Shadow IT: What is it?
Shadow IT refers to IT projects that are done outside the standard IT approval process, often without the knowledge of the company's IT department or IT team. At first glance, the question is: why would you want to do this in the first place? This entire concept started because internal departments at large companies learned that if they needed to get a web application or a mobile site launched quickly, the IT team would probably slow it down or just say "No." The reason is simple. The internal IT team is paid to keep a very complex system running and secure at the same time. Every project that comes through IT, regardless of size or complexity, needs to go through a full approval process. For the IT department, the goal is to slow things down, take time to do their due diligence and make sure everything is safe. For the head of the department trying to complete the web application, this is seen as an inappropriate amount of caution. Who is right? Like most things in life, a balance is needed, and in this article we are certainly not recommending leaving your IT department out of the conversation if you have an important web initiative.
Regardless of what is right or wrong, bypassing the IT team has become popular and, in some cases, needed. Often this is done by calling an outside vendor who will complete the project entirely outside the normal IT process. The advantage is that the project bypasses all the standard corporate politics and approval processes, so it gets done fast and often cheaper. The risk, though, is huge. In the case of Target, their entire credit card system was hacked because a vendor plugged their laptop into a store to get internet access. Sometimes small mistakes have huge consequences.
When is Shadow IT a Good Thing?
Our opinion is that true Shadow IT is never good. If you are working on a website, a mobile application, or even a basic software as a service (SaaS) purchase, you need to involve IT and get their approval. The real trick is to make sure that, if you want to bypass the slow process, you come to your IT team with a proposal that they will approve and then get out of the way. How do you do this?
How to get your Shadow IT Project Approved
IT departments slow projects down for several reasons:
- Security concerns because the application will touch something inside the corporation (corporate data, corporate servers, staff usernames and passwords)
- The project requires company resources to be allocated (sub domains on the main company domain, additional email accounts to be created, etc.)
- The project is outside their skill set and they need to contact a trusted vendor to review your requirements
If you need to operate outside your IT department, you need to find a vendor who can work without causing these problems. Often software development companies don't have the skill set to plan and build applications that avoid all of these requirements. Or they make promises such as "This project won't need anything from your IT department so let's get started." The problem is that if you take this approach and find out they are wrong, your IT team is naturally going to pull the rug out from under the project. The first step is to take time to plan the project in a way that makes your IT team want to say "Yes."
Step 1: Plan on launching the web application or mobile application on its own server that can be hosted outside your IT infrastructure.
This is not as simple as installing it on Azure or Amazon EC2. While those hosting platforms are outside your IT infrastructure, your application may still need to get into your corporate environment. For instance, you may still need to pull data from a server inside your company, authenticate users through your corporate intranet, etc. Make sure you think about how user accounts will be created, how they will be managed, what data you need to pull from your environment and what you need to publish to the website or application. Do everything you can to eliminate the need for your new application to "be aware" of anything at your company.
Step 2: Find budget to pay for everything outside of your IT team's resource allocation. If your entire project is good but you need IT to let you have one of their Database Administrators (DBA) for a day to configure something, you just created a ton of paperwork for them to deal with. Spend the extra $1,000 and get a DBA from your vendor. Don't ask your IT team to configure their firewall. Find a design that avoids the need entirely.
Step 3: Make sure your vendor has a plan to present the full infrastructure to your IT team. You should have some basic network diagrams, some statement about how you will handle security (better yet if security isn't an issue), and a hosting or maintenance agreement from an outside vendor. Your goal is to show them that your web project can exist without any of their help.
Step 4: Set up time to meet with them. True Shadow IT bypasses all the safeguards your IT department has set up because it doesn't let them know. There is no faster way to get your web project killed and yourself fired than to try to cut corners on security. Let them know you need their time and ask for their opinions. Everyone wants to have a chance to ask questions and share feedback. If you try to push a project at them, they will naturally feel threatened. Give them a chance to ask questions. If you have done your job right with your vendor, you will give them the confidence they need to approve the project and get out of your way.
Step 5: Set up a time prior to launching the project when you will meet with them to review everything. This is critical. It allows your IT team to get out of your way because you are letting them know you won't blaze ahead. They get to say "yes" knowing they get one more chance to check it. In truth, the next meeting will be a formality, but if you try to cut them out they will demand weekly updates and bog you down to make sure you are doing your job. Make it easy for them to say yes by setting up time for them to check in on the project before it goes live.
In Summary: Do your homework, hire an experienced vendor, involve IT, make it easy for them to say "yes."