COVID-19: the unchecked expansion of shadow IT in 2020
Today we are experiencing a shift in working practice that was unthinkable even just a few weeks ago. With the majority of staff now working remotely, IT resilience and the operational practices of organisations are being tested on a global scale. Operations and security teams are rushing to ensure teams remain connected, whilst business areas are attempting to maintain productivity. Any disconnect between requirements and solutions increases the risk that departments are going to solve IT bottlenecks themselves, bypassing the usual governance checks. These technology solutions, deployed by departments other than official IT service teams, are referred to as shadow IT.
Prior to this recent change in working circumstances, cases of shadow IT were already on the rise as the entry bar to complex technologies is lowered because third party services and cloud providers make it easier to install and set up solutions. Even the complexities of technologies around AI and machine learning have dramatically reduced. So combined with stretched IT teams and large numbers of people working remotely, shadow IT projects will only increase.
Although solutioning in this manner might provide short-term benefits of increased employee productivity. The answer is to strike a balance between the needs of rapid business change, maintaining productivity and protecting operational resilience to check the expansion of shadow IT. The long-term effects of shadow IT can lead to an increased risk of security issues, contravene governance and compliance, increase technology divergence and technical debt. Ignoring these long-term effects ultimately increases the cost of doing business, affecting the bottom line. And organisations will find themselves on the back foot when normal business operations resume as they belatedly deal with these issues.
Workarounds are not the sole domain of engineering teams either. All areas of the business from Finance and HR to marketing and sales are going to pose a risk. While engineering teams with strong DevOps capabilities are able to rapidly respond to change in consumers’ demands. Business teams can also adapt and overcome issues that organisations commonly face, be it a shift in technology, rapidly needed features or responding to security threats. However, they may not all respond appropriately to new issues that prolonged remote working could introduce.
Impacts of shadow IT
The best case scenario around this rise in shadow IT is that we see an increase in innovative solutions which lead to longer term improvement in team productivity, as well as refined ways of working. However it is even more likely that businesses will experience some or all of the following negative outcomes.
Increase in cybersecurity and compliance risks and issues – Prolonged and whole-organisation working from home is going to stretch security teams as new areas of the business deploy remotely or require greater access to their tools and data. And under the circumstances teams will naturally begin looking at additional tools to solve the sometimes novel issues they face maintaining business as usual, or pivoting to new areas of business. They will therefore source solutions from third parties which they may not put through the normal security governance process. In addition to IT impacts, there are also often Legal and Procurement implications to using a third party that can be forgotten by teams looking for quick solutions.
Data Security – Shadow IT applications may also not follow best practices around access controls, backups and restore policies. This increases the risk of data loss, including sensitive client data.
Increased IT Costs – Cloud and third party services have drastically lowered the entry level to powerful capabilities such as AI/machine learning and data analytics. These services are very tempting for business areas looking at a quick solution to a business need, but often teams won’t take into account the running costs of these servers so costs quickly escalate.
Inefficiency / Productivity / Technical Debt – New shadow IT projects can ultimately introduce a drop in productivity.
IT teams are structured to apply operational best practice and work at scale. With multiple teams embarking on shadow IT projects, we can expect to see IT inefficiency creep in.
Usually business teams won’t have the capability to run new services from an operational perspective, and will look to pass them to IT. This leaves IT with additional workload they may not have capacity or the skills to service. Additionally these projects often need to be migrated back on to existing IT services, adding to the IT backlog.
Reducing risk
So how can organisations reduce the risks imposed by shadow IT projects at this time?
Monitor cloud and network resources – Organisations need to prioritise maintaining high visibility of their network and cloud resources. Using custom dashboards, alerting and tagging gives IT teams effective visibility on who is deploying what and where. Security scans on networks looking for newly introduced vulnerabilities should be increased. Unknown resources need to be quickly identified and traced back to an owner.
IT project governance guidelines should be highlighted – IT teams should highlight any new services and what is currently available that can help the business. Often these shadow IT projects come about solely because teams are unaware of what IT can offer in a particular area. IT Operations need to be proactively supporting teams, rather than solely reactive.
Allowing limited shadow IT – Shadow IT projects can be beneficial. These are unusual times, already stretched IT should be open to new options being presented to them. Teams should feel they can come to IT with a potential solution, be open about what their need is, and not be immediately shot down. IT teams should understand these projects are attempting to solve genuine business needs. Often a quick, tactical solution is preferable to both sides and with transparency you can reduce the risk of introducing additional technical debt.
Summary
The true cost of shadow IT might not be felt until normal business resumes. However organisations should operate with transparency and collaboration between business and IT functions to anticipate and respond to the issues which inevitably drive the use of shadow IT whilst businesses operate remotely.
6point6 have a proven track record in providing cost-effective digital transformation. Our in-house team of consultants with expertise in DevOps can help your organisation strike the right balance between innovation and security with shadow IT.
