Use velvet gloves, not boxing gloves, to beat shadow IT

IT hopes to lure end users out from the shadows through proactive and reasonable compromise. Some say it may be working.

As shadow IT continues to abide, more IT professionals are approaching that world with an open hand instead of a clenched fist.

After years of treating the denizens of shadow IT as the enemy, some IT organizations are more aggressively launching educational programs to better inform users about the risks of using unauthorized applications and services that could expose their company's mission-critical data. And, heaven forbid, they are proactively asking users what software and devices they need to do their jobs better.

"You have to think of [end users] as your teammates; you don't want to create this us-versus-them mentality," said Brian Lillie, CIO of Equinix, Inc., a global colocation services provider. "We could see we weren't meeting their needs and so went to them to ask how we could help. It is more like forging a partnership than trying to impose something on them they don't want or understand."

Once his organization approached users more with the intention of reasonable compromise, Lillie said they were more forthcoming about what resources they needed, and were more open to some of the suggestions his organization could offer.

"When we asked them what problems they were trying to solve, they were more open to talking and willing to accept some of the resources I was offering," Lillie said. "I could then hire the people who could best map those resources to their functions. It started to solve some real problems."

David Levin, director of information security for Western Union, a U.S.-based financial services company, also believes an important first step for IT professionals to establish better communications with users is to realize why most users venture into shadow IT.

"If users can't get their work done with the tools they get from IT, they will get their cloud-based apps from somewhere else," Levin said. "We didn't have full visibility into this at first, but they were using free file transfer sites like Dropbox to send files outside the organization because of our limits."

Rather than blocking access to such sites, Western Union was proactive and came up with its own file management solution called Exelon, which has many features similar to Dropbox but has security capabilities the company can control. The product has been adopted by thousands of users, according to Levin, and has made users more productive when using a variety of different cloud platforms.

Levin's team created a program called Western Union Information Security Enablement (WISE), a group Levin describes as dedicated to allowing users to get their jobs done through "innovative thinking and solutions."

Besides Exelon, WISE also launched several other products and services, including a cloud-based identification management program it purchased from Okta, Inc. The Exelon product became a tile in the Okta platform that users could just click on, eliminating the need for authentication and making it easier for users to share information and collaborate.

"We would rather take this approach than become known as the company that just says 'no, you can't do that,'" Levin said.

Meanwhile, employees typically use multiple devices to access cloud services, which can further complicate matters for some IT professionals, who are asking their users to download authorized, properly secured software to devices that are not properly secured.

"It's a two-phase process no matter what steps you take with your own security and software," said an IT director with a New York City-based children's retailer. "It won't matter if it lands on a device you haven't logged in and tracked."

Both Levin and Lillie stressed the importance of educating users about the risks of venturing out to unauthorized sites through formal training programs, as one way of blunting shadow IT. Western Union presents users with pop-up messages about other in-house alternatives available, if it looks like they are accessing a competitive site, Levin said.

"If we see they are accessing a site like Dropbox that could be competitive with Exelon, we put a message in front of that user asking them if they want to or need to use Dropbox, reminding them Exelon does the same thing," Levin said.


How does your organization handle Shadow IT?
We strongly discourage it, and that's not very difficult - we focus on hiring people whose judgment they can trust, and they know that if they want to add something, all they really need to do is write up an explanation of what it is, how it will be used, and how it won't be a problem for anyone else. Shadow IT has driven some innovation in the past, and we don't want to stifle that, but I don't believe there's a need to hide ideas between reasonable, mature professionals. It's not our style. 
I know this be controversial.  
Our organization is still trying to determine the best way to handle shadow IT, but we have learned a few lessons about how best to approach it, one of which is to work with the users, not against them. What we have seen is that the trend towards self-service has made some of the decisions for us, as users who are either unsatisfied with an ailing legacy system or are early adopters of emerging technologies have brought on their own shadow IT solutions to solve problems, and those solutions became the new standard.