Have you ever been tempted to use WhatsApp, Google Drive or Evernote to speed up a project, or to use your personal USB drive to take some files to a meeting? These temptations are very natural, but giving in to them raises security problems: this is what we call Shadow IT.
IT departments therefore strive to combat these uses, so as to guarantee the security of information flows. Yet professions engaged in digital transformation are still demanding more flexibility. Each of these two aspirations is legitimate: it is therefore important to find ways to reconcile them, so that the threat becomes a performance lever.
IT departments and the temptation to block:
At what moment do we cross the red line? Many fall into Shadow IT without even realising it. Let’s consider the example of a team sent to a trade fair in search of customers or new partners: its members soon abandon the protected email in favour of personal communication tools to organise their appointments. After all, why not create a WhatsApp group and communicate that way? It will be a lot more convenient when arranging a restaurant for lunch.
The situation becomes problematic when we start using this third-party platform to debrief the afternoon's appointments or to quickly transfer a file to a colleague who is in a rush. We enter a grey area that rightly alerts those responsible for protecting the integrity of the IT: using a service external to the company exposes us to risks such as the loss or theft of information.
There is rarely any question of intentional malice: the problem is that mainstream tools employed for professional uses do not always offer the level of security or compliance required by the company’s internal policies.
The most common example is probably that of strategic documents that we share or store using online services such as Dropbox, Gmail and others such as WeTransfer. They are free and practical, but what about security, reliability or the “small print” in the general conditions of use?
The IT department, risk-averse by its very nature, is therefore tempted to block access and ban all Shadow IT type uses. The alternative would be to build the tools the business units need internally, but responding to each project represents an investment of time and money that cannot be absorbed. The result is all the more problematic as management and the market are constantly pushing for more agility.
How can we guarantee security while encouraging autonomy?
Aware of the benefits of using hosted tools, IT departments are trying to make up some of the lag. They are therefore developing file sharing services on their own infrastructure, or releasing the resources needed to purchase or certify the collaborative tools that business units require. This approach, conceived in reaction to Shadow IT, is necessary, but it is rarely enough to keep pace with the proliferation of innovative services on offer.
Generations accustomed to social networks and online tools have become used to juggling between a variety of tools. They have more than anything else discovered that they can save a lot of time by using online services.
Perhaps an employee needs to collect user feedback after organising an internal event? Creating a survey on SurveyMonkey and emailing the link to participants will take significantly less time than requesting a dedicated tool or getting a publication validated on the intranet. And what if the audience consists of web users recruited online? The employee will set up their own mailing list much faster on Mailchimp than by requesting it from the teams in charge of emailing campaigns within the marketing department.
These uses are not necessarily problematic. In fact, they even represent real potential for the company, as they allow employees to move faster and with a high level of autonomy on the projects they are involved in. They respond to a specific need, remove an obstacle from the overall progress of the project, and fit an agile way of working.
The digital transformation makes it necessary to rethink old patterns, according to which everything outside the controlled perimeter constitutes a danger, in order to encourage this creative energy. In the same way that it is possible to make the management of risks a performance lever, we can take advantage of these less controlled uses to improve competitiveness, empower employees and globally advance the company.
Integrate the problem to scale:
How can we maintain effective security without compromising the emergence of this potential? It is this thorny issue that the IS department must address in order to encourage the phenomenon.
The first level of action is to revisit the risks to which the IT is exposed, bearing in mind that the loss of data often results from human error rather than from the tools themselves. At the end of October, a USB key containing all the plans for Heathrow airport was found in the street by a passerby. While this was not a deliberate leak, it is obviously not normal for an employee to carry such sensitive information on a removable device, especially unencrypted.
We will therefore focus on informing, educating and raising the awareness of end-users, who most of the time err through carelessness, thinking they will save time or gain convenience. It is important for each user to understand the concept of the IS perimeter and to be aware of what the real problems are when using third-party services.
We will finally look at how to scale, in other words, how to industrialise and standardise good practices as well as effective tools, so that they contribute to the creativity and performance of the various business units. The process is complex, as the needs or constraints can differ between the department that first adopts a tool and the one that will use it tomorrow, but it is essential.
The IT department must first define the framework of acceptable uses, i.e., which tools or services can be used autonomously by the employees. The adaptation is not trivial, as it requires moving away from the logic of strict compartmentalisation, but a framed flexibility is better than an uncontrolled Shadow IT. Churchill would suggest abandoning the German approach (everything is forbidden, except what is explicitly permitted) and having an English vision, explaining that everything is permitted, except what is forbidden!
IT departments will then be able to focus on support, by studying, for example, how to speed up and secure the interactions between the different tools, internal and external, made available to employees.
Rather than simply erecting barriers, the IT department can return to its core competencies: creating effective, secure and properly orchestrated workflows to support all areas of the business. In doing so, it retains its fundamental role while opening up to new methods inspired by the agile movement, capable of eventually offering business units greater autonomy.
As a result, it supports the company's transition to an agile culture: it removes the obstacles that hinder business projects, helps teams acquire new skills and contributes to the continuous improvement of the organisation. Rather than acting as a censor, it becomes a facilitator, and takes part in the migration to management 3.0.