

Ten tips to expose and expunge shadow IT at your company

Bringing shadow IT projects into the sunlight requires change management and getting employees to embrace IT-sanctioned technologies.

If you're concerned about the security of your corporate content, it's time to take charge of shadow IT. To take control, though, you need to know more about how content is seeping in and out of the four walls of your company. If it's being emailed and viewed on mobile devices or saved to personal PCs, it's going to take some technology and some change management to enforce greater content security measures.

Ask your senior IT people whether they're aware of every information technology your organization uses. Chances are, they're not.

Oh, they'd like to be, and it's not that long ago that they probably believed they were. But today, most seem to know that there's a lot of stuff operating in the shadows that they don't know about -- for which, at some point, they'll likely be held responsible.

We see this commonly among our clients because an employee somewhere signed up for a cloud content service (e.g., Box, Dropbox or Office 365), never imagining that it would cause compliance, governance or technical problems down the road.

The question is, what can you do about it? You can't turn off what you don't know exists, so here is a list of 10 tips to get you started in expunging rogue content-sharing technologies.

Find 'em

The obvious starting point is to find as many of the rogue solutions as you can. There are many ways to get this done, including simply showing up in each department and asking to see what employees are using. But there are a few behind-the-scenes approaches that can illuminate the dark spots more quickly and, perhaps, more completely.

  1. Monitor your server connections to see which applications are making calls to your information. Most will be known quantities, especially if they're coming from inside your firewall. But there will certainly be others that strike you as more unusual -- especially connections that come from outside.
  2. Monitor logins (attempted and successful) as well, and match them against your user directory. Not only are you looking for obvious mismatches, but you also want to examine accesses from unknown or unusual locations -- these could be legitimate users dialing in from a mobile phone or home office, but they could also be potentially suspect sources connecting via a shadow IT technology.
  3. Monitor help desk requests to learn whether anyone is asking questions about unsanctioned applications or connections (i.e., to a cloud service). Inquiries related to usability (e.g., "How do I … ?") are worthy of examination because they are common among those with little experience with a solution, and there would be plenty of those associated with a non-mainstream system.
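
Tips 2 and 3 above, sketched as an added example that is not part of the original article: login events are matched against a user directory and known corporate address ranges, and help desk tickets are scanned for named cloud services. All accounts, addresses, networks and tickets are constructed sample data, and treating Box and Dropbox as unsanctioned is an assumption made for the illustration.

```python
import ipaddress

# Constructed sample data (not from the article).
DIRECTORY = {"asmith", "bjones", "clee"}
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
LOGINS = [  # (user, source address, succeeded)
    ("asmith", "10.1.4.22", True),
    ("bjones", "203.0.113.50", True),
    ("sync-svc", "198.51.100.7", True),
    ("dkim", "10.2.0.9", False),
]
TICKETS = [
    "How do I share a Dropbox folder with a vendor?",
    "Printer on floor 3 is jammed again",
    "How do I connect Box to my laptop?",
    "Need a bigger mailbox quota",
]
# Services the article names as examples; assumed unsanctioned here.
UNSANCTIONED = {"dropbox", "box"}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORPORATE_NETS)


def review_logins(logins):
    """Flag attempted and successful logins by unknown accounts or from outside."""
    findings = []
    for user, src, ok in logins:
        reasons = []
        if user not in DIRECTORY:
            reasons.append("not in directory")
        if not is_internal(src):
            reasons.append("external source")
        if reasons:
            findings.append((user, src, ok, reasons))
    return findings


def review_tickets(tickets):
    """Return tickets naming an unsanctioned service as a whole word."""
    def words(text):
        return {w.strip("?.,!\"'").lower() for w in text.split()}
    return [t for t in tickets if words(t) & UNSANCTIONED]


if __name__ == "__main__":
    print(review_logins(LOGINS))
    print(review_tickets(TICKETS))
```

A flagged external login by a directory user may simply be someone working from home, as the tip notes; the findings are a list of conversations to have, not a verdict.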

Fix 'em

Now that you know what you're up against, the next step is to bring your rascally systems and users into the fold -- or get rid of them altogether. Whichever approach you take, you can't simply let the situation stand, because of the compliance, discovery and other risks associated with such quasi-controlled information stores. Most successes here are rooted in our old axiom, "It's psychology, not technology." Chances are the shadow technology was originally set up because of feelings related to authority or control, and the exertion (properly or otherwise) thereof.

  1. Grant an amnesty. As much as you want to regulate your technology sprawl, you can't afford to lose the hearts and minds of the people using and benefitting from their rogue solutions. So, focus on forgiveness rather than punishment to encourage employees to fess up to shadow IT and get with the program.
  2. Help the transition. Empower an employee in each affected area to help make the transition back to "sanctioned" territory. You can't do all the work yourself, and inviting the managers and users involved to participate in the process helps reinforce the notion that you're doing this for them and not to them.
  3. Offer help. Don't interpret the previous point to mean, "Here, do this and that and the other thing." Work with the application owners to get the system in question to interoperate with or migrate to your sanctioned solutions by reconciling the data, managing the permissions, etc.

Forestall 'em

The last ingredient in the recipe is to minimize the chances that future systems sprout in the shadows. It's not realistic to prevent rogue IT altogether, but you can encourage both the following of the rules and the shrinking of the shadows.

  1. Take a customer service approach to technology management. As is the case in so many areas, communication is key, so expectations can be properly set and follow-through made tangible. Responsiveness and transparency are paramount -- even if the news you have to communicate is not the best.
  2. Think in business terms, not technology features. The folks in your organization's lines of business are much more likely to engage with you if the conversations you have are held in their terms. Otherwise, they can be left feeling either ignored or condescended to and thereby more likely to want to do their own thing rather than deal with it.
  3. Emphasize ease of use. Emphasize the ease of use of the solutions you want people to use -- and if they're not easy to use, make them so. There's no doubt that the less painful a sanctioned technology is to use, the less people will want to end-run it. And if nothing else, it will benefit the people who are playing by the rules, and that's a good thing, too.
  4. Let people know about the capabilities you've already built. In one recent case, we helped a client discover part of their problem was that one department didn't know the records group had a scanning capability and was eager for others to use it. The result was a readily avoidable overreliance on paper to move many processes along, and a budding desire of the department in question to seek its own solution.

Finally …

At the end of the day, exposing and expunging shadow IT begins and ends with tightening the relationship between technology and business, which often are disconnected enough to cause them to spin in separate, if overlapping, orbits.

I can almost guarantee your organization has technologies you don't know about, and I know that the only way to come to grips with them is to ask the question posed at the top of this piece. So, get out there and ask, and let us know what you find out.
