Building a User-Centric Approach to Shadow IT
There is little doubt that embracing shadow IT will create some risk, but it also creates advantages, including giving employees access to a wider range of solutions and creating more opportunities to find new ways of doing things.
At a previous position of mine, everyone got excited when the announcement came that IT would build a new content management system, and that it would be a proprietary platform so IT could build it the way line-of-business employees used it.
The old system lacked basic usability features such as auto save – at the time, it was actually organizational policy to work within Google Docs and transfer content over to upload to clients. It took years to replace that way of doing things, and several additional months after the launch of the new system to get it to a state where most people wanted to use it.
In the initial release, performance was slow and the entire platform sometimes locked up. The auto save feature didn't always work, so employees lost a great deal of work – many went back to using Google Docs and copying/pasting content into the new system because that was often faster than simply writing within the new platform to begin with. It's a small and almost harmless example of Shadow IT, but my old employer underscores the reason the trend exists: Employees want to do their jobs with the most convenient tools (and sometimes, the best ones) that are available.
The trend toward Shadow IT is already prevalent among organizations. Frost & Sullivan's report, The Hidden Truth Behind Shadow IT, though focused specifically on SaaS applications, outlines the widespread nature of shadow IT – more than 80% of respondents admitted that they used non-approved apps, including 83% of respondents who held IT positions.
Part of the problem is that it's difficult to roll out technology at an organizational level and keep pace with the average tech savvy employee, because organizations have longer time-to-deployment, more cost concerns and more regulatory considerations. However, in some cases, the gap between consumer and organizations' technology is massive. For example, The New York Times reported in December last year that the Federal Register still relies on floppy disks, partially because many government agencies have not yet updated to the secure email system through which the Register can also receive publications.
The history of the mobile platform wars also showcases the problem well. Apple's iOS devices took the lead in the business technology market in late 2011, but, according to data from iPass, BlackBerry still held 32% market share for the business mobile category.
By that point, BlackBerry had already dropped well below the market share of both iOS and Android in the consumer space. According to Mintel's Mobile Phones – US, February 2012 BlackBerry had a 14.9% consumer mobile technology market share. This gap is significant because as operating systems lose traction among users, they also tend to lose traction among developers, which means limited support and a smaller library of apps.
Bringing light to shadow IT
There are two broad approaches to dealing with shadow IT. One strategy attempts to keep the organization in complete control of technology decisions and is built around more stringently enforcing policies designed to protect important data. Clearly, this strategy alone cannot address the driving force behind the trend: Employees want better and more convenient ways of doing their jobs.
The second approach is to embrace shadow IT. There is little doubt that this approach will create some risk, but it also creates advantages, including giving employees access to a wider range of solutions and creating more opportunities to find new ways of doing things. We can think of this as a "user-centric" approach to shadow IT.
A user-centric approach to shadow IT attempts to account for the underlying motivations behind the trend's existence, and it attempts to address the security challenge without disregarding employees' needs. There will never be an all-encompassing best solution for every situation, but organizations can consider approaching shadow IT with a framework that incorporates the user into the decision making process. The following points are not a step-by-step guide – instead, they should serve as a framework that can be continually applied as needs change and as technology evolves.
Identifying the way that employees currently use technology, which services they are actually using and what their must-have features are can give organizations a better understanding of their true technology environments rather than the one they think users have. Anonymous surveys are a good start for organizations that have not addressed the problem before, especially since many employees will be reticent to report how often and why they go outside official solutions. However, this is also about creating a dialogue between users and IT so that both sides are aware of the challenges the other party faces.
Organizations can also focus the assessment lens back on themselves. Exploring an organization's true technology environment – ALL of the services and devices employees use for work – is likely to reveal gaps between existing policies and actual usage. If practices and policies do not match, it's important to understand why. Are employees frustrated by a poor interface in organizational software? Are there essential features missing? Are employees opting for other solutions because they are more familiar?
It may also be worth gauging interest in training sessions for currently implemented solutions so that employees can make better use of what they have and begin to see IT as an enabler of productivity as opposed to a barrier.
This is not just about updating organizational policies to better account for the true technology environment. It's also about updating practices to minimize risk. A truly user-centric approach will require compromise from both sides.
Instead of blanket banning of third-party clouds, for example, organizations can opt for all data in these environments to be encrypted. If the problem is a lack of involvement from IT, then organizational processes should be updated to streamline the vetting process for third-party apps so that line-of-business employees can still use their favorite solutions but IT gains insight into which services are actually being used.
The updates may also need to come from a technical level. If employees aren't using official channels to send data and the problem is that existing solutions are cumbersome to use, it's time to consider something better - or at least streamlining processes wherever possible. Accepting third-party solutions into an organization's technology environment may also demand data-centric security solutions that are seamless or at least intuitive from a user's perspective.
Finally, it may not be possible to give users the level of control they really want. Regulated industries will naturally run into compliance barriers. However, there are still ways of updating practices to better satisfy productivity demands. Instead of opting for only one solution or one type of device, giving employees a selection of pre-approved solutions and allowing for some customization can alleviate a great deal of strain – a similar strategy is already occurring with the choose-your-own-device trend, which effectively serves as a halfway point between a single, provisioned platform and BYOD.
3. Gather Feedback
Regardless of the approach, gathering feedback from users will limit the friction that would otherwise be created by implementing restrictive policies or extra steps to security. Would employees prefer to continue using the solutions they already use, but with limitations or extra steps to secure the data they're placing in these environments? Would they rather have IT implement an alternative, but equally convenient, solution that the organization can control? Make employees an active part of the process and help them to understand why certain compromises need to be made.
Just as IT leadership will benefit from gathering feedback from employees, users will benefit from practices that encourage feedback from IT. For instance, if an organization decides to allow the use of third-party apps, IT may make suggestions for ones that are most effective in terms of security and productivity.
Bryant Harland has been writing in the technology sector for more than five years, initially as a content marketer for several leaders in the IT security and cloud storage industries. He serves as a Technology Analyst for market research firm Mintel, where he covers a wide range of technology purchasing and usage trends. The views expressed by the author in this article are the author's alone and do not represent the views of Mintel.