Expert Panel | Forbes.com
Wherever there is a company tech program, there is also the risk of people trying to work around it on their own without consulting IT. While the use of “shadow IT” isn’t a new issue for tech professionals, recent increases in remote work could potentially worsen the problem. Therefore, IT leaders must stay especially vigilant to prevent team members from downloading and using unapproved or unauthorized technology.
Below, the members of Forbes Technology Council share 16 practical solutions for combating shadow IT within your organization. Follow their recommendations to minimize the number of unauthorized “workarounds” your employees are creating for issues your IT team can more safely address.
1. Cultivate a culture of ‘Yes.’
Shadow IT flourishes when the IT team is not responsive to users’ needs. Start with a culture of “Yes,” and work with the business users to enable them. Make the most egregious violators of IT policy your allies—once convinced, they will become your evangelists. In today’s world, “command and control” doesn’t work. – Sunil Misra, Emtec
2. Think of shadow IT as a pilot program.
Stop thinking of it as “shadow IT” and start thinking of it as an ongoing pilot program. Start by auditing the tools employees are testing, but don’t frame it punitively. Rather, consider it as an opportunity to optimize. What needs are employees trying to meet? How many people have gravitated to the same tools? A “Yes, and” mindset to shadow IT can optimize your tech stack while swiftly closing security gaps. – Adnan Asar, Lucid Lane, Inc.
3. Don’t deploy tech that frustrates users.
One of the best ways to prevent shadow IT is to deploy solutions that don’t disrupt or frustrate your workers. When tech causes work delays or headaches, employees will try to get around it. Many cybersecurity solutions in particular cause work interruptions such as blocking files or delaying email delivery. Engage employee stakeholders and consider the employee UX when buying to prevent shadow IT. – Aviv Grafi, Votiro
4. Listen to users without being defensive.
Shadow IT often evolves from the user base not having confidence that IT can either solve their problems at all or do it in a timely manner. The key is to have an “open ear” to the constituents. IT needs to listen—not be defensive or argue why something may not be valid for the business. Just listen, and do it frequently. – Alec Elmore, OpenGate Consulting
5. Educate your team.
The risks and costs of shadow IT are usually poorly understood. You have to educate and then trust and empower your team to make good decisions about what they bring in. And then, of course, maintain awareness of what exists in your environment. Educate, trust, empower, inspect. – Jason Walker, BigPanda
6. Provide equipment that can be managed remotely.
The company may need to provide equipment they can manage remotely and insist employees use the company-provided kit for work. Alternatively, provide remote desktops of some form that the users can log into from home. It is possible to manage what can cross the client boundary without putting software they may object to on the user’s home system. – Saryu Nayyar, Gurucul
7. Put protections in place for all endpoints.
It’s difficult to enforce standards for unapproved or unauthorized tech in the home environment. IT teams must put advanced protection in place for all endpoints and work with each employee to create security awareness and implement best practices—for example, ensuring their wireless network is protected with encryption and a secure password and creating a separate network for kids to use, if possible. – Rodney Joffe, Neustar
8. ‘Build it like it’s broken.’
One very practical thing leaders can and should do now is “build it like it’s broken.” Take time to table-top what violations will look like for your organization, how you would detect them, how you’d prioritize them and how you’d respond. This is a low-cost process, and I believe it better reflects the reality of the reduced control IT leaders have over their fleet at the moment. – Casey Ellis, Bugcrowd
9. Ensure the tech you provide delivers.
Just as water follows the path of least resistance as it winds its way down from the mountains to the ocean, humans also find the easiest path. One of the best methods of avoiding shadow IT is to ensure that the approved and authorized technology stack provides real lift to your users. If you enable employees to do their jobs simply and easily, they’ll never have a reason to look elsewhere. – Chris Grundemann, Myriad360
10. Invest in blocking tools.
Run scans on any device on the network and force employees to remove unapproved applications. Create a governance and compliance procedure and, through quality processes, ensure the integrity of the program. The shadow IT that we usually see is old servers on the network, not employees downloading unsanctioned applications. – Damian Ehrlicher, Protected IT
11. Explain the dangers of shadow IT.
Teach your team why shadow IT can hurt them, your product and the company. Many companies create rules and restrictions without telling people why. Giving directives without providing an understanding of why they are important is just asking for them to be broken. – Laureen Knudsen, Broadcom
12. Take a Zero Trust approach.
I hate the phrase “Zero Trust” (and an increasing groundswell of security professionals agree), but the original ideas of the Zero Trust movement do make sense. Old networks were like castles, but today’s networks are like cities—security teams have to think like mayors, not feudal lords. It’s about mapping, coordination and preparation, not about thick stone walls. – Mike Lloyd, RedSeal
13. Monitor expense reports.
Corporate cards and reimbursed expenses are how most shadow IT makes its way into the organization. Monthly or quarterly reviews with your peers in finance will ensure that the shadow IT is discovered. It can then be embraced properly, or users of those products can be redirected. It’s not high-tech, but it works. – Anthony Presley, Custom Business Solutions
Don’t depend on training, processes or humans to do the right thing. There are ways to automate and fully control what can run on endpoints (laptops and so on) and on the servers (on-premises or cloud). Creating a repository of curated software helps you avoid having to look for random unauthorized software. Creating isolated experimental zones can allow experimentation without risking security. – Vipin Jain, Pensando Systems
15. Provide hardware with security controls.
Equip your team with the right hardware with suitable security protocols and tools to ensure shadow IT issues don’t happen. If we depend on employee-owned equipment, controlling these factors is a very cumbersome task. – Bhavna Juneja, Infinity, a Stamford Technology Company
16. Invest in tools that will provide visibility and control.
IT teams cannot prevent shadow IT; it will happen no matter what. But there are tools that identify new apps—cloud apps especially—not yet in the realm of IT control. Once implemented, these tools provide IT with the visibility and control to bring most, if not all, apps under their governance and supervision. – Juliette Rizkallah, SailPoint