Shadow IT is the use of IT systems within an organisation without the approval or knowledge of IT. We’ve already heard a lot about it over the past few years. It’s caused IT departments many headaches, not least because it sees them lose control of systems and data and puts them at greater risk of a security breach.
You can be sure we’re going to hear a lot more about it over the next few years. With the General Data Protection Regulation coming along fast, shadow IT will cause even more headaches for charities as they seek to find out which of their systems house personal data and how they’re going to put new controls on its use.
So what’s the plan going to be?
In our view, the best thing to do is to avoid seeing GDPR as an excuse to try to implement a clampdown on any system that has not been formally sanctioned by IT. History has shown us that’s just not going to work. The very reason shadow IT sprang up in the first place is that people saw IT departments as a bottleneck they wanted to avoid. If you try to re-tighten that bottleneck, people are just going to circumvent you again – sending you straight back to square one.
Instead, IT needs to start to think about fully embracing shadow IT and how it can work on a more formal basis for all concerned.
Think about cloud services, which have been a big driver behind the growth of shadow IT because they can be set up rapidly by anyone with a browser and a credit card. Realistically, with the way the world is going, you’re not going to stop this happening. But what you can do is provide a list of sanctioned reference architectures that business units can choose from when selecting new cloud services.
This way, you can at least provide a governance framework that ensures adequate levels of reliability, availability, security and in-built compliance in the cloud services the business units procure. It should be a help to business units such as marketing and digital, because they will know that they still have the freedom to fulfil their agile and innovative instincts. At the same time, however, they will have the confidence that they’re not going to be responsible for causing the kind of security breaches that have previously put charities in the national headlines for all the wrong reasons.
Of course, the framework we’re suggesting will need some work to develop. Perhaps industry forums such as ITSMF UK – which have already made tentative moves in this direction – can help you to define it.
But we’re convinced that it needs to happen. Shadow IT is not going to go away. Neither are new regulatory measures such as the GDPR. To find the right middle ground, IT departments need to at least help business units find a way to quickly assess their needs and work with them to find a sanctioned solution. In the end – if this approach is a success – we might even end up coining a much friendlier term such as "departmental IT" to replace the shadow IT title, which at the moment is viewed too negatively.
John Simcock is director of charities and third sector at Eduserv, a not-for-profit provider of IT, digital and web development services