reaching out to Shadow IT to find their own tools, this can have a destructive impact on relations between IT and business departments. How can the situation be diffused? How can shadow IT be seen as an opportunity as opposed to a threat?