
'Regulated enablement' key to minimizing shadow IT risk

Shadow IT risk continues to plague companies, but some are finding ways to allow citizen developers to use these unsanctioned applications -- with certain restrictions.

Early in his tenure as CIO at Helm Inc., Michael Wacht surveyed employees in business units and asked how they managed their work.

The responses showed that they used their own skills and preferences to find tools that worked best for them, whether that meant writing programs in Excel and Microsoft Access or using old-fashioned Post-it notes.

"There is an infinite demand for IT resources, but there's only a finite capability [to meet demands]," he said.

Wacht also recognized that the workers' unsanctioned tools created risks for Helm: These types of "shadow IT" processes can leave data unprotected in locally built programs, putting it at heightened risk for a breach.

Those processes also put data out of reach of sanctioned corporate systems, preventing the company from ensuring it had the single source of truth required for business intelligence and analytics programs.

Those unsanctioned processes and the corresponding data also remain tied to the users themselves, rather than the organization. When those users change positions or leave the company, the systems they built and used fall away -- leaving their successors to start over.

Wacht pointed to a specific example that illustrates his point. When he arrived at the company in 2010, workers were using some 3,000 Excel spreadsheets to manage more than 100,000 SKUs for the company's products. As they bent Excel to their unique needs, these workers were overwriting data and working from corrupted files.

"People create solutions within their skill sets, and this was a risk within the organization," he said. "When it's not done in an organized way and in tools that can be repurposed for the next person, when workers change jobs or leave the company, all that goes with them because the organization doesn't know that systems and information [in those systems] exists."

The rise of citizen developers

A new crop of tech-savvy workers, powered by increased code expertise and an ability to easily purchase their own apps, are creating their own tech environments. In many cases, these citizen developers are working with limited or no coordination with traditional technology departments, a situation that's perpetuating shadow IT risk.

The trend has alarmed CIOs and others on companies' executive teams, given how much more powerful technology is today and the increasingly severe consequences of data breaches and the expanse of potential exposure created via the cloud.

IT leaders cite data integrity (73%), security (69%) and integration (58%) as key challenges when it comes to citizen developers, according to a 2017 survey of 500-plus IT decision-makers commissioned by low-code platform provider Appian Corp. and conducted by YouGov.


To be clear, shadow IT risk is decades old. Nontech staffers (and even some IT workers) had for years been doing their own development in Microsoft Access and Excel as well as the now-discontinued Lotus 1-2-3 spreadsheet program, said Mark Driver, a vice president and research director at the IT research and advisory firm Gartner.

"But in the past, the apps had technology limits that made them fairly secure. They were more or less contained inside the area network," he said.

Today, cloud and other technology advances can make unsanctioned programs accessible to hundreds, or even millions, of people.

"That exposes all sorts of problems around regulated data, security and compliance and all kinds of stuff," Driver said. "That's why IT is freaking out."

Minimize -- not eliminate -- shadow IT risk

Shadow IT risk involves more than just data-related concerns. Driver noted that shadow IT often follows a typical pattern: A business unit employee with some technical acumen develops a simple program to help out with a specific task and then shares it with colleagues who start using it. A manager, not wanting his or her employee spending time coding, hands it off to IT to manage -- throwing off IT's own budget, work schedules and strategic commitments.

Driver said IT shouldn't fool itself into thinking it can eliminate citizen development and rogue apps, but it can minimize the fallout.

"The goal is to minimize the use of unsanctioned technology; you want to enable a partnership to avoid those surprises," he said.

Driver advises collaboration between IT and business leaders to support citizen developers with accepted guardrails in place regarding scope, access and cost. He recommends IT offer at least one -- if not several -- low-code/no-code platforms to help both enable such work and enforce some of the parameters.

"These tools provide a compliance checkpoint," he said. "It's 'trust but verify.' These tools allow you to verify that everyone is saying what they say they're doing."

The IT department should also have auditing capabilities so it knows when the use of a citizen-built app grows so much it needs IT oversight and maintenance.

Wacht took a similar tack at Helm, which provides corporate brand merchandise to Fortune 500 companies. He implemented the no-code platform Quick Base and used tiered training for non-IT employees who were interested in developing their own apps.

"We've become good at recognizing processes that are well-formed processes that are outside our core system. Sometimes they're hidden in email or on paper-based forms; most of the time they're in Excel. But people are now going to Quick Base," he said.

The IT department controls access to data, and builds and maintains systems that use any sensitive or regulated data. "Those protocols keep anybody out of where they're not supposed to be," said Wacht, now Helm's executive vice president of marketing and operations.

Carl Lehmann, principal analyst in the development, DevOps and IT ops channel at 451 Research, agreed that executives need to take steps to limit this new wave of shadow IT risks.

"IT needs to put in place some controls: control access based on roles, the type of data and the quality of data," he said.

As Lehmann noted, executives need to recognize citizen developers, acknowledge shadow IT risks and strategically address them if they truly want to move such work out of the shadows. Data quality management firms and integration vendors are already designing tools that allow IT to create data or integration wizards.

These tools regulate access to data, regardless of which coding platform the person is using, Lehmann added. Once IT sets up these data wizards, citizen developers can get what they need within established parameters. But regulated enablement is only part of the solution, he said.
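The two controls described above, an access policy keyed on role and data classification and an audit trail that tells IT when a citizen-built app has grown large enough to need oversight, can be sketched in a single gateway. The following is an added illustration, not Helm's, Quick Base's or 451 Research's code. The dataset catalogue, role ceilings, app names and the user-count threshold are all constructed assumptions; in practice the catalogue and role map would come from the organization's data-classification and identity systems.

```python
from collections import defaultdict

# Constructed data classifications, least to most sensitive.
PUBLIC, INTERNAL, REGULATED = "public", "internal", "regulated"
RANK = {PUBLIC: 0, INTERNAL: 1, REGULATED: 2}

# Constructed catalogue: dataset -> classification.
CATALOG = {
    "product_skus": INTERNAL,
    "order_status": INTERNAL,
    "press_releases": PUBLIC,
    "customer_pii": REGULATED,
}

# Constructed role ceilings: the most sensitive class a role may read through a
# citizen-built app. No role reaches REGULATED this way; that data is served
# only by systems IT builds and maintains itself (see IT_MAINTAINED).
ROLE_CEILING = {
    "marketing": INTERNAL,
    "ops": INTERNAL,
    "finance": INTERNAL,
    "contractor": PUBLIC,
}

# Apps IT itself builds and maintains (constructed name).
IT_MAINTAINED = {"erp_core"}

# Assumed value: once this many distinct users rely on one citizen-built app,
# IT should take over its oversight and maintenance.
OVERSIGHT_USER_THRESHOLD = 5


class DataGateway:
    """Authorizes reads by citizen-built apps and keeps an audit trail."""

    def __init__(self):
        self.audit_log = []                    # (app, user, role, dataset, decision)
        self._users_by_app = defaultdict(set)  # app -> distinct users granted access

    def authorize(self, app, user, role, dataset):
        """Decide and record one read request; returns 'allow' or 'deny:<reason>'."""
        cls = CATALOG.get(dataset)
        if cls is None:
            decision = "deny:unknown_dataset"
        elif cls == REGULATED and app not in IT_MAINTAINED:
            decision = "deny:regulated_requires_it_system"
        elif app in IT_MAINTAINED:
            decision = "allow"           # IT-maintained systems carry their own controls
        elif role not in ROLE_CEILING:
            decision = "deny:unknown_role"
        elif RANK[cls] > RANK[ROLE_CEILING[role]]:
            decision = f"deny:{role}_ceiling_{ROLE_CEILING[role]}"
        else:
            decision = "allow"
        self.audit_log.append((app, user, role, dataset, decision))
        if decision == "allow":
            self._users_by_app[app].add(user)
        return decision

    def apps_needing_oversight(self, threshold=OVERSIGHT_USER_THRESHOLD):
        """Citizen-built apps whose distinct user count has reached the threshold."""
        return sorted(app for app, users in self._users_by_app.items()
                      if app not in IT_MAINTAINED and len(users) >= threshold)

    def denials(self):
        """Audit entries that were refused, for IT review."""
        return [entry for entry in self.audit_log if entry[4] != "allow"]


def run_sample():
    """Replay a constructed sequence of requests and return the gateway."""
    gw = DataGateway()
    # A marketing-built SKU tracker spreads across six colleagues.
    for i in range(6):
        gw.authorize("sku_tracker", f"mkt{i}", "marketing", "product_skus")
    gw.authorize("sku_tracker", "mkt0", "marketing", "customer_pii")   # refused
    gw.authorize("sku_tracker", "mkt0", "marketing", "no_such_table")  # refused
    gw.authorize("erp_core", "svc_erp", "it", "customer_pii")          # IT system, allowed
    gw.authorize("ops_board", "ops1", "ops", "order_status")
    return gw


if __name__ == "__main__":
    gw = run_sample()
    print("needs IT oversight:", gw.apps_needing_oversight())
    for entry in gw.denials():
        print("denied:", entry)
```

The gateway sits between any coding platform the citizen developer chooses and the data, so the same role and classification rules apply whether the front end is a spreadsheet, a low-code app or a script. The oversight check uses distinct users rather than request volume, since a single power user hammering an app is a different situation from an app that has quietly become a shared dependency.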

"The next step beyond that is to incorporate this enablement within an enterprise security strategy," he said, adding that fraud detection and encryption should also be part of the security steps to limit organizational risk from shadow IT.
