This article by CTO Ron Culler was originally published in Channelnomics
‘Shadow IT’ is the term for technology introduced into an organization by the end user without the knowledge or blessing of the IT department, and you see it occurring with increasing frequency in companies of all sizes. Even though there are often compelling business reasons for individuals or departments making independent purchases without the approval of their IT team, there’s a growing sense of unease about how to manage this trend. One way or another, channel partners need to pay attention.
Shadow IT is something affecting companies large and small. It can take the form of utilities, apps or equipment like video cameras or even POS devices that may be approved on a departmental basis, but haven’t actually made it into the corporate IT ecosystem.
A large IT staff often is part of the problem, not the solution. While major IT shops and enterprises may have the both the tools and the frameworks to manage the way Shadow IT impacts their organization, it’s still a daily struggle, mostly because of the vastness of the corporate network and user environment. Far too many large enterprises still see IT as a support group or a cost center (where margin-cutting always seems like a great strategy) so they don’t understand what the residual effects of ignoring the problem. For the small business, the Shadow IT problem is massively more dangerous. The smaller the company, the less likely it is to have internal IT support staff to help mop up unexpected consequences – especially when it comes to security.
Herein lies a great opportunity for solution providers.
Managed Services Providers (MSP) can provide tremendous value to new sets of customers if they apply themselves to understanding the evolving landscape and use this knowledge to win the trust of business leaders. From the management perspective, it’s a far better option to pass the Shadow IT problem to a trusted MSP and free the internal team to focus on strategic IT projects. The argument is even more powerful if the organization doesn’t have its own internal IT support.
Regulatory compliance is a significant risk factor in this scenario. Shadow IT solutions are often out of alignment with the broader regulatory requirements for control, documentation, security and reliability (although, to be fair, these issues can apply to some authorized IT solutions). But for markets such as healthcare, finance or retail, where the eye of the regulator is unblinking and fines are severe, the expertise of the solution provider is a compelling value proposition.
MSPs can help their customers identify where Shadow IT might enter the organization and, when detected, how it can be audited, managed and ultimately blended into existing security and reporting processes. If solution providers can educate their customers about dangers such as audit failures, leakages of proprietary data, or exposure of network vulnerabilities, they can partner with the organization to provide a solution that acknowledges this new way of leveraging technology.
For many channel partners, the world of Shadow IT has gone unnoticed simply because most of the ways it’s being introduced are via non-traditional channel sources. If you buy a video surveillance system, a utility app, or highly targeted departmental tool, you don’t always look to your network security provider. While a few sources and providers of such IT may be looking towards the channel for access or assistance, many others don’t ask, don’t know or don’t care as long as they are making sales.
Because most of these Shadow IT entry points are placed in the network by companies that traditionally don’t have strong IT backgrounds or skill sets, but do excel at delivering a traditional service, they often remain unnoticed. Newer, non-traditional technology or software vendors are actively looking for alternative entry points to the broader market. If they can tap into Marketing’s budget rather than wait to go through the IT vetting process, so much the better. The rush to market by new vendors coupled lack of IT expertise on the buyer side is already leading many end customer businesses to breach point.
Out of the Shadows
Audits, monitoring and vulnerability scanning are critical tools that MSPs can use to not only detect but use to prove the point to customers about these threats and ultimately provide a level of protection. Understanding where to look is part of the challenge. Often Shadow IT is hidden in plain sight–you see it every day in all types of businesses, but after they’ve become integrated into the network. Security cameras, access controls, WiFi hotspots, mobile payment devices, environmental controls or potentially the most dangerous of all: insecure third party network connections. All of these devices are there to serve a specific purpose, but each one brings with it a set of intrinsic vulnerabilities as well as IT management headaches.
IT managers and their solution providers need to understand the business implications of Shadow IT, but more importantly it’s also an opportunity to get an early start on building partnerships with companies providing these products and who may not understand the IT channel view. By partnering with these vendors and bringing your expertise to the table you will expand your horizons and theirs, and ultimately create new opportunities
It’s important to recognize that there’s no future in putting up barriers to Shadow IT. This is the equivalent of stifling organizational innovation. Far-sighted managed services providers will find new growth potential by helping their customers find ways of safely incorporating new technologies and methods into the overall IT structure, adapting to its proliferation, and knowing when to step in with protective measures.