There’s IT, and then there’s shadow IT.
Shadow IT is all the IT that was neither planned nor approved by anyone but gets chosen, deployed and used by end users. Some see this as grassroots deployment of cool technologies; some see it as weeds growing from any crack in the IT plan. If you don’t build it, they will go find it elsewhere. And even if you build it, if it isn’t adequate, comprehensive, flexible and easy to use, they will go find it elsewhere.
In most companies, users will quite comfortably sidestep any IT system that isn’t working for them and find their own. Worse, users will seek out externally hosted offerings that they use as consumers and adapt them to business use. What about all the security controls you carefully deployed to protect the business? There’s a good chance that users see security controls as bugs and seek external solutions precisely because they are unencumbered by security.
Enterprise users will inevitably make comparisons between the applications that IT serves up and the stuff they use as consumers. Nowadays, for every enterprise application provided by corporate IT there seem to be a dozen Web-based alternatives that are cooler, better designed and can be mashed-up, shared and extended.
Part of the reason for all the hype behind enterprise Web 2.0 is that run-of-the-mill enterprise applications look so bad by comparison! Sure, they have better controls, audit capabilities, backup, security, reporting and workflow. But for most employees these are not “features,” they are encumbrances. How do you make sure your employees use approved applications and don’t go shopping for their own application infrastructure?
First of all, saying “No” doesn’t help. You can put policies and controls, even penalties and audits in place but users will still seek out unauthorized applications. For years instant messaging was banned in many companies (probably still is in some). Network audits almost always show plenty of “banned” applications running on the network. If you crack down hard, the applications become stealthy (tunneling encrypted IM over HTTPS over port-hopping TCP, or whatever). I personally think that outright bans only serve to further ossify corporate IT by removing competition and allowing mediocre applications to survive. But clearly you don’t want a “free-for-all.”
A much better approach is to have a more balanced security program that emphasizes training and awareness as much as controls and penalties. After all, your employees aren’t being “insecure” deliberately. Most of the time they are not aware of the risks of applications that they see as more flexible or easier to “share.”
IT should be open to examining external applications. Perhaps you can securely integrate and enable that new application. If you let employees ask for new applications and soberly evaluate them in comparison to internally developed applications, you create the opportunity for innovation and security. The alternative is the head-in-sand approach: mandate, prohibit, control, penalize and be sidestepped by users who see corporate IT and security as dinosaurs impeding the flow of business.
