Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Is shadow IT really that bad?

SAN FRANCISCO — In a lot of circles, shadow IT is considered a dirty term — something IT should prevent at all costs. In reality, however, shadow IT can be a great resource for IT departments, helping them identify problem areas and understand what users really need to get their jobs done.

The idea is that users are partners that IT should work with, not talk down to. Open lines of communication are critical to creating that partnership. In fact, if IT works with users, shadow IT can lead organizations to useful enterprise tools for file-sharing or other technologies.

Instead of just saying ‘no’ to what users want, the IT department at San Jose Unified School District seeks them out to learn more.

“Tell us what you’re doing or not able to do, and that changes the conversation, where we never would’ve known about that wonderful free application,” said Emalie McGinnis, director of technology and data services for the school system, here in a session at BoxWorks.

NASA had around 9,000 people using unsanctioned enterprise file sync-and-share (EFSS) tools. When the space agency became aware, it adopted Box to help solve the problem, said Chris Blakeley, a NASA application software developer.

“Users just want to get their jobs done, and if we don’t have the solutions for them regularly available, they’re going to do it on their own,” Blakeley said.

In other situations, rather than moving users to a new tool, IT should assess the risk of some of the unsanctioned software users work with, Blakeley said. If the risk is small, it may be better to let users work with software IT is aware of, rather than blocking it and having them find another option IT doesn’t know about that might be worse, he said.

Users aren’t out of the woods

Accountability is still critical. Just because shadow IT is not the harbinger of disaster some people think it is, users still need to take responsibility for the corporate data they interact with.

“You can’t bypass the security rules just because you want to do your job,” Blakeley said.

One way to ensure that users understand the requirements around cloud storage and file-sharing, for instance, is to create a cloud governance policy that clearly explains what software IT approves and what it denies.

“Users will want to do the right thing; it’s just that they don’t have the reference architecture [to always do it],” said Srini Gurrapu, vice president of customer solutions at Skyhigh Networks.