Shadow IT and Governance

By Barry Nathan, CMA
October 1, 2019

Shadow IT, the use of applications that exist on a company’s IT network and that haven’t been authorized by IT, can present problems.
Shadow IT often occurs because department employees want their IT project completed now, and they have access to tools on their home computers that make them more efficient. They sometimes believe that their IT need is the most important in the business: this IT project will enable a significant business improvement, so the department takes a different route to ensure the project is completed. Some scenarios may look like this:

  • Save money from the department budget, then spend it on the department project. This may include buying servers, whether compatible with central IT or not, that the department runs itself.

  • Have one of the department staff members, who is an excellent programmer, develop what the department needs without working with central IT. To keep it under the radar, there is little documentation. When that employee leaves the organization, no one knows anything about the program.

  • Purchase an off-the-shelf product, install it, and run it independently. Either platform-as-a-service (PaaS) or software-as-a-service (SaaS) is used to manage the department's software need. This sets up a shadow IT section because use of the company network is required.

  • Find the perfect free application that will work, then load it onto a company computer.

  • Copy the software from another party, then load it onto a computer or server.

ISSUES WITH SHADOW IT

Shadow IT presents a real security threat for the corporate IT systems. The products haven’t undergone rigorous testing by IT to determine if they’re secure, and they could compromise the security of the whole network.

Another perceived issue with shadow IT is the lack of corporate control involved. The fear is that if every team is given the freedom to deploy whatever software it chooses, the organization will end up with disparate and incompatible applications that hinder the collaborative function.

For some organizations, shadow IT is perceived as slowing down the network. In some cases, it may force an unnecessary request for more bandwidth.

ADVANTAGES OF SHADOW IT

Some individuals have argued that shadow IT is already entrenched and that it enables innovation within an organization. Shadow IT has gained popularity because of the perception that the IT department is too slow or unsupportive of individual departments.

Often shadow IT enables management to concentrate on bigger and more important organizational issues. Since IT is consistently underfunded, shadow IT offers a different, and often better, way to obtain interactive software. Many individuals consider shadow IT an enhancement, not a detriment, to the business.

PITFALLS TO AVOID
Organizations need to set up very strong IT governance and enforce that governance. The governance may be set up to accommodate each organizational structure, but it shouldn’t deviate significantly from a set process. The most effective processes follow these steps:

  1. Develop a strategic plan. This should incorporate the organization’s mission statement and provide general guidance for the specifics of an IT plan. It’s critical that the strategic plan include data metrics.

  2. Incorporate or develop tactical plans that all parts of the organization agree on and/or can work with and that are aligned with the strategic plan. These tactical plans should be constantly reviewed and analyzed to determine if they work. (An old friend once recalled from his military days that all tactical plans are great until the guns begin to fire.)

  3. Utilize all parts of the organization to determine the software and IT needs of the organization. Put everything on the table so that it may be presented and discussed. The financial planning and analysis (FP&A) group should do a projection over two or three refresh cycles to understand the costs of maintenance of software, servers, and personnel. If you are using SaaS or PaaS solutions, then the costs should cover a minimum of six years since the refresh cycle is often determined by the SaaS or PaaS provider. The IT department should review all suggestions of the software for compatibility, vulnerability, and overall security.

  4. Executive management and, depending on the organization, the board of directors should determine which software gets implemented. Since IT represents a very high potential risk to the organization, the board should be informed about the progress being made.

The organization can provide many services and much direction for controlling shadow IT. These include the following:

  • Consolidate applications when you can. All departments need solutions to write documents and manage sales, inventory, and administrative tasks including finance and data analytics.

  • Constantly monitor user activity. There are tools that can run a monthly scan of installed applications and compare it with the prior month’s scan. Changes are noted and sent to management to investigate and determine how anything new entered the system.

  • Develop and enforce policies to block risky application activity. Some applications have a “share” or “upload” feature that can be eliminated if those functions aren’t core to the success of the business.

  • Research applications themselves to determine how they fit into a business. The administrator should try to ascertain the risks of an application and choose it wisely.

  • Educate users about shadow IT. Make sure users understand their responsibility to the organization in minimizing risk and the problems of using software outside of the governance process.

  • If funding is available, utilize a small-problem IT solution team. It’s available to work with individuals in an organization to help determine IT solutions that can be completed in fewer than 100 hours. By having the IT department involved in solving small problems, the employee gets improved job functionality, the business retains control over its IT footprint, and the department feels that it’s getting the appropriate amount of attention.


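As an added example that is not part of the original article, the monthly scan-and-compare described above can be done over two inventory snapshots: the script diffs this month against last month, per host, and flags new installs that are not on the approved-software list for management to investigate. The host names, application names, versions and the approved list are all constructed sample data.

```python
# Added example, not from the article: diff two monthly software inventory
# snapshots and flag applications that appeared since last month and are
# not on the approved-software list. All data below is constructed.
from collections import defaultdict

# Constructed snapshots in "host,application,version" form.
LAST_MONTH = """\
fin-ws-01,Office Suite,16.0
fin-ws-01,PDF Reader,2019.012
fin-ws-02,Office Suite,16.0
"""
THIS_MONTH = """\
fin-ws-01,Office Suite,16.0
fin-ws-01,PDF Reader,2019.012
fin-ws-01,FreeSyncTool,10.0
fin-ws-02,Office Suite,16.0
fin-ws-02,PersonalCloudDrive,84.4
fin-ws-03,Office Suite,16.0
"""
# Constructed approved-software catalogue produced by the governance process.
APPROVED = {"Office Suite", "PDF Reader"}

def parse_inventory(text):
    """Return {host: {application, ...}} from 'host,app,version' lines."""
    inventory = defaultdict(set)
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            host, app, _version = (f.strip() for f in line.split(",", 2))
            inventory[host].add(app)
    return inventory

def new_applications(previous, current):
    """Applications present this month but absent last month, per host.
    A host that is itself new has all of its software reported."""
    return {host: sorted(apps - previous.get(host, set()))
            for host, apps in current.items()
            if apps - previous.get(host, set())}

def triage(changes, approved):
    """Label each new install for management review: (host, app, status)."""
    return [(host, app, "approved" if app in approved else "UNAPPROVED")
            for host in sorted(changes) for app in changes[host]]

if __name__ == "__main__":
    changes = new_applications(parse_inventory(LAST_MONTH),
                               parse_inventory(THIS_MONTH))
    for host, app, status in triage(changes, APPROVED):
        print(f"{status:10} {host:10} {app}")
```

Software that was removed since last month is not reported here; a production version would also list removals and version changes so the prior-month baseline stays trustworthy.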
One of the key components of the management accountant’s role is to ensure that data is accurate, available, and confidential to an organization. Often, shadow IT will open up the network to a number of activities that will compromise the accuracy and confidentiality of the data. Sometimes, the data may not be available to those who need to know and analyze it. Shadow IT increases the risk within the organization. The management accountant must decide if the rewards of allowing shadow IT are worth the risks to the business system. It’s a decision that must be made with solid and reliable information.
Barry Nathan, CMA, retired after 19 years as the fiscal manager for Oregon Department of Transportation Information Systems. He is currently chair of the IMA Technology Solutions and Practices Committee. He may be contacted at barryn@prodigy.net.