What to Do When You Discover a Shadow IT App
Nearly every technology leader encounters “shadow” technology adoption at some point. Also known as “unapproved IT” or “rogue IT”, shadow IT might be a social media management app adopted in marketing, an analysis tool used in finance, a database deployed by customer service, a presentation app purchased by an executive, or a workflow management system implemented in operations.
While the term “Shadow IT” suggests a threat that lurks nearby, an accurate description might cause a bit less concern: Technology that people in an organization use, but that was not reviewed, approved, selected, or deployed by the organization’s IT team.
“Shut it down, now,” remains the default response of many IT professionals when any non-IT approved technology is identified.
But that response puts the IT team in direct conflict with people in the organization. Worse, such an approach often ensures that the IT team will not be consulted about any future technology decisions.
More effective IT teams respond in a more measured manner. The following steps may help you move from “Shadow IT” as a potential problem to an opportunity to open dialogue and build trust.
1. Review security
If you discover an unauthorized app with access to personally identifiable information, payment information, files, photos, or other sensitive data, you may need to take immediate action. However, be careful not to overreact. Make sure you accurately understand the specific security risk. For example, an app used to create marketing materials could potentially reveal product plans, but an unauthorized third-party payment system should raise a much greater concern.
2. Quantify adoption scale
Is this an app used by one person, by a few people, or by hundreds — or thousands — of people?
Adoption scale matters, since it tends to indicate whether the issue is one of communication or trust. When a few people turn to “Shadow IT” it tends to indicate a lack of awareness or communication — but when large numbers of people seek solutions without involving the IT team, that signals a much more significant problem. In other words, if a few people use Shadow IT, you need to improve communication; if many people turn to Shadow IT, you need to consider how to build trust.
3. Identify workflow concerns
People often select a solution that works in a manner that meets their needs. However, some apps that deliver local optimization might also cause concern elsewhere in the organization. For example, if a design department creates CAD files in a format that requires conversion before use in manufacturing, unidentified conversion issues could cause problems.
4. Assess IT involvement
Often, when individuals or teams select tools without the involvement of IT, the tools selected lack reliable backup, support, or business continuity controls. Keep in mind that not every application requires instant, automated, cloud backup; 24 x 7 x 365 support; or a fail-over alternative in the event of an emergency. Assess the extent to which the rogue application may require these additional measures.
5. Consider costs
Too often, different teams pay for the same app from different budgets. When this happens, the organization often loses economies of scale, since many vendors offer discounts as quantity or usage increases. In other cases, people purchase an alternative that is essentially equivalent to an existing corporate subscription. For example, a company with existing Adobe Creative Cloud subscriptions would likely find additional third-party PDF editing subscriptions to be redundant.
6. Embrace innovation
In some cases, a newly identified app can be a very good thing, since it solves a problem for people. App adoption occurs not only because of features and functions, but also because a system works in a way that people like or prefer to work. Stay open to the possibility that an application may represent an innovative new way to work.
How do you respond?
The worst response you can have when you discover a non-approved app is to immediately shut it down or block access without any conversation. This type of response will only create animosity between people in your organization and your team.
A better response is to treat the discovery of the app as an opportunity to begin a conversation to understand why the solution was selected and the problem it solves. Only after that is well understood can you seek to learn why the IT team was left out of the process. The most important thing is for people on the IT team to listen, educate, and communicate.
If you create the right environment, your team will be the first place people turn when they seek assistance with technology. But getting to that point requires that you build trust, that you listen carefully to people’s needs and preferences, and that you remain patient. Ultimately, effective IT leadership requires you to be an engaged leader, actively involved in business operations and processes. When you discover “Shadow IT”, you’ve also discovered an opportunity to start a conversation.