1. Partner with Other Departments Instead of Blocking Them
Shadow IT exists for a reason: IT departments can be slow and their requirements burdensome when others just want to get work done. Shadow IT projects are often innovative and usually implemented very quickly. IT teams should focus on why specific cases of shadow IT happen and try to be a partner rather than a naysayer. Work to understand the problem to be solved. Then prioritize a solution and become part of the team. Make the contribution needed to ensure that IT’s security concerns and operational requirements are satisfied, and otherwise let the shadow IT team do its own thing.
2. Set Priorities: Deal with Real Security Risks
Not every shadow IT project puts protected health information at risk or threatens compliance. Manage the risk where appropriate and back off when shadow IT doesn’t present a true risk to the organization. Identify the most critical IT policies and make sure that everyone knows what the red lines are — the ones that cannot be crossed without jeopardizing patient privacy and compliance auditing. Offer education and training on how to meet general security requirements and, if possible, extend access to services such as single sign-on or secure web proxies. If there’s no real risk, don’t get in the way of an agile and innovative project.
3. Make Shadow IT a Force Multiplier
Shadow IT is someone else doing IT’s job for them. Let that happen. When a project is up and running, you’ve gained in-house knowledge and expertise with minimal use of IT team resources. Leverage that experience and build on it. Successful shadow IT projects often grow their scope or user base over time, and when that happens, the shadow teams are usually happy to hand over a project to production IT. Consider that a gift of time and effort, even if it’s not exactly how you would have done it.
4. Monitor and Manage Shadow IT from a Distance
Knowing where shadow IT exists isn’t easy, especially with cloud-based solutions. A combination of network monitoring and cost controls will help identify the who and where. Once you’ve found shadow IT in operation, track it and make sure you know its scope and timelines. Keep in contact with the team running the shadow IT project, and ask for status updates, documentation and lines of responsibility. Shadow IT shouldn’t be permanent; if it looks to be an ongoing project, negotiate for integration into production IT processes for vulnerability management, resource planning and upgrades, and business continuity.